000014470 - AxM 4.8 Agent: Authenticated users are unexpectedly directed to the logon page.

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000014470
Applies To: RSA Access Manager Agent 4.8 for IIS 6.0
Issue: AxM 4.8 Agent: Authenticated users are unexpectedly directed to the logon page.

The ct_agent.log file shows the following:

2009-04-28 15:34:00 +0100 - [4736] - <Security> - Token IP and client IP address do not match?

Cause: With cookie IP checking enabled, the agent rejects any authorization attempt that presents a token issued to a different IP address than the one the request now arrives from. Users presenting session tokens that do not meet this criterion will not be authorized and will be sent to the logon page. The intent of this setting is specifically to prevent users from using an intermediary, such as a proxy, to do IP spoofing. Users behind proxies will be unable to authenticate unless the AxM agent is specifically configured to allow the proxies to forward the client IP information. For additional information, see the webagent.conf settings cleartrust.agent.trusted_proxy_header_name, cleartrust.agent.trusted_proxy_list, and cleartrust.agent.trusted_proxy_strict_mode.
Resolution: Check the value of the webagent.conf setting cleartrust.agent.cookie_ip_check. Cookie IP checking should only be enabled if it is known that no proxy server(s) will exist between the client browser and the web agent.
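The following is an added illustration of the decision the Cause and Resolution sections describe; it is not RSA's agent code. It models the cookie IP check as a small Python function whose configuration fields are named after the webagent.conf settings the article cites. The exact semantics of the trusted-proxy settings are not documented on this page, so the model assumes that a forwarding header (assumed here to be X-Forwarded-For) is honoured only when the connecting peer is in the trusted proxy list, and that strict mode rejects a request whose forwarding header arrives from an untrusted peer instead of ignoring the header. All IP addresses and scenarios are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Field names mirror the cleartrust.agent.* settings named in the article.
# Default values and the proxy semantics below are assumptions for this
# illustration, not the product's documented behaviour.
@dataclass
class AgentConfig:
    cookie_ip_check: bool = True
    trusted_proxy_header_name: Optional[str] = None   # e.g. "X-Forwarded-For" (assumed)
    trusted_proxy_list: List[str] = field(default_factory=list)
    trusted_proxy_strict_mode: bool = False


def effective_client_ip(cfg: AgentConfig, peer_ip: str,
                        headers: Dict[str, str]) -> Optional[str]:
    """Return the IP the agent should treat as the client's, or None to reject.

    Assumed semantics: the forwarding header is trusted only when the TCP peer
    is a listed proxy. In strict mode an untrusted peer that supplies the header
    is rejected outright; otherwise the header is ignored and the peer IP is used.
    """
    header = cfg.trusted_proxy_header_name
    lowered = {k.lower(): v for k, v in headers.items()}
    forwarded = lowered.get(header.lower()) if header else None
    if forwarded is None:
        return peer_ip
    if peer_ip in cfg.trusted_proxy_list:
        # Take the client-most (first) entry of a comma-separated chain.
        return forwarded.split(",")[0].strip()
    if cfg.trusted_proxy_strict_mode:
        return None
    return peer_ip


def authorize(cfg: AgentConfig, token_ip: str, peer_ip: str,
              headers: Dict[str, str]) -> Tuple[bool, Optional[str]]:
    """Apply the cookie IP check; return (authorized, log_message).

    The log message reuses the wording of the ct_agent.log line quoted in the
    article so the output can be matched against a real log.
    """
    if not cfg.cookie_ip_check:
        return True, None
    client_ip = effective_client_ip(cfg, peer_ip, headers)
    if client_ip is None or client_ip != token_ip:
        return False, "<Security> - Token IP and client IP address do not match?"
    return True, None


if __name__ == "__main__":
    # Constructed scenarios: a direct client, a client whose requests leave a
    # proxy pool via two different egress addresses, and the same pool once
    # the agent is told to trust it.
    direct = AgentConfig()
    print(authorize(direct, "198.51.100.10", "198.51.100.10", {}))
    # Token issued via proxy 192.0.2.1, next request arrives via 192.0.2.2:
    print(authorize(direct, "192.0.2.1", "192.0.2.2",
                    {"X-Forwarded-For": "198.51.100.10"}))
    trusted = AgentConfig(trusted_proxy_header_name="X-Forwarded-For",
                          trusted_proxy_list=["192.0.2.1", "192.0.2.2"])
    print(authorize(trusted, "198.51.100.10", "192.0.2.2",
                    {"X-Forwarded-For": "198.51.100.10"}))
```

Running the scenarios shows why the article's symptom appears: with cookie IP checking on and no trusted proxies, the second request is rejected with the quoted message, while the same request is accepted once the proxy addresses are listed and the forwarding header is named. Disabling cookie_ip_check removes the symptom but also the IP-binding protection, which is why the article ties the decision to whether proxies sit between browser and agent.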

Other agent errors can also result in the user being sent to the logon screen. For example, the idle timeout and session timeout values can cause a user to be directed to the logon page. Note that these messages are all at the <Security> log level and will not display at the <Critical> level (which is the default logging level). These agent-level errors will log to the aserver log files, for example:

2009-04-28 15:34:00 +0100 - [4736] - <Security> - User user1 has an expired session

Legacy Article ID: a45787