AZF2227I User 'acid' Denied Access In-Band By Factor AZFCKCTC With Top Secret
Article ID: 244111
Updated On:
Products
Issue/Introduction
IBM's MFA is successfully running on the source system using policy pppppppp. When attempting to use Check CTC on the destination (to share a token generated on the source system and use that token on the destination system), the following error occurs (on the destination system):
TSS7065E Unable to validate signon credentials at this time
The Top Secret OMVS report showed this:
R_auditx acid group 0 0 0 0 0
06/13/22 22.164 15.17.40 MFA destsys
Successful - Log record written
FMID: xxxxxxx Subtype: 7
Attribute: Authentication
Event Result: Failure Reason for log: Logging failures
Event ID: 1 Qualifier: 8
Compnt: 5655MFA01 - IBM Multi-Factor Authentication for z/OS
LOGSTR: AZF2227I User 'acid' denied access in-band by factor AZFCKCTC
Relocate data: 100 acid
101 AZFCKCTC
104 acid
107 6
Environment
Release : 16.0
Component : Top Secret for z/OS
Resolution
The 'acid' having the problem had the following:
1) MFA data on the destination system:
----------- SEGMENT MFPOLICY
MFPOLICY = pppppp
----------- SEGMENT MFA
FACTOR = ffffff
MFACTIVE = NO
TAGS = REGSTATE:OPEN
FACTOR = AZFCKCTC
MFACTIVE = YES
TAGS = ALTUSERID:acid
The MFACTOR(ffffff) needed to be removed:
TSS REMOVE(acid) MFACTOR(ffffff) TARGET(=)
On the source system, the acid having the problem had the following MFA data:
----------- SEGMENT MFPOLICY
MFPOLICY = pppppp
----------- SEGMENT MFA
FACTOR = ffffff
MFACTIVE = NO
TAGS = REGSTATE:OPEN
FACTOR = AZFCKCTC
MFACTIVE = YES
TAGS = ALTUSERID:acid
The MFACTOR(AZFCKCTC) needed to be removed:
TSS REMOVE(acid) MFACTOR(AZFCKCTC) TARGET(=)
NOTE: TARGET(=) is needed for sites using CPF so the command does not propagate to other systems.
2) The acid also needed new certificates loaded on the PIV card. Then the MFA connection worked on the source system and CTC worked on the destination system.
Feedback
