Users cannot authenticate successfully when the RSA SecurID token is in either Next Tokencode Mode or New PIN Mode when authentications originate from an IBM WebSeal in RSA Authentication Manager 8.x
2 years ago
Originally Published: 2015-10-21
Article Number
000042745
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Platform: IBM WebSEAL 6.1.1.x
Platform (Other): IBM Security Access Manager (formerly called IBM Tivoli Access Manager)
Issue
  • Users cannot authenticate successfully when the RSA SecurID token is in either Next Tokencode Mode or New PIN Mode when authentications originate from an IBM WebSeal in RSA Authentication Manager 8.x.
  • If the token is not in Next Tokencode Mode or New Pin Mode, authentication is successful.
  • Underlying the IBM WebSeal is the RSA Authentication Agent for PAM.
  • Both Next Tokencode Mode and New PIN Mode work as expected with the PAM acetest utility.
  • Therefore, the problem is specific to using WebSEAL.
Cause
IBM WebSEAL is not configured to maintain the session setting needed for RSA Agent API to complete multi-transactions like Next Tokencode Mode and New PIN Mode.
Resolution
To resolve the issue, follow the steps below.
  1. Create a new setting in the WebSEAL configuration.
create-unauth-sessions = yes
  1. Restart the WebSEAL application.

This will allow for successful authentications when a token is in either Next Tokencode Mode or New PIN Mode.
 
Notes
Note that the create-unauth-sessions = yes setting only works in WebSEAL version 6.1.1.9 or later.
If consulting with IBM Support, reference IBM PMR 40092,122,000 for more information.

Related Articles

Trending Articles

Don't see what you're looking for?