Bug ID 689147: Confusing log messages on certain user/role/partition misconfiguration when using remote role groups

Last Modified: Apr 24, 2024

Affected Product(s):
BIG-IP TMOS (all modules)

Known Affected Versions:
12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.1, 13.1.3, 13.1.4, 13.1.5, 14.0.0, 14.0.1, 14.1.0, 14.1.2, 14.1.3, 14.1.4, 14.1.5, 15.1.0, 15.1.1, 15.1.2, 15.1.3, 15.1.4, 15.1.5, 15.1.6, 15.1.7, 15.1.8, 15.1.9, 15.1.10, 16.1.0, 16.1.1, 16.1.2, 16.1.3, 16.1.4

Opened: Oct 17, 2017

Severity: 4-Minor


When using remote role groups to set user/role/partition information, user login fails, but logs in /var/log/secure indicate that authentication was successful.

Errors similar to the following appear in /var/log/ltm:
-- User restriction error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition.
-- Input error: invalid remote user credentials, partition does not exist, broken-partition

Errors similar to the following appear in /var/log/secure:
tac_authen_pap_read: invalid reply content, incorrect key?


The messages in /var/log/secure may be confusing and make it more difficult to diagnose the login failure.


Using remote role groups to set user/role/partition information for remote users, and either of the following:
-- A remote user is configured with the role of administrator, resource administrator, auditor, or web application security administrator, with access to a particular partition, rather than all. (These roles require access to all partitions.)
-- A remote user is configured with partition access set to a partition that does not exist on the BIG-IP system.


Check /var/log/ltm for more specific error messages.
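
One way to act on the workaround above, as an added example (not F5 code): a small shell triage that maps the two /var/log/ltm messages quoted on this page to the misconfiguration behind each. The function names, output labels and sample log prefixes are assumptions; only the message text comes from this page.

```shell
#!/bin/sh
# Added example: classify /var/log/ltm lines for the two causes on this page.

# classify_ltm_line LINE -> prints a cause label, or nothing if unrelated.
classify_ltm_line() {
    # Match case-insensitively; capitalisation in real logs may differ.
    lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$lc" in
        *"user restriction error:"*"may not be restricted to a single partition"*)
            # Role needs all partitions but the remote role group names one.
            echo "role-requires-all-partitions" ;;
        *"invalid remote user credentials, partition does not exist, "*)
            # The partition name is the text after the last ", ".
            echo "missing-partition:${1##*, }" ;;
    esac
}

# triage_ltm: reads log lines on stdin, prints each distinct cause once.
triage_ltm() {
    while IFS= read -r line; do
        classify_ltm_line "$line"
    done | sort -u
}

# Constructed sample lines: timestamps, host and process name are made up;
# the message text is the text quoted on this page.
sample_ltm() {
cat <<'EOF'
Oct 17 10:00:01 bigip1 err proc[1234]: User restriction error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition.
Oct 17 10:05:12 bigip1 err proc[1234]: Input error: invalid remote user credentials, partition does not exist, broken-partition
Oct 17 10:05:12 bigip1 err proc[1234]: Input error: invalid remote user credentials, partition does not exist, broken-partition
Oct 17 10:06:00 bigip1 notice proc[1234]: unrelated message
EOF
}

# Demo on the constructed sample; on a real system: triage_ltm < /var/log/ltm
sample_ltm | triage_ltm
```

A `missing-partition:` result names the partition to create or remove from the remote role group; `role-requires-all-partitions` points at a role group whose partition access must be set to all.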

Fix Information


Behavior Change
