Only one UPN suffix works with OAM plugin for RSA-integrated Authentication

Only one UPN suffix works with OAM plugin for RSA-integrated Authentication while others give "CredentialsRejected" error
Has anyone seen this before and might know the answer? Any suggestions? Thanks!
I have set up an OAM authentication scheme that uses a custom plugin to use RSA ACE server - all pretty much exactly as it is outlined in the chapter called "Integrating the RSA SecurID Authentication Plug-in" in Oracle Access Manager Integration Guide. Here's the problem:
Everything works fine when I use a particular UPN suffix to log in to the RSA SecurID login form that is presented, e.g. [email protected], but if I create another user that uses a different UPN suffix as defined in Active Directory (e.g. [email protected]), the credentials are rejected. This happens before the securid.pl script even gets a chance to run. After hitting "POST" the user is presented with the same login screen he was just at, as expected during an authentication failure.
More info:
- I have performed successful anonymous ldap queries for both users in Active Directory using LDP. Both users exist in the same domain and in the same OU. If I change the UPN (in AD and the RSA database) to something different from the "good" one, on either user, it fails. If I change the UPN to the "good one" on either user (in AD and the RSA database) it works.
- If I test users with either the "good" or the "bad" UPN via the RSA agent tester that sits on the OAM box, both of them show as authenticating successfully. However, it doesn't work for the "bad" UPN when I try to access via a web browser on a remote client (but does work with the "good" UPN).
- I am not using SSL in any of this yet, it's all http://
- Yes, I already got rid of the "-w" parameter in the first line of the perl script, as per the "login can fail if the Login Attribute Contains an "@" Character" item in the Integration Guide Troubleshooting section.
- Here's an example of the settings in the RSA SecurID authentication scheme:
action:/OracleAccessManager/securid-cgi/securid.pl
form:/OracleAccessManager/securid-forms-adforest/securid-std-login.html
creds:login password domain newpin newpin2
passthrough:yes
authn_securid fullformdir="C:\apache\Apache2\htdocs/OracleAccessManager/securid-forms-adforest/",machine="MyComputer.mydomain.com:80"
credential_mapping obMappingBase="%domain%",obMappingFilter="(&(objectclass=user)(userPrincipalName=%login%))"
Environment:
OAM 7.0.4.3
RSA Ace Server 5.2
Windows 2003 domain with multiple UPNs defined in Active Directory Domains and Trusts
Error as seen in the oblog.log for the webgate on the server that holds the RSA login pages and perl script:
Message^A plugin for the authentication scheme SecurID Authentication has denied authentication for credentials ([email protected]
password=(omitted) domain=dc=ourdomain,dc=com newpin= newpin2= Resource=/OracleAccessManager/securid-cgi/securid.pl RequesterIP=10.250.1.2 Operation=POST).
ReqReq^POST /OracleAccessManager/securid-cgi/securid.pl HTTP/1.1 ReqProto^HTTP/1.1 ReqHost^www.MyComputer.mydomain.com. ReqStatLine^
ReqStatus^200 ReqRawUri^/OracleAccessManager/securid-cgi/securid.pl ReqUri^/OracleAccessManager/securid-cgi/securid.pl
ReqFilename^C:/apache/Apache2/htdocs/OracleAccessManager/securid-cgi/securid.pl ReqPath^ ReqArgs^
2009/07/13@15:19:49.665000 45688 46472 AUTHENTICATION ERROR 0x00001515
\Oblix\coreid\palantir\webgate\src\authentication_event_handler.cpp:1361 "Authentication failed" HTTPStatus^401
authenticationSchemeName^SecurID Authentication AuthenticationStatus^majorCode = 11[CredentialsRejected], minorCode = 47[AuthnPluginDenied],
StatusMsg = , GSN = 0, needInfo = NONE Creds^[email protected] password=(omitted) domain=dc=ourdomain,dc=com newpin= newpin2=
Resource=/OracleAccessManager/securid-cgi/securid.pl RequesterIP=10.250.1.2 Operation=POST
Only error seen in log produced by the RSA agent that sits on the Access server:
[20804] 12:27:08.915 File:ACNETSUB.C Line:326 # CheckServerAddress: server 0 detected from address 10.250.88.100
[20804] 12:27:08.915 File:udpmsg.c Line:968 # Entering decrypts_ok_legacy()
[20804] 12:27:08.915 File:udpmsg.c Line:999 # decrypts_ok_legacy: decrypt() wpcode1 failed; wpcode0 next ***********
[20804] 12:27:08.915 File:udpmsg.c Line:1089 # Leaving decrypts_ok_legacy(), result=1
[20804] 12:27:08.915 File:ACEXPORT.C Line:820 # Entering AceGetUserData()
[20804] 12:27:08.915 File:ACEXPORT.C Line:833 # Leaving AceGetUserData() return: ACE_SUCCESS
[20804] 12:27:08.915 File:ACEXPORT.C Line:579 # Entering AceGetAuthenticationStatus()
[20804] 12:27:08.915 File:ACEXPORT.C Line:592 # Leaving AceGetAuthenticationStatus() return: ACE_SUCCESS

What are the logs you see at the ACE server end? You can try passing an additional parameter debug="true" to the authn_securid plug-in - it should generate some more logs at the access server - I think in apps\common\bin.
Also does "ReqHost^www.MyComputer.mydomain.com" look right in the logs?
-Vinod
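
Added example, not part of the original posts: a Python script that groups the failure records in a webgate oblog.log by UPN suffix and status code, to confirm from the log whether rejections track the suffix as the question describes. The sample records are constructed in the layout of the excerpt above with placeholder users and suffixes, and the `login=` key inside the Creds field is an assumption based on the scheme's `creds:login password domain newpin newpin2` parameter.

```python
import re
from collections import Counter

RECORD_START = re.compile(r"^\d{4}/\d{2}/\d{2}@\d{2}:\d{2}:\d{2}\.\d+ ", re.M)
STATUS = re.compile(r"majorCode = (\d+)\[(\w+)\], minorCode = (\d+)\[(\w+)\]")
LOGIN = re.compile(r"Creds\^login=(\S+)")  # "login=" key is an assumption

def parse_failures(text):
    """Return one dict per log record that carries an AuthenticationStatus."""
    starts = [m.start() for m in RECORD_START.finditer(text)]
    failures = []
    for begin, end in zip(starts, starts[1:] + [len(text)]):
        record = " ".join(text[begin:end].split())  # undo line wrapping
        status, login = (p.search(record) for p in (STATUS, LOGIN))
        if status is None:
            continue  # not an authentication record
        user = login.group(1) if login else ""
        failures.append({
            "major": status.group(2),
            "minor": status.group(4),
            "suffix": user.rpartition("@")[2].lower() if "@" in user else "(none)",
        })
    return failures

def rejections_by_suffix(failures):
    """Count failures per (UPN suffix, majorCode, minorCode)."""
    return Counter((f["suffix"], f["major"], f["minor"]) for f in failures)

def sample_record(ts, login):
    # Constructed record in the layout of the oblog.log excerpt; placeholder values.
    return (
        f"{ts} 45688 46472 AUTHENTICATION ERROR 0x00001515\n"
        '"Authentication failed" HTTPStatus^401\n'
        "authenticationSchemeName^SecurID Authentication AuthenticationStatus^"
        "majorCode = 11[CredentialsRejected], minorCode = 47[AuthnPluginDenied],\n"
        f"StatusMsg = , GSN = 0, needInfo = NONE Creds^login={login} "
        "password=(omitted) domain=dc=ourdomain,dc=com newpin= newpin2=\n"
    )

SAMPLE_LOG = (
    sample_record("2009/07/13@15:19:49.665000", "user2@suffix-b.example")
    + sample_record("2009/07/13@15:21:02.101000", "User3@Suffix-B.example")
    + sample_record("2009/07/13@15:24:40.310000", "user4@suffix-c.example")
)

if __name__ == "__main__":
    for key, n in rejections_by_suffix(parse_failures(SAMPLE_LOG)).most_common():
        print(n, *key)
```

Suffixes are lower-cased before counting so that differently cased logins for the same UPN suffix land in one bucket.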
