This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

User ID does not have the correct service account role error when trying to authenticate using an RSA Authentication Manager Integration Service (AMIS) service account with the amServiceHarness-tool

Article Number

000036650

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Manager Prime, Authentication Manager Integration Service (AMIS)

Issue

The following error displays in the ../rsa/logs/amisam8.log: 
INFO ,==DC== driver created in 131ms
INFO ,~[_internal-}~Begin session context: User id: $internal$
DEBUG,~[_internal-}~Set user context on current thread ==> 29 / InstanceID 6c0399f9-a689-4114-af35-9881924d53e5
INFO ,~[_internal-}~Service account authentication for user: amis-service
DEBUG,~[_internal-}~registered users flag: false
WARN ,~[_internal-}~Attempt to autenticate service account. User id does not have the correct service account role.:  UserID: amis-service

Cause

The AMIS service account is not a member of the service account role that is defined by default in the am8-config.xml file:
  
<serviceAccount passwordDuration="25" durationWindow="5"storageAttribute="serviceAccountPolicy">
              <roles>service-accountrole1,service-accountrole2</roles> 
</serviceAccount>

Resolution

Create a new empty administrative role with no real privileges and assign it to the service account:
  1. From the RSA Security Console, navigate to Administration > Administrative Roles > Add New
  2. In the Administrative Role Name field, enter service-accountrole1 as a name for the new administrative role. 
  3. Under Administrative Scope, choose the service accounts domain. 
  4. Click Next to accept the name and domain scoping (with no changes).
  5. Click Next to accept General Permissions (with no changes).
  6. Click Next to accept Authentication Permissions (with no changes).
  7. Click Next to accept Self-Service Permissions (with no changes). 
  8. Click Save to complete the creation of the new role. 
  9. Go to IdentityUsers > Manage Existing
  10. Search for the amis-service account.
  11. Click on the context arrow next to the user ID and choose Administrative Roles > Assign More.
  12. Search for service-accountrole1.
  13. Place a check next to the role and click Assign Role

Notes

  • The service account should never be amis-bind, it's only used with AMIS directly and service account has to be a different one.
  • You either create the administrative role name service-accountrole1 or service-accountrole2.
  • You might need to restart tthe Tomcat service on the AMIS machine, after applying this change:
service tomcat-amis restart
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 07:42 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.