Multifactor Authentication Proxy Request fails on RSA Authentication Manager 8.x
2 years ago
Article Number
000072184
Applies To
RSA Product Set: SecurID
RSA Product: Authentication Manager
RSA Version: 8.5, 8.6, 8.7 
Issue
A Multifactor Authentication Proxy Request from AM to the Cloud with reason "Initialize Request Proxied" on RSA Authentication Manager 8.x receives the response "FAIL":

MFA Proxy “Initialize” request with attemptId “xxxxxxxx....” for user “xxxxx” received a response “FAIL”

Cause
Authentications on RSA Authentication Manager can fail with "Initialize Request Proxied" for several reasons when running with the configurations below.

1. You are running RSA Authentication Manager 8.7 SP2 and up, as a secure proxy server that sends authentication requests directly to the Cloud Authentication Service.
Configure RSA Authentication Manager as a Secure Proxy Server for the Cloud Authentication Service

2. You manually enabled the feature "Send Multifactor Authentication Requests to the Cloud" on the RSA Cloud Authentication Service Configuration.
Edit the RSA Cloud Authentication Service Connection

Possible deployment options: RSA Authentication Manager Secure Proxy Server for the Cloud Authentication Service

3. The AliasID of an AM user is used for authentication.
Resolution
Check the User Event Monitor in the Cloud Administrative Console. The fix depends on the failure use case, as described below.

1. RSA Authentication Manager proxied an authentication request to the cloud with an invalid UserID (a UserID that does not exist or is not registered on CAS): INIT_CANNOT_FIND_USER

To resolve the issue: ensure the user exists on CAS. See Manage Users for the Cloud Authentication Service.


2. The authentication request that RSA Authentication Manager proxied to the cloud is not configured with a valid policy on CAS: INIT_CANNOT_FIND_POLICY

Use the Access Policies page to view the list of access policies in your deployment. See Manage Access Policies.

To resolve the issue: enter the exact name of the access policy as specified in the Cloud Administrative Console.


3. AliasID authentication of an AM user will fail with error INIT_CANNOT_FIND_USER on the cloud event monitor.

If you had an MFA agent deployed connecting directly to AM (https://AM:5555/), AliasID authentication that worked earlier no longer works with the MFA Agent when AM 8.7 SP2 and up is used as a secure proxy server that sends authentication requests directly to the Cloud Authentication Service.

When a cloud authentication policy is configured in the GPO, the MFA agent enables proxy mode configuration. In AM proxy mode, although the connection URL is set to AM (https://AM:5555/), AM has no say; it acts only as a proxy server. So if the user is not present on CAS, there is no way to authenticate that user.

AM AliasID authentication fails during a Multifactor Authentication Proxy Request. To authenticate successfully as an alias user in proxy mode configuration, the AliasID of the user needs to be configured on the CAS.
  • If the user's AliasID is available in Active Directory as an attribute, you can configure Alternative Username for the identity source on CAS, so that the cloud understands which user is referenced and authenticates successfully.


Add, Delete, and Test the Connection for an Identity Source in the Cloud Authentication Service
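
The three failure cases above can be separated before opening the User Event Monitor. This added example (not RSA code) parses the AM message quoted in the Issue section and compares each failed user against two inventories. The function name `triage`, the inventories `CAS_USERNAMES` and `AM_ALIASES`, the result labels, exact-match username comparison, and all sample lines are constructed assumptions.

```python
import re

# Message text as quoted in the Issue section; curly or straight quotes are accepted.
Q, NQ = r'["\u201c\u201d]', r'[^"\u201c\u201d]+'
FAIL_RE = re.compile(
    rf'MFA Proxy {Q}Initialize{Q} request with attemptId {Q}(?P<attempt>{NQ}){Q} '
    rf'for user {Q}(?P<user>{NQ}){Q} received a response {Q}FAIL{Q}'
)

# Code to expect in the cloud User Event Monitor for each result (codes from this article).
EXPECTED_CODE = {
    "ALIAS_NOT_ON_CAS": "INIT_CANNOT_FIND_USER",
    "USER_NOT_ON_CAS": "INIT_CANNOT_FIND_USER",
    "CHECK_POLICY_NAME": "INIT_CANNOT_FIND_POLICY",
}

def triage(am_lines, cas_usernames, am_aliases):
    """Classify each failed proxied Initialize request.

    cas_usernames: usernames and alternative usernames known to CAS (assumed export)
    am_aliases:    AM alias -> real AM UserID (assumed export)
    """
    findings = []
    for line in am_lines:
        m = FAIL_RE.search(line)
        if not m:
            continue  # not a proxied Initialize failure
        user = m["user"]
        if user in cas_usernames:
            result = "CHECK_POLICY_NAME"   # user resolves on CAS; verify the policy name
        elif user in am_aliases:
            result = "ALIAS_NOT_ON_CAS"    # AM alias that CAS cannot resolve in proxy mode
        else:
            result = "USER_NOT_ON_CAS"     # unknown to both inventories
        findings.append((m["attempt"], user, result, EXPECTED_CODE[result]))
    return findings

# Constructed sample data, not taken from a real deployment.
SAMPLE_AM_LINES = [
    'MFA Proxy “Initialize” request with attemptId “att-001” for user “jsmith-adm” received a response “FAIL”',
    'MFA Proxy "Initialize" request with attemptId "att-002" for user "ghost" received a response "FAIL"',
    'MFA Proxy “Initialize” request with attemptId “att-003” for user “jsmith” received a response “FAIL”',
    'Unrelated activity line',
]
CAS_USERNAMES = {"jsmith", "mlee"}
AM_ALIASES = {"jsmith-adm": "jsmith"}

if __name__ == "__main__":
    for finding in triage(SAMPLE_AM_LINES, CAS_USERNAMES, AM_ALIASES):
        print(finding)
```

The result is a triage hint only; the code shown in the User Event Monitor remains the authoritative cause.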
Notes