The failed-authentication alarm is raised when a component in the Curity Identity Server fails to authenticate against a remote host. This could be against a data source such as MySQL or LDAP, or an HTTP Service such as BankID or Duo.
The reason for this alarm can be a faulty configuration in the Curity Identity Server or faulty configuration at the remote host. Credentials may have expired or changed since the configuration was made.
The severity is at least minor since parts of the system are already affected.
Immediate action is required. The remote resource cannot be accessed. Immediate action is required if the state of this alarm is raised.
Fig. 6 Failed to authenticate against remote service
This alarm can be raised by two types of components in the Curity Identity Server.
Data Sources will raise this alarm if authentication fails against the remote host. However some data sources rely on HTTP clients for connections, such as the Scim and Json data sources. These will not raise this alarm, but will instead be listed as impacted resources when the HTTP client raises the alarm.
This alarm is disabled by default for HTTP clients, but when enabled HTTP clients will raise this alarm when a the remote host responds with a 401 that cannot be handled by the configured HTTP client.
This alarm is raised when the Curity Identity Server fails to authenticate against the remote host using the configured credentials.
This alarm is cleared the next time the authentication is successful.
It is possible to enable the failed authentication alarm for HTTP clients. This can be useful when the 401 response is not part of the expected responses from the HTTP server.
To enable the failed authentication alarm using the CLI do:
set facilities http client YOUR_HTTP_CLIENT_ID client-alarms enable-failed-authentication-alarm true