Article Number
000027670
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.0 patch 5 and earlier, 8.1
Issue
When logging in to either the RSA Authentication Manager Security Console or Self-Service Console with an LDAP password, the following error displays:
Administrator cannot authenticate to Security Console using LDAP password
The Authentication Activity monitor or report indicates:
ERROR,13002,Principal authentication,User "<userID>" attempted to authenticate using authenticator "LDAP_Password". The user belongs to security domain "SystemDomain",Failure,AUTHN_METHOD_FAILED,Authentication method failed
Tasks
Authentication Manager password policy default is to require password change every 90 days. This policy applies to LDAP passwords independently from LDAP server policy.
The LDAP password is expired from the Authentication Manager's perspective and requires update.
Because the connection between Authentication Manager and the LDAP server is using insecure ldap (no encryption) password update is not allowed.
Resolution
To enable LDAP password updates during console login, a secure LDAPS connection between the Authentication Manager and the LDAP server must be established. Reference Chapter 5 of the
Authentication Manager Administrators Guide, which discusses
integrating LDAP directories and securing the communications path.
Alternatively, disable password expiration:
- Login to the Security Console with an account in the internal database (not an AD or SunOne account) that has full super admin privileges.
- Navigate to Authentication > Policies > Password Policies > Manage Existing and click on the policy being used for the affected Security Domain and click Edit.
- In the Lifetime section, uncheck Require periodic password changes.
- Click Save.
Notes
Authentication Manager 8.0 Patch 6 and Authentication Manager 8.1 Patch1 include fixes for this issue
