Users cannot authenticate to the RSA SecurID Access Portal or protected applications using Microsoft Integrated Windows Authentication (IWA)
Originally Published: 2017-01-23
Article Number
Applies To
RSA Product/Service Type: Identity Router
Issue
Cause
An administrator can view an IDR's /var/log/symplified/symplified.log, which can be obtained as described in the article on how to Generate and Download an Identity Router Log Bundle. Be sure to obtain the log bundle and check the symplified.log from every IDR that is in use in the affected deployment.
Using a text editor, search symplified.log for events logged by the component com.symplified.adapter.idp.saml2.generic.Saml2GenericIdPHandler.
A normal sequence for an IWA authentication, logged by this IDR component to symplified.log, should include the following events in the order shown:
INFO com.symplified.adapter.idp.saml2.generic.Saml2GenericIdPHandler[194] - Posting SAMLRequest to IdP endpoint: https://<IWA URL>
INFO com.symplified.adapter.idp.saml2.generic.Saml2GenericIdPHandler[195] - SAMLRequest contents: <saml2p:AuthnRequest XML message>
WARN com.symplified.adapter.idp.saml2.generic.Saml2GenericIdPHandler[211] - Saml 2 Generic IdP Handler handling inbound response.
INFO com.symplified.adapter.idp.saml2.generic.Saml2GenericIdPHandler[263] - Inbound SAMLResponse is valid. Accepting assertion for user: <user id>
Note that there will be events from other IDR components interleaved between the above events in the symplified.log.
Examine your IDRs' symplified.log files, check for any variations from the entries above, and handle them accordingly. For example:
- If event message [195] is logged but [211] and [263] are not logged, it means the IDR has not received a response from the IWA server.
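The sequence check described above can be scripted so that every IDR's log is reviewed the same way. The following is an added example, not RSA code: it groups Saml2GenericIdPHandler events into attempts and flags the case where [195] is logged without [211] and [263]. The sample lines (timestamps, host, user, second component) are constructed, the real line prefix may differ, and the script assumes authentication attempts are not interleaved in the log.

```python
import re

# Component name and bracketed event numbers are the ones quoted in the article.
HANDLER = "com.symplified.adapter.idp.saml2.generic.Saml2GenericIdPHandler"
EVENT = re.compile(re.escape(HANDLER) + r"\[(\d+)\]")
EXPECTED = ("194", "195", "211", "263")

def classify(seen):
    """Turn the events seen for one attempt into a finding."""
    if list(seen) == list(EXPECTED):
        return "complete"
    if "195" in seen and "211" not in seen and "263" not in seen:
        return "no response from IWA server"
    return "other variation, review manually"

def check_iwa_sequences(lines):
    """Return (first_line_no, events_seen, finding) for each IWA attempt.

    Assumption: attempts are not interleaved, so each [194] opens a new one.
    """
    attempts = []
    for no, line in enumerate(lines, 1):
        m = EVENT.search(line)
        if not m or m.group(1) not in EXPECTED:
            continue  # events from other IDR components are interleaved
        if m.group(1) == "194" or not attempts:
            attempts.append((no, []))
        attempts[-1][1].append(m.group(1))
    return [(no, seen, classify(seen)) for no, seen in attempts]

# Constructed sample lines: timestamps, host, user and the second component
# are made up, and the real line prefix may differ.
SAMPLE = [
    f"2017-01-23 10:00:01 INFO {HANDLER}[194] - Posting SAMLRequest to IdP endpoint: https://iwa.example.test/",
    f"2017-01-23 10:00:01 INFO {HANDLER}[195] - SAMLRequest contents: <saml2p:AuthnRequest .../>",
    "2017-01-23 10:00:01 INFO example.other.Component[42] - unrelated event",
    f"2017-01-23 10:00:02 WARN {HANDLER}[211] - Saml 2 Generic IdP Handler handling inbound response.",
    f"2017-01-23 10:00:02 INFO {HANDLER}[263] - Inbound SAMLResponse is valid. Accepting assertion for user: alice",
    f"2017-01-23 10:05:00 INFO {HANDLER}[194] - Posting SAMLRequest to IdP endpoint: https://iwa.example.test/",
    f"2017-01-23 10:05:00 INFO {HANDLER}[195] - SAMLRequest contents: <saml2p:AuthnRequest .../>",
]

if __name__ == "__main__":
    for no, seen, finding in check_iwa_sequences(SAMPLE):
        print(f"line {no}: events {seen} -> {finding}")
```

To review a real log, pass the lines of each IDR's symplified.log to check_iwa_sequences in place of SAMPLE.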
Resolution
- Examine the Windows Event Log on the IWA Server for any explanatory events.
- Check that all of the IWA configuration on the Access Console is correct, including URLs, digital certificates, etc. See the article on how to Add Integrated Windows Authentication as an Identity Provider on RSA Link for more information.
- Check network configuration and status, including firewalls, DNS, etc.
- Contact your IWA system administrator for help troubleshooting the root cause.
Workaround