AZF2227I User 'acid' Denied Access In-Band By Factor AZFCKCTC With Top Secret

Article ID: 244111

Products

Top Secret

Issue/Introduction

IBM MFA is running successfully on the source system with policy pppppppp. When Check CTC is used on the destination system (to share a token generated on the source system and use that token on the destination system), the following error occurs on the destination system:

TSS7065E Unable to validate signon credentials at this time      

The Top Secret OMVS report showed this:

R_auditx         acid    group           0           0   0      0      0
06/13/22  22.164   15.17.40 MFA                        destsys
Successful - Log record written
                         FMID: xxxxxxx   Subtype:        7
 Attribute: Authentication
 Event Result: Failure    Reason for log: Logging failures
 Event ID:        1    Qualifier:        8
 Compnt: 5655MFA01 - IBM Multi-Factor Authentication for z/OS
 LOGSTR: AZF2227I User 'acid' denied access in-band by factor AZFCKCTC
 Relocate data:      100 acid
                     101 AZFCKCTC
                     104 acid
                     107 6
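The audit record above is what a defender has to work from when an in-band MFA denial is reported. The following is an added example, not part of this article, showing how to parse a Top Secret OMVS report entry in the layout shown above into its fields (event result, reason, event ID, qualifier, the AZF2227I LOGSTR and the relocate data) and flag it as an MFA denial. The sample record is constructed from the page's own listing; the column layout is assumed to match that listing, and the meaning of the relocate codes is not interpreted beyond what the page shows.

```python
import re

# Constructed sample: one R_auditx entry in the layout shown on this page.
# User, group, system and FMID values are placeholders, not real site data.
SAMPLE_REPORT = """\
R_auditx         acid    group           0           0   0      0      0
06/13/22  22.164   15.17.40 MFA                        destsys
Successful - Log record written
                         FMID: xxxxxxx   Subtype:        7
 Attribute: Authentication
 Event Result: Failure    Reason for log: Logging failures
 Event ID:        1    Qualifier:        8
 Compnt: 5655MFA01 - IBM Multi-Factor Authentication for z/OS
 LOGSTR: AZF2227I User 'acid' denied access in-band by factor AZFCKCTC
 Relocate data:      100 acid
                     101 AZFCKCTC
                     104 acid
                     107 6
"""

# AZF2227I LOGSTR: message id, quoted user id and the denying factor name.
LOGSTR_RE = re.compile(
    r"LOGSTR:\s*(?P<msg>\S+)\s+User '(?P<user>[^']+)'.*?by factor (?P<factor>\S+)"
)
# "Key: value" pairs; a value ends at two or more spaces or at end of line,
# so "Reason for log: Logging failures" keeps its embedded single space.
FIELD_RE = re.compile(
    r"(Event Result|Reason for log|Event ID|Qualifier|Subtype):\s*(.+?)(?=\s{2,}|\s*$)"
)
# Relocate data lines: a three-digit code followed by its value.
RELOC_RE = re.compile(r"\s*(\d{3})\s+(\S.*?)\s*$")


def parse_audit_entry(text: str) -> dict:
    """Parse one OMVS report entry into a flat dict plus a 'relocate' sub-dict."""
    entry = {"relocate": {}}
    in_reloc = False
    for line in text.splitlines():
        if "Relocate data:" in line:
            in_reloc = True
            line = line.split("Relocate data:", 1)[1]
        if in_reloc:
            # Relocate data is the last part of the record; each line is code + value.
            m = RELOC_RE.match(line)
            if m:
                entry["relocate"][int(m.group(1))] = m.group(2)
            continue
        m = LOGSTR_RE.search(line)
        if m:
            entry.update(msg=m.group("msg"), user=m.group("user"), factor=m.group("factor"))
            continue
        for key, val in FIELD_RE.findall(line):
            entry[key] = val
    return entry


def is_mfa_denial(entry: dict) -> bool:
    """True when the record is an AZF2227I in-band denial logged as a Failure."""
    return entry.get("msg") == "AZF2227I" and entry.get("Event Result") == "Failure"


def summarize(entry: dict) -> str:
    """One-line summary suitable for a detection alert."""
    return (f"user {entry['user']} denied by factor {entry['factor']} "
            f"(event {entry['Event ID']}, qualifier {entry['Qualifier']})")


if __name__ == "__main__":
    rec = parse_audit_entry(SAMPLE_REPORT)
    if is_mfa_denial(rec):
        print(summarize(rec))
```

Running the module prints the summary for the constructed record; in practice the parser would be fed the report split into entries, with each flagged denial correlated with the acid's MFA segment on the system that produced the record.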

Environment

Release : 16.0

Component : Top Secret for z/OS

Resolution

The 'acid' having the problem had the following:

1) MFA data on the destination system:

-----------  SEGMENT MFPOLICY
MFPOLICY   = pppppp
-----------  SEGMENT MFA
FACTOR     = ffffff
MFACTIVE   = NO
TAGS       = REGSTATE:OPEN
FACTOR     = AZFCKCTC
MFACTIVE   = YES
TAGS       = ALTUSERID:acid

The MFACTOR(ffffff) needed to be removed:

     TSS REMOVE(acid) MFACTOR(AZFCERT1) TARGET(=) 

On the source system, the acid having the problem had the following MFA data:

-----------  SEGMENT MFPOLICY
MFPOLICY   = pppppp
-----------  SEGMENT MFA
FACTOR     = ffffff
MFACTIVE   = NO
TAGS       = REGSTATE:OPEN
FACTOR     = AZFCKCTC
MFACTIVE   = YES
TAGS       = ALTUSERID:acid

The MFACTOR(AZFCKCTC) needed to be removed:

     TSS REMOVE(acid) MFACTOR(AZFCKCTC) TARGET(=) 

NOTE: TARGET(=) is needed at sites using CPF (the Command Propagation Facility) so that the command is processed only on the local system and does not propagate to other systems.

2) The acid also needed new certificates loaded on its PIV card. After that, the MFA connection worked on the source system and CTC worked on the destination system.
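Checking the MFA segment of one acid by hand is easy; reviewing many acids across two systems is not. The following is an added example, not part of this article or of Top Secret, that parses the MFPOLICY and MFA segment listing in the layout shown above, reports factors that are still defined but MFACTIVE=NO (the situation on the destination system in step 1), and builds the corresponding TSS REMOVE command with TARGET(=) so it stays local under CPF. The sample listing is constructed from the page's own output, and the listing layout is assumed to match it.

```python
import re

# Constructed sample: MFPOLICY and MFA segments of one acid, in the layout shown
# on this page (policy and factor names are placeholders).
SAMPLE_LIST = """\
-----------  SEGMENT MFPOLICY
MFPOLICY   = pppppp
-----------  SEGMENT MFA
FACTOR     = ffffff
MFACTIVE   = NO
TAGS       = REGSTATE:OPEN
FACTOR     = AZFCKCTC
MFACTIVE   = YES
TAGS       = ALTUSERID:acid
"""

KV_RE = re.compile(r"(\w+)\s*=\s*(.*?)\s*$")


def parse_mfa_segments(text: str) -> dict:
    """Return {'policy': str | None, 'factors': [{'factor', 'active', 'tags'}, ...]}."""
    policy = None
    factors = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----------"):
            current = None          # segment header; FACTOR lines follow inside SEGMENT MFA
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, val = m.groups()
        if key == "MFPOLICY":
            policy = val
        elif key == "FACTOR":
            current = {"factor": val, "active": None, "tags": {}}
            factors.append(current)
        elif key == "MFACTIVE" and current is not None:
            current["active"] = (val == "YES")
        elif key == "TAGS" and current is not None:
            tag, _, tval = val.partition(":")   # TAGS values are NAME:value
            current["tags"][tag] = tval
    return {"policy": policy, "factors": factors}


def inactive_factors(parsed: dict) -> list:
    """Factors defined on the acid but not active (MFACTIVE=NO)."""
    return [f["factor"] for f in parsed["factors"] if not f["active"]]


def remove_command(acid: str, factor: str, local_only: bool = True) -> str:
    """Build the TSS REMOVE for a factor; TARGET(=) keeps it local under CPF."""
    cmd = f"TSS REMOVE({acid}) MFACTOR({factor})"
    return cmd + " TARGET(=)" if local_only else cmd


if __name__ == "__main__":
    seg = parse_mfa_segments(SAMPLE_LIST)
    print(f"policy: {seg['policy']}")
    for name in inactive_factors(seg):
        print(remove_command("acid", name))
```

Which factor should actually be removed is a site decision, as step 1 shows: on the destination system the inactive factor was removed, while on the source system it was the active AZFCKCTC factor. The helper only surfaces the candidates and formats the command; it does not issue it.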