This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

Authentication failed error for users with a specific administrative role when logging in to RSA Authentication Manager Prime Help Desk Admin Portal (HDAP)

Article Number

000038981

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager Prime

Issue

When logging in to RSA Authentication Manager Prime Help Desk Admin Portal (HDAP) as a user with a specific role, the following error displays on the HDAP webpage:
 
Authentication failed

The RSA AUthentication Manager authentication activity monitor displays Authentication Successful.

In the hdap.log, the following error displays:
 
2020-06-08T20:25:20,097+0200,472949 [https-jsse-nio-8445-exec-3] DEBUG com.rsa.pso.lap.web.LoginActionBean - Start : login()
2020-06-08T20:25:20,097+0200,472949 [https-jsse-nio-8445-exec-3] DEBUG com.rsa.pso.lap.web.LoginActionBean - Start : auth()
2020-06-08T20:25:20,098+0200,472950 [https-jsse-nio-8445-exec-3] DEBUG com.rsa.pso.lap.springbeans.AMISClientServiceImp -
Using token account profile named: HDAPAdmins
2020-06-08T20:25:20,098+0200,472950 [https-jsse-nio-8445-exec-3] DEBUG com.rsa.pso.lap.springbeans.AMISClientServiceImp -
start :: authenticateUser()
2020-06-08T20:25:20,098+0200,472950 [https-jsse-nio-8445-exec-3] DEBUG com.rsa.pso.lap.springbeans.AMISClientServiceImp -
URL : http://localhost:8080/auth/authn
2020-06-08T20:25:20,098+0200,472950 [https-jsse-nio-8445-exec-3] DEBUG com.rsa.pso.lap.springbeans.AMISClientServiceImp -
AuthenticationRequest : Request Type: token, Profile: HDAPAdmins
2020-06-08T20:25:47,487+0200,500339 [https-jsse-nio-8445-exec-3] DEBUG com.rsa.pso.lap.springbeans.AMISClientServiceImp -
authenticateUser <?xml version="1.0" encoding="UTF-8" standalone="no"?>
<authenticationResult>
<authenticated>false</authenticated>
<code>-1</code>
<failed>true</failed>
<message>ACCESS DENIED</message>
</authenticationResult>
2020-06-08T20:25:47,487+0200,500339 [https-jsse-nio-8445-exec-3] DEBUG com.rsa.pso.lap.web.LoginActionBean -
Authentication Failed

In the AMIS auth.log, the following error appears:
 
2020-06-08T20:25:40,761+0200,com.rsa.ucm.auth,27,INFO ,Setting Authentication token to profile: Profile: [Name=HDAPAdmins]
2020-06-08T20:25:40,765+0200,com.rsa.ucm.auth,27,INFO ,Validate token: 41496241 2020-06-08T20:25:40,765+0200,com.rsa.ucm.auth,27,INFO ,Position for token ===> 1 2020-06-08T20:25:40,778+0200,com.rsa.ucm.auth,27,INFO ,Calling driver validate: ==> 41496241
2020-06-08T20:25:40,779+0200,com.rsa.ucm.auth,27,INFO ,Test to see if user is allowed hdapadmin
2020-06-08T20:25:40,780+0200,com.rsa.ucm.auth,27,INFO ,Role enforcement is enabled.. Get roles for user hdapadmin
2020-06-08T20:25:40,780+0200,com.rsa.ucm.auth,27,INFO ,AMIS url from configurations: http://localhost:8080/am8
2020-06-08T20:25:40,780+0200,com.rsa.ucm.auth,27,INFO ,Creating AMISToken @ : http://localhost:8080/am8
2020-06-08T20:25:47,061+0200,com.rsa.ucm.auth,27,INFO ,Access container.hasAccess returns false for user hdapadmin
2020-06-08T20:25:47,061+0200,com.rsa.ucm.auth,42,WARN ,Access denied to user hdapadmin
2020-06-08T20:25:47,061+0200,com.rsa.ucm.auth,27,INFO ,Begin authentication completion
2020-06-08T20:25:47,061+0200,com.rsa.ucm.auth,27,INFO ,Profile.authenticateOnly=false / Is Authenticated=false
2020-06-08T20:25:47,061+0200,com.rsa.ucm.auth,27,INFO ,End authentication completion
2020-06-08T20:25:47,091+0200,com.rsa.ucm.auth,22,DEBUG,final result ---> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
<authenticationResult>
<authenticated>false</authenticated>
<code>-1</code>
<failed>true</failed>
<message>ACCESS DENIED</message>
</authenticationResult>

Cause

Role enforcement is enabled as shown in the authentication log. That means that RSA Authentication Manager Integration Service (AMIS) is configured to allow login to HDAP for a specified number of administrative roles. The issue is that the authenticating user's administrative role is not added to the authorized list in AMIS. 

Resolution

To correct the issue, 
  1. Use the steps in View All Administrative Roles Assigned to an Administrator to confirm the user's administrative role(s) from the RSA Authentication Manager Security Console:
 Image descriptionImage description
  1. Confirm that the HDAP Authentication Profile is in the <Primekit_Installation_Directory>/configs/hdap/config/lap.properties file:
...
#This property gives the profile for Token
token.authentication.profile=HDAPAdmins
...
  1. Check the profile configuration found in step 2. The Auth Profile configuration can be seen in the AMIS <Primekit_Installation_Directory>/configs/amis/authconfig.xml file:
<profile isDefault="false" name="HDAPAdmins" testAuthenticationToken="false">
    <RequireTokenSN>false</RequireTokenSN>
    <AMISUrl>${amis.url}</AMISUrl>
    <AMISServiceAccount>${amis.service.account}</AMISServiceAccount>
    <authorizedUsers inclusionScheme="onlyInclude" enforceRoles="true" >
        <include>role:HDA-HelpDesk1,role:HDA-HelpDesk2</include>
    </authorizedUsers>
</profile>
  1. Add the user's administrative role (as it appears in the Security Console) to the list of authorized users. In the example below, the administrative roles of HDA-HelpDesk2, HDA-HelpDesk2, and HDA_Admins are on the list:
<profile isDefault="false" name="HDAPAdmins" testAuthenticationToken="false">
    <RequireTokenSN>false</RequireTokenSN>
    <AMISUrl>${amis.url}</AMISUrl>
    <AMISServiceAccount>${amis.service.account}</AMISServiceAccount>
    <authorizedUsers inclusionScheme="onlyInclude" enforceRoles="true" >
        <include>role:HDA-HelpDesk1,role:HDA-HelpDesk2,role:HDA-Admins</include>
    </authorizedUsers>
</profile>
  1. A single user ID can be used instead of an administrative role, in case a single user must be authorized. Here, the user hdapadmin is added to the <include> statement:
<profile isDefault="false" name="HDAPAdmins" testAuthenticationToken="false">
    <RequireTokenSN>false</RequireTokenSN>
    <AMISUrl>${amis.url}</AMISUrl>
    <AMISServiceAccount>${amis.service.account}</AMISServiceAccount>
    <authorizedUsers inclusionScheme="onlyInclude" enforceRoles="true" >
        <include>role:HDA-HelpDesk1,role:HDA-HelpDesk2,user:hdapadmin</include>
</authorizedUsers>
  1. Restart the AMIS service.

Notes

  • The RSA Authentication Manager Prime installation directory will differ from one environment to the other. The administrator should be aware of the installation directory. However, the subdirectories and file names will not change. 
  • Restarting the service steps will differ from one environment to the other. The administrator should know how to restart a certain service in their environment.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 10:05 AM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.