RSA Product/Service Type: Identity Router
After completing steps to Enable RSA SecurID Token Users to Access Resources Protected by the Cloud Authentication Service, the Identity Router > Authentication Manager connection fails. The following error is seen:
2019-11-08/16:29:28.607/UTC [pool-4-thread-11] ERROR com.rsa.nga.sidproxy.SidAuthentication[265] - Failed to verify session factory
com.rsa.authagent.authapi.AuthAgentException: com.rsa.authagent.authapi.AuthAgentException: the current host is unknownIDRHOSTNAME: IDRHOSTNAME: Name or service not knowndIDRHOSTNAME: IDRHOSTNAME: Name or service not known
Where, IDRHOSTNAME is the portal hostname of the IDR defined in step 8 of Add an Identity Router using the Cloud Administration Console.
This error shows that the IDR is not able to resolve its own portal hostname.
Note: the Identity Router's portal hostname FQDN can be viewed in either of two places:
- In the Cloud Administration Console Platform > Identity Routers page, select Edit on the Identity Router. The FQDN is in the Portal Hostname field.
- In the Identity Router's Setup Console, on the Network Settings page, under Protected Application Configuration. The FQDN is in the Identity Router HostName field.
The two fields that are listed above should have the same value.
Perform the following on all IDRs in your deployment:
- If the IDR has two NICs:
- Add a static DNS entry that maps the IDR's portal hostname to its portal interface IP address. Include both the portal hostname FQDN and shortname (separated by a space) as the alias value. See step 14 of Add an Identity Router Using the Cloud Administration Console.
- If the IDR has a single NIC:
- Add a static DNS entry that maps the IDR's portal hostname to its interface IP address. Include both the portal hostname FQDN and shortname (separated by a space) as the alias value.
Adding a static DNS entry should be enough to resolve the issue; however, it should also be verified that there is an A record in DNS that maps the IDR's portal hostname to either:
- If the IDR has two NICs, use its own portal interface's IP address.
- If the IDR has a single NIC, use its own management interface's IP address.
These required tasks are listed in the document on how to Enable SecurID Token Users to Access Resources Protected by Cloud Access Service.
- See also Identity Router DNS Requirements.
- The portal interface of the IDR is also known as the proxy interface of the IDR.
Related Articles
RSA Authentication Manager stuck at startup after configuring Embedded IDR Number of Views Clarification on RSA Identity Router (IDR) Upgrade Notification (12.22.0.0.37) Number of Views How to upgrade an RSA SecurID Access IDR Number of Views Identity router (IDR) registration fails with error cannot connect to Cloud Authentication Service for RSA SecurID Access Number of Views What to expect during an RSA SecurID Access Identity Router (IDR)/Cluster software update Number of Views
Trending Articles
RSA Authentication Manager 8.9 Release Notes (January 2026) RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA-2026-07: RSA Authentication Manager Security Update for Third-Party Component Vulnerabilities Downloading RSA Authentication Manager license files or RSA Software token seed records RSA MFA Agent 2.5 for Microsoft Windows Installation and Administration Guide
