Cloud Authentication user profile lockouts on RSA Authentication Manager for newly enabled Cloud users
4 years ago
Originally Published: 2021-06-10
Article Number
000043191
Applies To

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.4, 8.5
Issue
There are two connections between Cloud Authentication Service and RSA Authentication Manager, i.e "Connection to Authentication Manager" and "Connection from Authentication Manager".

User has an MFA registered on CAS, but no MFA token registration on Authentication Manager yet.
User fatfingers/submits an incorrect Authenticate token code, User Event Monitor captures two failure messages on Cloud Authentication Service for one unsuccessful identity router authentication attempt. These attempts are counted twice against the lockout count resulting in Cloud Authentication user profile lockouts on RSA Authentication Manager. 

User-added image
User-added image
User-added image
Resolution
This issue has been fixed with RSA Authentication Manager 8.5 P3 release. Upgrading RSA Authentication Manager 
Workaround
  1. Unlock the user profile from Dashboard.
    User-added image
     
  2. A new configuration value allows you to specify the authentication agent name used by the identity router which is acting as an agent to Authentication Manager as described in Enable RSA SecurID Token Users to Access Resources Protected by the Cloud Authentication Service. The configuration value prevents the same agent from being counted twice. You must add the authentication agent name as specified in RSA Authentication Manager. Do the following:
  3. Launch an SSH client, such as PuTTy.
  4. Login to the primary Authentication Manager server as rsaadmin and enter the operating system password.
Note that during Quick Setup another username may have been selected. Use that username to login.
  1. Navigate to /opt/rsa/am/utils. 
  2. Run the following command line utility (CLU) to add the authentication agent name: 
./rsautil store -a add_config auth_manager.cas.authentication.runtime.skip.agentnames "<Agent name>" GLOBAL STRING 
login as: rsaadmin
Using keyboard-interactive authentication.
Password:
Last login: Tue Jun 05 07:52:43 2021 from 192.168.20.100
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am85p:~> cd /opt/rsa/am/utils
rsaadmin@am85p:/opt/rsa/am/utils> ./rsautil store -a add_config auth_manager.cas.authentication.runtime.skip.agentnames "cas2am" GLOBAL STRING
Please enter OC Administrator username: ocadmin
Please enter OC Administrator password: ********
psql.bin:/tmp/cd192016-7ab2-41c1-b001-0c012fe1a7873828816399055336931.sql:108: NOTICE:   Added the new configuration parameter "auth_manager.cas.authentication.runtime.skip.agentnames" with the value "cas2am"
 add_config
------------
(1 row)
rsaadmin@am85p:/opt/rsa/am/utils>

To update the authentication agent name, run the following command:
./rsautil store -a update_config auth_manager.cas.authentication.runtime.skip.agentnames "<Agent name>" GLOBAL STRING
  1. Change directories to /opt/rsa/am/server. 
  2. Navigate to /opt/rsa/am/server and restart all RSA Authentication Manager services for the change to take effect. How to stop, start, and restart RSA Authentication Manager 8.x services at the command line

Related Articles

Trending Articles

Don't see what you're looking for?