RSA Cloud Authentication Service password authentication fails due to "LDAP account not permitted to authenticate via this identity router"
Article Number
Applies To
RSA Product/Service Type: Identity Router
RSA Version/Condition: all
Issue
LDAP password authentication failed - LDAP account not permitted to authenticate via this identity routerThe symplified.log of the IDR that processed the LDAP authentication, will log an event similar to the following at the time of the authentication failure:
LDAPException(resultCode=49 (invalid credentials), diagnosticMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 531, v2580 ', ldapSDKVersion=4.0.6, revision=27850)The event will also appear in the Identity Router System Log at the time of the authentication failure.
Tasks
The "workstation" for the RSA Cloud Authentication Service, is the Identity Router (IDR) that performed the password authentication for that user.
To allow the user to authenticate with the RSA Cloud Authentication Service, the user must be authorized in Active Directory to authenticate through all IDRs in your deployment.
Resolution
- Logon to the Microsoft Active Directory server as an administrator
- Open Active Directory Users and Computers
- Go to View > Advanced Features
- Navigate to the affected user, right-click and choose Properties
- Open the Attribute Editor tab
- Edit the userWorkstations attribute to add the fully-qualified domain name (DNS name) of every IDR.
- DNS names must be separated by a commas
- Alternatively, to allow the user to login to any workstation or via any IDR, delete all existing values for the userWorkstations attribute.
Notes
Related Articles
Users unable to authenticate with LDAP password on both Security Console and Self-Service Console for RSA Authentication M… Number of Views Request a Cloud Access Service Account Number of Views Backup fails with an error: "Command failed due to timeout of 3600000 milliseconds" on RSA Authentication Manager in 8.4 Number of Views Connection fails to Cloud Authentication Service when connecting through a proxy server from RSA Authentication Manager to… Number of Views Users from an external identity source are listed as disabled in the RSA Authentication Manager 8.x Security Console Number of Views
Trending Articles
Quick Setup Guide - Passwordless Authentication in Windows MFA Agent for Active Directory RSA MFA Agent 2.5 for Microsoft Windows Installation and Administration Guide RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide How to Download OTP Token Seed Files from myRSA RSA Authentication Manager 8.9 Release Notes (January 2026)
Don't see what you're looking for?
