|Applies To||ClearTrust Web Agent IIS V4.6 Agent|
|Issue||Cleartrust 4.6 Agent for IIS: Does the agent validate tokens when processing a request for an excluded resource?|
When a resource is excluded by the agent, by: listing it as an excluded URL or extension; by using the rules.xml file; the agent log still shows the agent contacting the authorization server and validating the token if a CTSESSION cookie is present.
|Cause||The order in which the agent processes requests puts token validation before any attempts to check the status of the requested resource. When the agent gets to the phase of checking resource status, it first checks the resource against rules in the rules.xml file, followed by attempting to match the requested resource against the URL exclusion list and the extension exclusion list.|
|Resolution||This behavior is correct and noted as 'functions as designed'.|
|Legacy Article ID||a33877|