Microsoft Integrated Windows Authentication (IWA) fails with 'no uid mapping' error in RSA Access Manager 6.1
2 years ago
Originally Published: 2011-10-05
Article Number
000047488
Applies To
RSA Product Set: Access Manager 
RSA Product/Service Type: RSA Access Manager Agent 4.8 for IIS 6.0
RSA Version: 6.1
Platform: Microsoft Integrated Windows Authentication (IWA)
Issue
IWA Authentication fails with "no uid mapping" error.
ct_agent.log file shows the following error: 
2011-10-05 07:44:17 -0400 - [14312] - <Warning> - Agent not enabled for this virtual host
2011-10-05 07:44:17 -0400 - [428] - <Debug> - value_in_map=(null)
2011-10-05 07:44:17 -0400 - [428] - <Critical> - No uid mapping for user user1@supportlab.com at CT_WINDOWS_UPN
2011-10-05 07:44:17 -0400 - [428] - <Warning> - Failed to obtain user mapping
2011-10-05 07:44:17 -0400 - [428] - <Warning> - IWA authentication, No CT uid is available in uid mapping for user :supportlab\\user1, Status is CT_COOKIE_ERROR

 

SunOne LDAP log shows the following error: 
[05/Oct/2011:07:44:17 -0400] conn=980037 op=81682 msgId=908584 - SRCH base="ou=axm,dc=rsa.com" scope=2 filter="(&(objectClass=inetOrgPerson)(upsUserPrincipalName=user1@supportlab.com))" attrs="uid UserPrincipalName"
[05/Oct/2011:07:44:17 -0400] conn=980037 op=81682 msgId=908584 - RESULT err=11 tag=101 nentries=0 etime=0 notes=U

 
Cause
LDAP error code 11 means "admin limit exceeded".   This error may occur when a particular LDAP query results in an intermediate result set that exceeds the internal limits of the system.  The actual resource may be different on different LDAP servers and the failure may be intermittent depending on the nature of the query.  When Access Manger is doing IWA authentication it must search through all the users looking for a UPN value.  This search can be very expensive depending on the number of users in the datastore. 
Resolution
Ensure that an LDAP index is created for the user attributed used to map the windows UPN.  The attribute used for this lookup is defined in the ldap.conf file with the following parameter:
cleartrust.data.ldap.user.attributemap.windowsupn              :userPrincipalName
By default this value is set to userPrincipalName which typically already has an index in most LDAP stores, but if a custom attribute is used here you may need to add an index manually.
Don't see what you're looking for?