Bug ID 689147: Confusing log messages on certain user/role/partition misconfiguration when using remote role groups

Last Modified: Jan 20, 2023

BIG-IP TMOS (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.4, 12.1.5, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.1, 13.1.3, 13.1.4, 13.1.5, 14.0.0, 14.0.1, 14.1.0, 14.1.2, 14.1.3, 14.1.4, 14.1.5

Opened: Oct 17, 2017
Severity: 4-Minor


When using remote role groups to set user/role/partition information, user login fails, but logs in /var/log/secure indicate that authentication was successful.

Errors similar to the following appear in /var/log/ltm:
-- User restriction error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition.
-- Input error: invalid remote user credentials, partition does not exist, broken-partition

Errors similar to the following appear in /var/log/secure:
tac_authen_pap_read: invalid reply content, incorrect key?


The messages in /var/log/secure may be confusing and make it more difficult to diagnose the login failure.


Using remote role groups to set user/role/partition information for remote users, and either of the following:
-- A remote user is configured with the role of administrator, resource administrator, auditor, or web application security administrator, with access to a particular partition, rather than all. (These roles require access to all partitions.)
-- A remote user is configured with partition access set to a partition that does not exist on the BIG-IP system.


Check /var/log/ltm for more specific error messages.
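
One way to automate that check, as an added example that is not part of the original bug record: the script below matches the two /var/log/ltm messages quoted above, maps each to its misconfiguration, and reports whether the "incorrect key?" line in /var/log/secure is explained by them. The function name, result keys, and sample log lines (including their syslog prefixes) are constructed for illustration.

```python
import re

# Message texts quoted in the bug description. Only the text after the syslog
# prefix is matched, because the prefix format is not given on the page.
ROLE_ERR = "roles may not be restricted to a single partition"
PART_ERR = re.compile(
    r"invalid remote user credentials, partition does not exist, (\S+)")
SECURE_HINT = "tac_authen_pap_read: invalid reply content, incorrect key?"


def triage(ltm_lines, secure_lines):
    """Classify /var/log/ltm errors and report whether the /var/log/secure
    'incorrect key?' hint is consistent with this misconfiguration."""
    findings = []
    for line in ltm_lines:
        if "User restriction error:" in line and ROLE_ERR in line:
            # Role needs access to all partitions but was given a single one.
            findings.append({"cause": "role-requires-all-partitions",
                             "partition": None})
            continue
        m = PART_ERR.search(line)
        if m:
            # Assumption: the trailing token is the configured partition name.
            findings.append({"cause": "partition-does-not-exist",
                             "partition": m.group(1)})
    hint_seen = any(SECURE_HINT in line for line in secure_lines)
    return {"findings": findings,
            "secure_hint_explained": hint_seen and bool(findings)}


# Constructed sample lines: the prefixes are invented, the messages are the
# ones quoted in the bug description.
SAMPLE_LTM = [
    "Oct 17 09:00:01 bigip-a User restriction error: The administrator, "
    "resource administrator, auditor and web application security "
    "administrator roles may not be restricted to a single partition.",
    "Oct 17 09:00:02 bigip-a Input error: invalid remote user credentials, "
    "partition does not exist, broken-partition",
    "Oct 17 09:00:03 bigip-a unrelated message that must be ignored",
]
SAMPLE_SECURE = [
    "Oct 17 09:00:01 bigip-a tac_authen_pap_read: invalid reply content, "
    "incorrect key?",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LTM, SAMPLE_SECURE)
    for finding in result["findings"]:
        print(finding["cause"], finding["partition"] or "")
    print("secure hint explained:", result["secure_hint_explained"])
```
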

