000014819 - User redirected to logon page with Outlook Web Access integration

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000014819
Applies To: ClearTrust Authorization Server 6.0
Win 2003 Server
Microsoft Exchange 2003
Outlook Web Access (OWA)
Outlook Web Access is configured with a Front-End (FE) and Back-End (BE) server. The ClearTrust Agent is installed on both servers.
Issue: User redirected to logon page with Outlook Web Access integration

Error messages in the agent.log file of the back-end (BE) server's agent:

<Security> - Token IP and client IP address do not match

<Debug> - Status is 2 (CT_AUTH_BAD_PASSWORD)

Cause: When OWA is configured with separate FE and BE servers, the FE server acts as a proxy server for the BE server. By default ClearTrust checks the contents of the CTSESSION cookie and compares the IP address the client used to log on with the IP address of the current HTTP request, to detect a cookie-spoofing attempt. If the IP addresses do not match, the cookie is rejected. When the web agent sits behind a proxy server, the request carries the proxy server's IP address instead of the client browser's, so every cookie is rejected by the server behind the proxy.
Resolution:

Disable the IP checking feature on the BE server by setting the following webagent.conf file setting on the BE server agent.

cleartrust.agent.cookie_ip_check=False

This is sufficient if the BE server is not accessible by clients (the default). If users can reach the back-end server directly, you may want to keep the IP check enabled and set up more granular control, as described in the documentation for this setting in the webagent.conf file.
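The following is an added illustration, not ClearTrust code and not the article's own content: a simplified model of the cookie IP check described in the Cause section, run through the FE/BE topology. The `SessionCookie` class, `validate_cookie` function and the `trusted_proxies` allowlist are hypothetical stand-ins chosen for this example (the allowlist only illustrates the idea of "more granular control"; it is not a documented webagent.conf key), and the IP addresses are constructed sample values from the RFC 5737 documentation ranges.

```python
# Added illustration (not ClearTrust code): a simplified model of the
# session-cookie IP check and of what a front-end proxy does to it.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class SessionCookie:
    """Stand-in for the CTSESSION cookie: the user plus the client IP recorded at logon."""
    user: str
    logon_ip: str


def validate_cookie(cookie: SessionCookie, request_ip: str,
                    cookie_ip_check: bool = True,
                    trusted_proxies: FrozenSet[str] = frozenset()) -> Tuple[bool, str]:
    """Model of the BE agent's decision for one request.

    trusted_proxies is a hypothetical allowlist used here only to show what
    'granular control' could look like; it is not a webagent.conf setting.
    """
    if not cookie_ip_check:
        return True, "accepted: cookie_ip_check=False"
    if cookie.logon_ip == request_ip:
        return True, "accepted: token IP matches client IP"
    if request_ip in trusted_proxies:
        return True, "accepted: request arrived via a trusted proxy"
    return False, "<Security> - Token IP and client IP address do not match"


def via_front_end(cookie: SessionCookie, fe_ip: str, **be_settings) -> Tuple[bool, str]:
    """The FE terminates the client connection and re-issues the request to the BE,
    so the BE agent sees the FE's IP address, never the browser's."""
    return validate_cookie(cookie, fe_ip, **be_settings)


# Constructed sample addresses (RFC 5737 documentation ranges).
CLIENT_IP = "192.0.2.10"
FE_IP = "198.51.100.5"
OTHER_IP = "203.0.113.77"


def run_scenarios() -> Dict[str, bool]:
    """Outcome (accepted=True) of each topology/setting combination."""
    alice = SessionCookie("alice", CLIENT_IP)
    return {
        # Client talks to the BE directly: the default check passes.
        "direct_to_be_check_on": validate_cookie(alice, CLIENT_IP)[0],
        # Through the FE proxy with the default check: every cookie is rejected.
        "via_fe_check_on": via_front_end(alice, FE_IP)[0],
        # The article's resolution: cleartrust.agent.cookie_ip_check=False on the BE.
        "via_fe_check_off": via_front_end(alice, FE_IP, cookie_ip_check=False)[0],
        # Hypothetical granular alternative: accept the known FE address only.
        "via_fe_trusted_proxy": via_front_end(alice, FE_IP, trusted_proxies=frozenset({FE_IP}))[0],
        # The case the check exists to catch: the cookie presented from a different IP.
        "cookie_from_other_ip_check_on": validate_cookie(alice, OTHER_IP)[0],
        # Why the article says to keep the check if clients can reach the BE directly.
        "cookie_from_other_ip_check_off": validate_cookie(alice, OTHER_IP, cookie_ip_check=False)[0],
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:32s} {'accepted' if ok else 'rejected'}")
```

The two "cookie_from_other_ip" rows are the trade-off behind the last paragraph of the resolution: disabling the check makes the FE/BE setup work, but it also removes the only IP-based signal on the BE, which matters if the BE is reachable without going through the FE.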

Legacy Article ID: a41329
