This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

Authentications failing after changing the directory password for the Directory User ID in the Identity Source Configuration for RSA Authentication Manager 8.1 SP1

Article Number

000035185

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 SP 1 or later

Issue

  • An administrator has configured an identity source for mapping user and group information from Microsoft Active Directory to an Authentication Manager deployment.
  • The customer has a password policy that requires all Windows passwords must change on a regular basis (e. g., every 90 days) which has an impact on the Directory User ID in the identity source configuration.
  • Following the password policy, the directory password for the Directory User ID was changed and the connectivity to the identity source was confirmed being successful using the Test Connection button and/or Validate Connection Information button.
  • After the directory password is changed, the end user authentications were found to be failing and users are no longer searchable in the Security Console for the identity source in question.
  • The System Activity Monitor (Security Console > Reporting > Real-time Activity Monitors > System Activity Monitor)  reports failures for the connecting to the identity source.

Cause

The Authentication Manager deployment is caching the old credentials and using them to query the identity source; and this, in turn, eventually locks the Directory User ID used to query the identity source.

Resolution

Where the Directory Password for the Directory User ID must be changed then use the following procedure:

Where there is a single replica instance in the Authentication Manager deployment

  1. From the Operations Console, flush cached data on the replica instance (Maintenance > Flush Cache).  You will be prompted to enter the super admin credentials.
  2. Select Flush all cache objects.
  3. Click Flush.
  4. Connect to the replica instance via the local console or via an SSH session using the rsaadmin account.

Note that during Quick Setup another user name may have been selected. Use that user name to login.

  1. Stop the Authentication Manager services on the replica instance using the command:
/opt/rsa/am/server/rsaserv stop all
  1. Launch the Operations Console and navigate to Deployment Configuration > Identity Sources > Manage Existing.
  2. Click on the identity source in question and choose Edit.
  3. On the Configuration tab, update the Directory Password for the primary and all replica instances listed.
  4. Use the Test Connection and Validate Connection Information buttons to confirm a successful connection to the identity source from the primary and all replica instances listed.
  5. Use the Save and Finish button to save the directory password for primary and all replica instances listed.
  6. From the primary's Operations Console, flush cached data on the primary by selecting Maintenance > Flush Cache.  You will be prompted to enter the super admin credentials.
  7. Select Flush all cache objects.
  8. Click Flush.
  9. Connect to the primary instance via the local console or via an SSH session using the rsaadmin account.

Note that during Quick Setup another user name may have been selected. Use that user name to login.

  1. Restart the  Authentication Manager services on the primary instance using the command:
/opt/rsa/am/server/rsaserv restart all
  1. Connect to the replica instance via the local console or via an SSH session using the rsaadmin account.
  2. Restart the  Authentication Manager services on the replica instance using the command:
/opt/rsa/am/server/rsaserv start all


Where there are multiple replica instances in the Authentication Manager deployment 

  1. From the replica's Operations Console, flush cached data by selecting Maintenance > Flush Cache.  You will be prompted to enter the super admin credentials.
  2. Select Flush all cache objects.
  3. Click Flush.
  4. Reboot the appliance from the Operations Console by selecting Maintenance > Reboot Appliance.
  5. Check Yes, reboot the appliance.
  6. Click Reboot.
  7. From the Security Console, verify that users are searchable on the primary and replica instances (Identity > Users > Manage Existing.
  8. Change the Identity Source name in the Search Criteria and click Search button. It is expected that a list of users are returned.  Use the System Activity Monitor in the Security Console (Reporting > Real-time Activity Monitors > System Activity Monitor) to check system activity to the identity source.
  9. Perform test authentication using the user IDs mapped from the identity source to confirm the Authentication Manager can process those authentications.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 05:38 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.