Failed Authentication

ID failed-authentication
Type external-service
Minimum Severity minor
Node Specific yes

The failed-authentication alarm is raised when a component in the Curity Identity Server fails to authenticate against a remote host. This could be against a data source such as MySQL or LDAP, or an HTTP Service such as BankID or Duo.

The reason for this alarm can be a faulty configuration in the Curity Identity Server or faulty configuration at the remote host. Credentials may have expired or changed since the configuration was made.

The severity is at least minor since parts of the system are already affected.


Immediate action is required. The remote resource cannot be accessed. Immediate action is required if the state of this alarm is raised.


Fig. 6 Failed to authenticate against remote service

Alarming Resources

This alarm can be raised by two types of components in the Curity Identity Server.

  • Data Sources
  • HTTP Clients

Data Sources

Data Sources will raise this alarm if authentication fails against the remote host. However some data sources rely on HTTP clients for connections, such as the Scim and Json data sources. These will not raise this alarm, but will instead be listed as impacted resources when the HTTP client raises the alarm.

HTTP Clients

This alarm is disabled by default for HTTP clients, but when enabled HTTP clients will raise this alarm when a the remote host responds with a 401 that cannot be handled by the configured HTTP client.

Raising Conditions

This alarm is raised when the Curity Identity Server fails to authenticate against the remote host using the configured credentials.

Clearing Conditions

This alarm is cleared the next time the authentication is successful.

Suggested Actions

  • Verify that the account used exists on the remote service, and isn’t locked.
  • Inspect the logs of the remote host, or contact support of the service provider.
  • Inspect the logs of the affected Curity Identity Server runtime node at the time of this alarm.
  • Verify the configured credentials for this resource.

Configuration Options

HTTP Clients

It is possible to enable the failed authentication alarm for HTTP clients. This can be useful when the 401 response is not part of the expected responses from the HTTP server.

To enable the failed authentication alarm using the CLI do:

set facilities http client YOUR_HTTP_CLIENT_ID client-alarms enable-failed-authentication-alarm true