Users cannot authenticate successfully when the RSA SecurID token is in either Next Tokencode Mode or New PIN Mode when authentications originate from an IBM WebSEAL in RSA Authentication Manager 8.x
Originally Published: 2015-10-21
Article Number
000042745
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Platform: IBM WebSEAL 6.1.1.x
Platform (Other): IBM Security Access Manager (formerly called IBM Tivoli Access Manager)
Issue
  • Users cannot authenticate successfully when the RSA SecurID token is in either Next Tokencode Mode or New PIN Mode when authentications originate from an IBM WebSEAL in RSA Authentication Manager 8.x.
  • If the token is not in Next Tokencode Mode or New PIN Mode, authentication is successful.
  • Underlying the IBM WebSEAL is the RSA Authentication Agent for PAM.
  • Both Next Tokencode Mode and New PIN Mode work as expected with the PAM acetest utility.
  • Therefore, the problem is specific to using WebSEAL.
Cause
IBM WebSEAL is not configured to maintain the session setting that the RSA Agent API needs to complete multi-step transactions such as Next Tokencode Mode and New PIN Mode.
Resolution
To resolve the issue, follow the steps below.
  1. Create a new setting in the WebSEAL configuration:
       create-unauth-sessions = yes
  2. Restart the WebSEAL application.

This will allow for successful authentications when a token is in either Next Tokencode Mode or New PIN Mode.
 
Notes
Note that the create-unauth-sessions = yes setting only works in WebSEAL version 6.1.1.9 or later.
If consulting with IBM Support, reference IBM PMR 40092,122,000 for more information.
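
The following check is an added example, not part of the original article or of any RSA or IBM tooling. It verifies that a WebSEAL configuration file carries an active create-unauth-sessions = yes line and that the installed version meets the 6.1.1.9 minimum from the Notes. The function names, the `#` comment syntax, the [session] stanza name and the sample configuration text are assumptions made for illustration.

```python
import re

SETTING = "create-unauth-sessions"
MIN_VERSION = (6, 1, 1, 9)  # minimum WebSEAL version per the article's Notes

def find_setting(conf_text, key=SETTING):
    """Return (stanza, value) for each active, uncommented occurrence of key."""
    stanza, hits = None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            stanza = header.group(1).strip()
            continue
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            hits.append((stanza, value.strip()))
    return hits

def version_ok(version, minimum=MIN_VERSION):
    """Compare dotted versions numerically, so 6.1.1.10 sorts after 6.1.1.9."""
    parts = tuple(int(p) for p in version.split("."))
    parts += (0,) * (len(minimum) - len(parts))
    return parts >= minimum

def audit(conf_text, version):
    """Return a list of findings; an empty list means the fix is in place."""
    findings = []
    if not version_ok(version):
        findings.append(f"WebSEAL {version} predates 6.1.1.9: setting not supported")
    hits = find_setting(conf_text)
    if not hits:
        findings.append(f"{SETTING} is not set")
    for stanza, value in hits:
        if value.lower() != "yes":
            findings.append(f"[{stanza}] {SETTING} = {value}, expected yes")
    return findings

# Constructed sample configs; the [session] stanza name is an assumption.
BEFORE = "[session]\n# create-unauth-sessions = yes\nexample-other-key = 1\n"
AFTER = "[session]\ncreate-unauth-sessions = yes\nexample-other-key = 1\n"

if __name__ == "__main__":
    for label, conf, ver in (("before", BEFORE, "6.1.1.8"), ("after", AFTER, "6.1.1.10")):
        print(label, audit(conf, ver) or "OK")
```

A commented-out line counts as not set, which catches the case where the setting was pasted in but never activated.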