RSA ClearTrust Agent 4.6 for Microsoft Internet Information Services (IIS)
Microsoft Internet Information Server (IIS) 6.0
Microsoft Windows Server 2003
Issue: User with no UPN is authenticated to RSA ClearTrust, but not to Microsoft Windows
If RSA ClearTrust is configured for Password Replay or Protocol Transition but the user record has a null value for the user attribute defined as the UPN mapping parameter, the user receives a ClearTrust authentication token, but Microsoft Windows Authentication fails. In this case, a ClearTrust-authenticated user is unable to access resources protected by Windows Access Control Lists (ACLs).
Cause: This behavior is by design. The absence of a UPN value was treated as an indication that no Microsoft Windows Authentication should be attempted for this user. By request, this behavior is now configurable.
Resolution: This issue has been resolved in a hot fix for RSA ClearTrust Agent 4.6 for Microsoft Internet Information Services (IIS) 6.0. Contact RSA Security Customer Support to obtain hot fix 18.104.22.168, or request the latest fix level (which is cumulative and contains fixes from previous fix levels).
In addition to applying the latest hot fix, the following new webagent.conf parameter must be added and set:
# A boolean value that indicates whether the IIS Agent, when enabled to use
# either protocol transition or password replay, should fail a user's SSO into
# a Windows application if the user's UPN is not set or is empty.
# Allowed Values:
# True  Fail the user.
# False Allow the user to proceed as if SSO into Windows were not enabled.
# Default Value:
# This parameter takes effect only if the user's UPN is not set or is empty, and
# only if the IIS Agent is enabled to use either protocol transition or password
# replay for SSO into the Microsoft application.
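The decision the article describes, modelled as an added illustration (not RSA's agent code): a user who already holds a ClearTrust token either has Windows SSO attempted, silently skipped (the original behaviour, which leaves ACL-protected resources unreachable), or failed outright when the new option is set. The parameter name `fail_on_missing_upn`, the record layout and the sample user records are all constructed assumptions; the article does not give the parameter's actual name. The audit helper lists the users an administrator should fix before switching the option to True.

```python
"""Model of the UPN-dependent Windows SSO decision described in the article.

Added illustration, not RSA's code: the option name `fail_on_missing_upn`,
the user-record layout and the sample users are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class WindowsSso(Enum):
    ATTEMPTED = "attempted"       # UPN present: protocol transition / password replay runs
    SKIPPED = "skipped"           # UPN missing, original behaviour: ClearTrust token only
    FAILED = "failed"             # UPN missing, new option True: reject the login up front
    NOT_ENABLED = "not_enabled"   # agent not configured for Windows SSO at all


@dataclass
class AgentConfig:
    windows_sso_enabled: bool          # protocol transition or password replay enabled
    upn_attribute: str                 # user attribute mapped to the UPN
    fail_on_missing_upn: bool = False  # hypothetical name for the new webagent.conf option


def decide_windows_sso(user: dict, cfg: AgentConfig) -> WindowsSso:
    """Return what the agent does for a user who already holds a ClearTrust token."""
    if not cfg.windows_sso_enabled:
        return WindowsSso.NOT_ENABLED
    upn = user.get(cfg.upn_attribute)
    # Null, absent and whitespace-only values are all treated as "no UPN".
    if upn is None or str(upn).strip() == "":
        return WindowsSso.FAILED if cfg.fail_on_missing_upn else WindowsSso.SKIPPED
    return WindowsSso.ATTEMPTED


def users_without_upn(users, cfg: AgentConfig):
    """Audit helper: ids of users whose UPN-mapped attribute is null or empty."""
    return [u["uid"] for u in users
            if decide_windows_sso(u, cfg) in (WindowsSso.SKIPPED, WindowsSso.FAILED)]


# Constructed sample user records (not taken from the article).
SAMPLE_USERS = [
    {"uid": "alice", "userPrincipalName": "alice@corp.example"},
    {"uid": "bob", "userPrincipalName": None},
    {"uid": "carol", "userPrincipalName": "   "},
    {"uid": "dave"},
]

if __name__ == "__main__":
    original = AgentConfig(True, "userPrincipalName", fail_on_missing_upn=False)
    fail_closed = AgentConfig(True, "userPrincipalName", fail_on_missing_upn=True)
    for u in SAMPLE_USERS:
        print(u["uid"], decide_windows_sso(u, original).value,
              "->", decide_windows_sso(u, fail_closed).value)
    print("users needing a UPN before enabling fail-closed:",
          users_without_upn(SAMPLE_USERS, fail_closed))
```

Running the audit against the real user store before setting the option to True avoids turning a silent ACL denial into a blanket login failure for every account whose mapped attribute was never populated.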
Legacy Article ID: a28962