Unable to login to vscode Endevor explore after enable MFA/passticket in ENDEVOR
search cancel

Unable to login to vscode Endevor explore after enable MFA/passticket in ENDEVOR

book

Article ID: 401053

calendar_today

Updated On:

Products

Endevor

Issue/Introduction

Follow Endevor document to Set Up PassTicket Authentication or MFA Support

Able to generate passticket using the Endevor rest API /auth call. 

IBM MFA is used for mainframe authentication at site. 

When login to explore for Endevor in vscode using username and 15 plus characters passphrase, got following error in vscode explorer for Endevor log: 

2025-06-02T18:46:16.356Z - Setup Endevor session: https:/host:port/EndevorService/api/v2, rejectUnauthorized: true, type: bearer
2025-06-02T18:46:17.098Z - Endevor credentials are incorrect.
2025-06-02T18:46:17.098Z - [XXXX/XXXX] Unable to fetch environment stages information because of error:
EWS1117I Request processed by SysID XXX, STC XXXX - STC09275
API0034S INVALID USERID OR PASSWORD DETECTED.


Endevor STC log shows:
 ENSRVRAC: PWBS RACROUTE FAILED, PASSWORD INCORRECT
 BC1PAPI 20,034 @ROUT USERID SWAP FAILED RC=00012 USERID=XXXX
 BC1PAPI - API HALTED BECAUSE RC=00020 ENCOUNTERED
 ENSRVRAC: PWBS RACROUTE FAILED, PASSWORD INCORRECT

 

IBM MFA STC shows:
STCMAIN:MFAA Version=4, MFAA Length=296, Application=XXXMFA , STC UserID=XXXX
STCMAIN:Derived Name=        , Session Type=0                                  
STCMAIN:Password length=8, New password length=0, Claim=N/A                    
PLUGHOST:phWEH starting new authTxn for factor AZFRADP1 with flags 0x2         
PLUGHOST:authStateTransition mfaAuthTxn START (2B349218)                       
PLUGHOST:routeAuthResponseWork forcing FACTORS_NOTVALID after compound parse err
STCMAIN:AZF2227I User XXXX denied access in-band by factor AZFRADP1          
STCMAIN:PC return code=0x8, reason code=0x0, abend code=0x0       

Environment

Endevor V19

Endevor exploer vscode extension

Cause

By default, Endevor explore is using passticket for Endevor connection authentication. 

The IBM STC log shows FACTORS_NOTVALID -  which indicating IBM MFA is not configured to recognize the passticket as a valid alternative to the existing factors, IBM MFA can't validate the passticket generated by Endevor REST API (passticket is only 8 characters long - wrapped in a long bearer token).

 

Resolution

Here is the documentation which describes how Endevor passticket auth must be configured when it's used with MFA:

4.(Optional) If you are permitted to access the mainframe only through IBM Multi-Factor Authentication, IBM MFA needs to be configured to recognize the PassTicket as a valid alternative to the existing factors. For more information, see the "Using IBM MFA with PassTickets" topic in the IBM Z Multi-Factor Authentication documentation.

 
Follow IBM Z Multi-Factor Authentication document to enable passticket factor, seek help from IBM if it's needed.  
Powered by Wolken Software