Setup Guide

Troubleshooting RSA SecurID Issues
ID 450
6 Troubleshooting RSA SecurID Issues
When a user with RSA SecurID enabled fails to authenticate, the problem may be in iDRAC or the RSA AM
server.
6.1 Misconfiguration or iDRAC Configuration Gets Reset
First, check the iDRAC Lifecycle Logs for entries that indicate problems with the RSA 2FA configuration.
There can be issues even if all the global settings are set correctly or the RSA AM certificate chain has
been uploaded.
You can test the connection to the configured RSA AM server from the UI; see the Test Connection to RSA AM
Server section for how to run the test. iDRAC detects and reports the issues below to help you troubleshoot.
Test Connection to RSA AM Server may return one of the following codes.
RAC0520: A test connection to the RSA SecurID Server was successful.
RAC0521: Unable to connect to the RSA SecurID Server because either invalid RSA SecurID Server settings are entered, or invalid RSA server certificate is uploaded.
RAC0522: Unable to connect to any RSA SecurID Server because either RSA server certificate is not uploaded to iDRAC or something wrong with the uploaded certificate.
RAC0525: Unable to resolve the hostname of RSA SecurID Server. Ensure DNS servers that are configured and work properly.
RAC0526: Unable to make connection to RSA SecurID Server. Ensure that the server configuration is right and the server is up and running, also check if there are any connectivity issues.
RAC0527: Failed to get response from RSA SecurID Server, ensure that the server is working properly and try again.
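To cross-check the network-side codes independently of iDRAC, the following added example (not part of this guide or of Dell's tooling) probes the same layers the messages distinguish: DNS resolution, TCP reachability, and a TLS handshake verified against a CA chain. The host name, port 5555, and CA file name are assumed placeholder values; run it from a host on the iDRAC management network, because a probe from elsewhere only approximates what iDRAC sees.

```python
import socket
import ssl
import sys


def probe_rsa_am(host, port, ca_file=None, timeout=5.0):
    """Return (stage, detail). stage is 'dns', 'tcp', 'tls' or 'ok'."""
    # Stage 1: name resolution, the layer RAC0525 reports on.
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("dns", str(exc))

    # Stage 2: TCP reachability, the layer RAC0526 reports on.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp", str(exc))

    # Stage 3: TLS handshake with certificate and host name verification,
    # the layer RAC0521/RAC0522 report on. ca_file should be the same CA
    # chain that was uploaded to iDRAC; None falls back to the system store.
    try:
        ctx = ssl.create_default_context(cafile=ca_file)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ("ok", tls.version())
    except (ssl.SSLError, OSError) as exc:
        sock.close()
        return ("tls", str(exc))


if __name__ == "__main__":
    # Assumed placeholder values; substitute the server, port and CA chain
    # configured in the iDRAC RSA SecurID settings.
    host = sys.argv[1] if len(sys.argv) > 1 else "rsa-am.example.invalid"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5555
    ca_file = sys.argv[3] if len(sys.argv) > 3 else None
    stage, detail = probe_rsa_am(host, port, ca_file)
    print(f"{host}:{port} -> {stage}: {detail}")
```

A result of `ok` while iDRAC still reports a failure points back at the iDRAC-side settings or the uploaded certificate rather than at the network path.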
Next, you must ensure that the users are configured to be RSA 2FA enabled, and that the local user is RSA
2FA enabled, or AD users are RSA 2FA enabled, or LDAP users are configured with RSA 2FA enabled as described
in the previous chapter.
You may also check whether the iDRAC has been reset to factory default (without preserving user and network
settings). If so, you must re-configure RSA 2FA on this iDRAC system as described in Chapter 2 and enable RSA
SecurID 2FA on the desired local users, AD users, or LDAP users.
6.2 Datacenter License Expires or Gets Downgraded or Deleted
If an iDRAC Datacenter License is no longer active, all users who are configured with RSA SecurID cannot
log in to the system. Disable RSA SecurID in iDRAC if the system does not have a valid iDRAC Datacenter
license.