000022510 - User with no UPN is authenticated to RSA ClearTrust but not to Microsoft Windows

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.

Article Content

Article Number 000022510
Applies To
RSA ClearTrust Agent 4.6 for Microsoft Internet Information Services (IIS)

Microsoft Internet Information Server (IIS) 6.0
Microsoft Windows Server 2003
Issue
User with no UPN is authenticated to RSA ClearTrust, but not to Microsoft Windows.
If the RSA ClearTrust Agent is configured for Password Replay or Protocol Transition but the user record has a null value in the attribute mapped as the UPN (the attribute named by the UPN mapping parameter), the user receives a ClearTrust authentication token but Windows authentication fails. The user is therefore authenticated to ClearTrust yet unable to access resources protected by Windows access control lists (ACLs), and nothing in the agent reports why.
Cause
This behavior is by design. The agent treats an absent UPN value as an indication that no Windows authentication should be attempted for that user, so the request proceeds with a ClearTrust identity only. By customer request, this behavior is now configurable.
Resolution
This issue is resolved in a hot fix for RSA ClearTrust Agent 4.6 for Microsoft Internet Information Services (IIS) 6.0. Contact RSA Security Customer Support to obtain hot fix 4.6.0.86, or request the latest fix level (fix levels are cumulative and contain the fixes from all previous levels).

In addition to applying the hot fix, add the following new parameter to webagent.conf and set it to True. With the default value of False the agent keeps the original behavior (the user proceeds with a ClearTrust token but no Windows identity); with True the agent fails the user's authentication outright when the UPN is not set, so the problem surfaces as an explicit authentication failure rather than as unexplained ACL denials. Note that True locks out every user whose mapped UPN attribute is empty, so populate that attribute for affected accounts before or when enabling it:

    # A boolean value that indicates whether or not IIS Agent, if enabled to use
    # either protocol transition or password replay, should fail a user to SSO into
    # Windows application, if user UPN is not set or is empty.
    #
    # Allowed Values:
    #   True     Fail the user.
    #   False    Allow to proceed as if SSO into Windows is not enabled.
    #
    # Default Value:
    #   False
    #
    # Dependencies:
    #   This parameter is effective only if user UPN is not set or is empty, and
    #   if IIS Agent is enabled to use either protocol transition or password
    #   replay to SSO into Microsoft application.
    #
    cleartrust.agent.iis.fail_unset_upn=True
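Before setting fail_unset_upn=True it is worth knowing which accounts will be rejected. The following PowerShell script is an added example (it is not part of the RSA article or the ClearTrust product) that lists Active Directory user accounts whose userPrincipalName is empty, using ADSI (System.DirectoryServices) so that it also runs on Windows Server 2003-era hosts without the ActiveDirectory module. The search base and the attribute name are assumptions: if your UPN mapping parameter points at an attribute other than userPrincipalName, pass that name instead.

```powershell
# Added example, not from the RSA article: enumerate AD user accounts with no
# value in the attribute that ClearTrust maps as the UPN. These are the accounts
# that cannot SSO into Windows under Password Replay / Protocol Transition and
# that cleartrust.agent.iis.fail_unset_upn=True will reject outright.
param(
    # Assumed search base; point it at your domain or the OU ClearTrust users live in.
    [string]$SearchBase = "LDAP://DC=example,DC=com",
    # Assumed attribute; change it if the UPN mapping parameter names a different one.
    [string]$UpnAttribute = "userPrincipalName"
)

$root     = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)

# User objects (objectCategory=person, objectClass=user) where the attribute is absent.
# In LDAP an attribute with no value is simply not present, so (!(attr=*)) matches it.
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(!($UpnAttribute=*)))"
$searcher.PageSize = 1000          # paged search so large domains are not truncated
[void]$searcher.PropertiesToLoad.Add("sAMAccountName")
[void]$searcher.PropertiesToLoad.Add("distinguishedName")
[void]$searcher.PropertiesToLoad.Add("userAccountControl")

$results = $searcher.FindAll()
$missing = foreach ($r in $results) {
    $uac = [int]$r.Properties["useraccountcontrol"][0]
    New-Object PSObject -Property @{
        sAMAccountName    = [string]$r.Properties["samaccountname"][0]
        DistinguishedName = [string]$r.Properties["distinguishedname"][0]
        Disabled          = (($uac -band 0x2) -ne 0)   # ACCOUNTDISABLE bit of userAccountControl
    }
}
$results.Dispose()

# Disabled accounts cannot log on anyway; the enabled ones are the users who will
# be locked out of the ClearTrust-protected application once the parameter is True.
$missing | Sort-Object sAMAccountName | Format-Table sAMAccountName, Disabled, DistinguishedName -AutoSize
"{0} enabled account(s) without a UPN" -f @($missing | Where-Object { -not $_.Disabled }).Count
```

Run it as an account with read access to the user objects; it makes no changes. Fix the accounts it lists (by populating the UPN attribute, or by confirming they should not reach the Windows-protected application), then enable the parameter so that the remaining cases fail closed with a clear authentication error instead of a ClearTrust session that cannot pass Windows ACL checks.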
Legacy Article ID a28962
