User ID does not have the correct service account role error when trying to authenticate using an RSA Authentication Manager Integration Service (AMIS) service account with the amServiceHarness-tool
Originally Published: 2018-08-23
Article Number
Applies To
RSA Product/Service Type: RSA Authentication Manager Prime, Authentication Manager Integration Service (AMIS)
Issue
INFO ,==DC== driver created in 131ms
INFO ,~[_internal-}~Begin session context: User id: $internal$
DEBUG,~[_internal-}~Set user context on current thread ==> 29 / InstanceID 6c0399f9-a689-4114-af35-9881924d53e5
INFO ,~[_internal-}~Service account authentication for user: amis-service
DEBUG,~[_internal-}~registered users flag: false
WARN ,~[_internal-}~Attempt to autenticate service account. User id does not have the correct service account role.: UserID: amis-service
Cause
<serviceAccount passwordDuration="25" durationWindow="5" storageAttribute="serviceAccountPolicy">
<roles>service-accountrole1,service-accountrole2</roles>
</serviceAccount>
Resolution
- From the RSA Security Console, navigate to Administration > Administrative Roles > Add New.
- In the Administrative Role Name field, enter service-accountrole1 as a name for the new administrative role.
- Under Administrative Scope, choose the service accounts domain.
- Click Next to accept the name and domain scoping (with no changes).
- Click Next to accept General Permissions (with no changes).
- Click Next to accept Authentication Permissions (with no changes).
- Click Next to accept Self-Service Permissions (with no changes).
- Click Save to complete the creation of the new role.
- Go to Identity > Users > Manage Existing.
- Search for the amis-service account.
- Click on the context arrow next to the user ID and choose Administrative Roles > Assign More.
- Search for service-accountrole1.
- Place a check next to the role and click Assign Role.
Notes
- The service account should never be amis-bind; that account is used only with AMIS directly, so the service account has to be a different one.
- Create the administrative role with either the name service-accountrole1 or the name service-accountrole2.
- You might need to restart the Tomcat service on the AMIS machine after applying this change:
service tomcat-amis restart
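To confirm which accounts are affected and which role names would satisfy the check, the following added example (not RSA's code) reads the role names from a serviceAccount fragment and extracts the user IDs from log lines in the format shown under Issue. Treating the roles element as a comma-separated list of accepted role names is an assumption based on the notes above; the sample configuration and log text are constructed from the excerpts on this page, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <serviceAccount> fragment shown under Cause.
CONFIG = """<serviceAccount passwordDuration="25" durationWindow="5" storageAttribute="serviceAccountPolicy">
  <roles>service-accountrole1,service-accountrole2</roles>
</serviceAccount>"""

# Constructed sample: log lines copied from the format shown under Issue.
LOG = """INFO ,~[_internal-}~Service account authentication for user: amis-service
DEBUG,~[_internal-}~registered users flag: false
WARN ,~[_internal-}~Attempt to autenticate service account. User id does not have the correct service account role.: UserID: amis-service
"""

# Matches only the WARN line for the missing-role failure and captures the user ID.
ROLE_WARNING = re.compile(
    r"^WARN\s*,.*does not have the correct service account role\.: UserID: (\S+)\s*$"
)

def accepted_roles(config_xml):
    """Return the role names in <roles> (assumed comma-separated)."""
    root = ET.fromstring(config_xml)
    node = root if root.tag == "serviceAccount" else root.find(".//serviceAccount")
    text = node.findtext("roles") if node is not None else None
    return [r.strip() for r in (text or "").split(",") if r.strip()]

def failed_accounts(log_text):
    """Return user IDs, in first-seen order, that triggered the role warning."""
    seen = []
    for line in log_text.splitlines():
        match = ROLE_WARNING.match(line)
        if match and match.group(1) not in seen:
            seen.append(match.group(1))
    return seen

def report(config_xml, log_text):
    """One line per affected account, naming the roles that would fix it."""
    roles = " or ".join(accepted_roles(config_xml))
    lines = []
    for user in failed_accounts(log_text):
        note = " (amis-bind must not be the service account)" if user == "amis-bind" else ""
        lines.append(f"{user}: needs administrative role {roles}{note}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(CONFIG, LOG)))
```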