Authentication failed error for users with a specific administrative role when logging in to RSA Authentication Manager Prime Help Desk Admin Portal (HDAP)
Originally Published: 2020-06-08
Article Number
Applies To
RSA Product/Service Type: Authentication Manager Prime
Issue
Authentication failed
The RSA Authentication Manager authentication activity monitor displays Authentication Successful.
In the hdap.log, the following error displays:
2020-06-08T20:25:20,097+0200,472949 [https-jsse-nio-8445-exec-3] DEBUG com.rsa.pso.lap.web.LoginActionBean - Start : login()
2020-06-08T20:25:20,097+0200,472949 [https-jsse-nio-8445-exec-3] DEBUG com.rsa.pso.lap.web.LoginActionBean - Start : auth()
2020-06-08T20:25:20,098+0200,472950 [https-jsse-nio-8445-exec-3] DEBUG com.rsa.pso.lap.springbeans.AMISClientServiceImp -
Using token account profile named: HDAPAdmins
2020-06-08T20:25:20,098+0200,472950 [https-jsse-nio-8445-exec-3] DEBUG com.rsa.pso.lap.springbeans.AMISClientServiceImp -
start :: authenticateUser()
2020-06-08T20:25:20,098+0200,472950 [https-jsse-nio-8445-exec-3] DEBUG com.rsa.pso.lap.springbeans.AMISClientServiceImp -
URL : http://localhost:8080/auth/authn
2020-06-08T20:25:20,098+0200,472950 [https-jsse-nio-8445-exec-3] DEBUG com.rsa.pso.lap.springbeans.AMISClientServiceImp -
AuthenticationRequest : Request Type: token, Profile: HDAPAdmins
2020-06-08T20:25:47,487+0200,500339 [https-jsse-nio-8445-exec-3] DEBUG com.rsa.pso.lap.springbeans.AMISClientServiceImp -
authenticateUser <?xml version="1.0" encoding="UTF-8" standalone="no"?>
<authenticationResult>
<authenticated>false</authenticated>
<code>-1</code>
<failed>true</failed>
<message>ACCESS DENIED</message>
</authenticationResult>
2020-06-08T20:25:47,487+0200,500339 [https-jsse-nio-8445-exec-3] DEBUG com.rsa.pso.lap.web.LoginActionBean -
Authentication Failed
In the AMIS auth.log, the following error appears:
2020-06-08T20:25:40,761+0200,com.rsa.ucm.auth,27,INFO ,Setting Authentication token to profile: Profile: [Name=HDAPAdmins]
2020-06-08T20:25:40,765+0200,com.rsa.ucm.auth,27,INFO ,Validate token: 41496241
2020-06-08T20:25:40,765+0200,com.rsa.ucm.auth,27,INFO ,Position for token ===> 1
2020-06-08T20:25:40,778+0200,com.rsa.ucm.auth,27,INFO ,Calling driver validate: ==> 41496241
2020-06-08T20:25:40,779+0200,com.rsa.ucm.auth,27,INFO ,Test to see if user is allowed hdapadmin
2020-06-08T20:25:40,780+0200,com.rsa.ucm.auth,27,INFO ,Role enforcement is enabled.. Get roles for user hdapadmin
2020-06-08T20:25:40,780+0200,com.rsa.ucm.auth,27,INFO ,AMIS url from configurations: http://localhost:8080/am8
2020-06-08T20:25:40,780+0200,com.rsa.ucm.auth,27,INFO ,Creating AMISToken @ : http://localhost:8080/am8
2020-06-08T20:25:47,061+0200,com.rsa.ucm.auth,27,INFO ,Access container.hasAccess returns false for user hdapadmin
2020-06-08T20:25:47,061+0200,com.rsa.ucm.auth,42,WARN ,Access denied to user hdapadmin
2020-06-08T20:25:47,061+0200,com.rsa.ucm.auth,27,INFO ,Begin authentication completion
2020-06-08T20:25:47,061+0200,com.rsa.ucm.auth,27,INFO ,Profile.authenticateOnly=false / Is Authenticated=false
2020-06-08T20:25:47,061+0200,com.rsa.ucm.auth,27,INFO ,End authentication completion
2020-06-08T20:25:47,091+0200,com.rsa.ucm.auth,22,DEBUG,final result ---> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
<authenticationResult>
<authenticated>false</authenticated>
<code>-1</code>
<failed>true</failed>
<message>ACCESS DENIED</message>
</authenticationResult>
Cause
Resolution
To correct the issue:
- Use the steps in View All Administrative Roles Assigned to an Administrator to confirm the user's administrative role(s) from the RSA Authentication Manager Security Console.
- Confirm that the HDAP Authentication Profile is in the <Primekit_Installation_Directory>/configs/hdap/config/lap.properties file:
...
#This property gives the profile for Token
token.authentication.profile=HDAPAdmins
...
- Check the profile configuration found in step 2. The Auth Profile configuration can be seen in the AMIS <Primekit_Installation_Directory>/configs/amis/authconfig.xml file:
<profile isDefault="false" name="HDAPAdmins" testAuthenticationToken="false">
<RequireTokenSN>false</RequireTokenSN>
<AMISUrl>${amis.url}</AMISUrl>
<AMISServiceAccount>${amis.service.account}</AMISServiceAccount>
<authorizedUsers inclusionScheme="onlyInclude" enforceRoles="true" >
<include>role:HDA-HelpDesk1,role:HDA-HelpDesk2</include>
</authorizedUsers>
</profile>
- Add the user's administrative role (as it appears in the Security Console) to the list of authorized users. In the example below, the administrative roles HDA-HelpDesk1, HDA-HelpDesk2, and HDA-Admins are on the list:
<profile isDefault="false" name="HDAPAdmins" testAuthenticationToken="false">
<RequireTokenSN>false</RequireTokenSN>
<AMISUrl>${amis.url}</AMISUrl>
<AMISServiceAccount>${amis.service.account}</AMISServiceAccount>
<authorizedUsers inclusionScheme="onlyInclude" enforceRoles="true" >
<include>role:HDA-HelpDesk1,role:HDA-HelpDesk2,role:HDA-Admins</include>
</authorizedUsers>
</profile>
- A single user ID can be used instead of an administrative role, in case a single user must be authorized. Here, the user hdapadmin is added to the <include> statement:
<profile isDefault="false" name="HDAPAdmins" testAuthenticationToken="false">
<RequireTokenSN>false</RequireTokenSN>
<AMISUrl>${amis.url}</AMISUrl>
<AMISServiceAccount>${amis.service.account}</AMISServiceAccount>
<authorizedUsers inclusionScheme="onlyInclude" enforceRoles="true" >
<include>role:HDA-HelpDesk1,role:HDA-HelpDesk2,user:hdapadmin</include>
</authorizedUsers>
</profile>
- Restart the AMIS service.
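The check described in the steps above can be run offline before restarting AMIS. The following is an added example, not RSA's code: it pulls the denied user out of auth.log lines and tests the user ID and roles against the profile's <include> list. The function names, the wrapping <profiles> root, exact case-sensitive matching, and handling only inclusionScheme="onlyInclude" are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed input: the article's HDAPAdmins profile, wrapped in a hypothetical
# <profiles> root so the fragment parses on its own.
SAMPLE_CONFIG = """<profiles>
<profile isDefault="false" name="HDAPAdmins" testAuthenticationToken="false">
<RequireTokenSN>false</RequireTokenSN>
<AMISUrl>${amis.url}</AMISUrl>
<AMISServiceAccount>${amis.service.account}</AMISServiceAccount>
<authorizedUsers inclusionScheme="onlyInclude" enforceRoles="true" >
<include>role:HDA-HelpDesk1,role:HDA-HelpDesk2</include>
</authorizedUsers>
</profile>
</profiles>"""

# Three lines copied from the auth.log excerpt in the article.
SAMPLE_LOG = """\
2020-06-08T20:25:40,780+0200,com.rsa.ucm.auth,27,INFO ,Role enforcement is enabled.. Get roles for user hdapadmin
2020-06-08T20:25:47,061+0200,com.rsa.ucm.auth,27,INFO ,Access container.hasAccess returns false for user hdapadmin
2020-06-08T20:25:47,061+0200,com.rsa.ucm.auth,42,WARN ,Access denied to user hdapadmin
"""

def denied_by_role_check(log_text):
    """Users for whom role enforcement ran and access was then denied."""
    checked = set(re.findall(r"Get roles for user (\S+)", log_text))
    denied = set(re.findall(r"WARN ,Access denied to user (\S+)", log_text))
    return sorted(checked & denied)

def include_entries(config_xml, profile_name):
    """Return the <include> entries of the named profile as a set."""
    for profile in ET.fromstring(config_xml).iter("profile"):
        if profile.get("name") == profile_name:
            text = profile.findtext("authorizedUsers/include", default="")
            return {e.strip() for e in text.split(",") if e.strip()}
    raise KeyError(f"profile {profile_name!r} not found")

def matching_entries(config_xml, profile_name, user, roles):
    """Entries that would admit this user; an empty list means ACCESS DENIED.
    Assumption: entries are compared as exact, case-sensitive strings."""
    wanted = {f"user:{user}"} | {f"role:{r}" for r in roles}
    return sorted(include_entries(config_xml, profile_name) & wanted)

if __name__ == "__main__":
    for user in denied_by_role_check(SAMPLE_LOG):
        # "HDA-Admins" stands in for the role read from the Security Console.
        hits = matching_entries(SAMPLE_CONFIG, "HDAPAdmins", user, ["HDA-Admins"])
        print(user, "->", hits or "no matching role: or user: entry")
```

An empty result for a user whose token validated points to the include list rather than the token, which matches the symptom of Authentication Successful in the activity monitor alongside ACCESS DENIED from AMIS.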
Notes
- The RSA Authentication Manager Prime installation directory differs from one environment to another, and the administrator should know where it is. The subdirectories and file names do not change.
- The steps for restarting the service differ from one environment to another. The administrator should know how to restart the service in their environment.