RSA Authentication Manager does not save the user password when password integration is implemented with RSA Authentication Agent for Citrix StoreFront, when logging into StoreFront with Risk Based Authentication. User experiences password prompt repeatedly.
Enable verbose logging on RSA Authentication Manager and perform a RBA authentication.
You will notice below errors in opt/rsa/am/server/logs/imsTrace.log.
2019-04-11 10:58:56,440, [OARequestHandler1], (DataObjectAccessSql.java:552), trace.com.rsa.authmgr.internal.admin.common.dal.sql.DataObjectAccessSql, ERROR, sprsaam.saintpetersuh.com,,,,failed to lookup domain object of class:class com.rsa.authmgr.internal.admin.principalmgt.dal.AMPrincipal by GUID:e4263e071500cb0a1b2f26efd6e2c7a6
2019-04-11 10:58:56,441, [OARequestHandler1], (OAProcessor.java:1), trace.com.rsa.authmgr.internal.oa.engine.OAProcessor, WARN, sprsaam.saintpetersuh.com,,,,Unexpected exception during processing: PW_UPDATE_NOT_ALLOWED
com.rsa.authmgr.internal.oa.OAException: User 'venjbeverly' or agent '10.200.48.46' could not be found.
at com.rsa.authmgr.internal.oa.engine.PasswordProcessor$1.doOperation(PasswordProcessor.java:14)
at com.rsa.authmgr.internal.oa.engine.db.OACallback.doInTransaction(OACallback.java:5)
at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:131)
at com.rsa.authmgr.internal.oa.engine.db.DBUtil.doInTransaction(DBUtil.java:13)
at com.rsa.authmgr.internal.oa.engine.PasswordProcessor.doRun(PasswordProcessor.java:13)
at com.rsa.authmgr.internal.oa.engine.OAProcessor.run(OAProcessor.java:47)
at com.rsa.authmgr.internal.oa.RequestReceiver.a(RequestReceiver.java:45)
at com.rsa.authmgr.internal.oa.RequestReceiver$1.run(RequestReceiver.java:4)
at com.rsa.ims.security.spi.SimpleSecurityContextImpl.doAs(SimpleSecurityContextImpl.java:80)
at com.rsa.security.SecurityContext.doAs(SecurityContext.java:412)
at com.rsa.authmgr.internal.oa.RequestReceiver.handleConnection(RequestReceiver.java:98)
at com.rsa.authmgr.internal.common.server.TCPServer$TCPServerTask.run(TCPServer.java:689)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
at com.rsa.authmgr.internal.common.server.TCPServer$TCPServerThread.run(TCPServer.java:764)
2019-04-11 10:58:56,442, [OARequestHandler1], (RequestReceiver.java:44), trace.com.rsa.authmgr.internal.oa.RequestReceiver, ERROR, sprsaam.saintpetersuh.com,,,,Error handling OA request
com.rsa.authmgr.internal.oa.OAException: User 'venjbeverly' or agent '10.200.48.46' could not be found.
at com.rsa.authmgr.internal.oa.engine.PasswordProcessor$1.doOperation(PasswordProcessor.java:14)
at com.rsa.authmgr.internal.oa.engine.db.OACallback.doInTransaction(OACallback.java:5)
This issue has been reported in defect AM-33846 (RSA Authentication Manager does not save the user password when password integration is implemented with RSA Authentication Agent for Citrix StoreFront, when logging into StoreFront with Risk Based Authentication).
This issue has been resolved in
RSA Authentication Manager 8.4 patch 4. However, password integration works for only users added in Authentication Manager after installing the patch. Users existing in the database prior to installing patch 4 will still continue to experience the password prompt though the password integration is enabled when logged in with Risk Based Authentication. The workaround for users existing prior to the installation of patch 4 is to edit a user record and save it. That will create the additional space to save the password in RSA Authentication Manager.
To do this,
- Login to the Security Console on the primary.
- Navigate to Identity > Users > Manage Existing.
- Search for your user(s).
- From the context arrow, click Edit.
- Without making changes, click Save.
After assigning the user an RBA token,
- Click the user name again.
- In the drop down menu click User Authentication Settings.
- Put a check in Clear cached copy of selected user's Windows credentials then click Save.
Doing this creates the additional user data in the am_principal table and password integration works. Simply, if a user record is edited and closed it also helps.