IBM Security Verify

 View Only
Expand all | Collapse all

Unable to Login using AAC Advanced Authentication Mechanism

  • 1.  Unable to Login using AAC Advanced Authentication Mechanism

    Posted Tue November 07, 2023 10:27 AM
    Hi, I am following the guide at https://www.securitylearningacademy.com/mod/resource/view.php?id=31347 and trying to complete step 8.5.1. But when I access the URL https://www.iamlab.ibm.com/mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:password_eula I get the following error:

    User error
    FBTAUT003E Authentication service receives invalid policy ID [urn:ibm:security:authentication:asf:password_eula]. Ensure that the policy with the specified ID exist. Please re-access the protected resource.
    /sps/authsvc
    2023-11-07T15:18:06Z

    Error details

    Stack trace
    Could you please confirm what I might have missed in configuration or misconfigured?
    Thanks!


    ------------------------------
    Narayan Verma
    ------------------------------


  • 2.  RE: Unable to Login using AAC Advanced Authentication Mechanism

    Posted Tue November 07, 2023 12:07 PM

    Hello Narayan,

    At later versions of the ISVA firmware the default authentication policies are disabled by default.

    Please navigate to 'AAC -> Policy -> Authentication' and filter for 'End', select the End User License Agreement authentication policy and after that use the 'Enable' button to enable that policy.

    This should resolve your issue.



    ------------------------------
    JACK YARBOROUGH
    ------------------------------



  • 3.  RE: Unable to Login using AAC Advanced Authentication Mechanism

    Posted Tue November 07, 2023 01:12 PM

    Thank you Jack, I tried this but it didn't work for me.  I'll try it with a fresh configuration as well.






  • 4.  RE: Unable to Login using AAC Advanced Authentication Mechanism

    Posted Tue November 07, 2023 07:12 PM

    Hello Narayan,

    We actually just helped another administrator with this via a support case.

    In the latest versions of ISVA the AAC  component has the Advanced Configuration property 'sps.authService.policyKickoffMethod' set to 'path' by default to enhance security posture.

    You should be able to call the policy using a URL like: https://<rp>/mga/sps/authsvc/policy/password_eula

    This allows for ACLs to be attached to the specific policies and is the strategic way forward to call AAC policies directly at the authentication service.

    If you want to follow the cookbook exactly then you can change the value of 'sps.authService.policyKickoffMethod' to 'query' or preferably 'both'.

    For production environments it's recommended to use the value of 'path'.

    This should resolve your issue.



    ------------------------------
    JACK YARBOROUGH
    ------------------------------



  • 5.  RE: Unable to Login using AAC Advanced Authentication Mechanism

    Posted Wed November 08, 2023 01:38 PM

    sps.authService.policyKickoffMethod was already set to query... anyway I set it to both...but the error still persists.

     

    Also, accessing https://www.iamlab.ibm.com/mga/sps/authsvc/policy/password_eula gives a similar error:

     

    User error

    FBTAUT003E Authentication service receives invalid policy ID [urn:ibm:security:authentication:asf:password_eula]. Ensure that the policy with the specified ID exist. Please re-access the protected resource.

    /sps/authsvc/policy/password_eula

    2023-11-08T18:34:44Z

     

    Error details

     

    Stack trace

     






  • 6.  RE: Unable to Login using AAC Advanced Authentication Mechanism

    Posted Tue November 21, 2023 11:07 AM

    Hi team, any update on this? I think this is a critical test of verifying if AAC module is working correctly or not and I am not able to complete it.  please help.



    ------------------------------
    Narayan Verma
    ------------------------------



  • 7.  RE: Unable to Login using AAC Advanced Authentication Mechanism

    Posted Wed November 22, 2023 01:47 AM

    Open a support case if you want formal support. The community discussion forum is volunteer-based, with no SLA, and particularly with US thanksgiving on this week volunteers will be thin on the ground. FWIW this seems very much like a configuration problem or page template update issue (if the machine is an upgrade vs fresh install) rather than a product issue.



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 8.  RE: Unable to Login using AAC Advanced Authentication Mechanism

    Posted Thu December 07, 2023 10:32 AM

    Hi Everyone,

    Following same cookbok as Narayan and experiencing exactly  same FBTAUT003E error.

    Suggested fixes make no difference,

    Would be nice if someone could update the cookbook.

    Only difference is with  https://www.iamlab.ibm.com/mga/sps/authsvc/policy/password_eula I am getting:

    FBTAUT001E The request does not contain any of the these required parameters [TransactionId PolicyId StateId]. Please re-access the protected resource.

    /sps/authsvc/policy/password_eula



    ------------------------------
    paul molenda
    ------------------------------



  • 9.  RE: Unable to Login using AAC Advanced Authentication Mechanism

    Posted Thu December 07, 2023 01:33 PM

    For now try setting advanced configuration parameters sps.auto service.policyKickoffMethod to "both". 



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------