000024214 - Applications that authenticate using HTTP authentication do not set Microsoft Windows Token with Protocal Transition and Password Replay in RSA ClearTrust

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 5Show Document
  • View in full screen mode

Article Content

Article Number000024214
Applies ToRSA ClearTrust Agent 4.6 for Microsoft Internet Information Services (IIS) 6.0
Microsoft Internet Information Server (IIS) 6.0
Microsoft Windows 2000 Professional SP4
Password Replay
Protocol Transition
ctagent.log file shows the following:

1124679643.718:[4004/5096]:<Info>:[GetExtensionVersion]:Domain name: NOZ
1124679643.718:[4004/5096]:<Info>:[GetExtensionVersion]:WildCard map extension loaded
1124679643.718:[4004/5096]:<Debug>:[HttpExtensionProc]:Got uri: /test/
1124679643.718:[4004/5096]:<Critical>:[HttpExtensionProc]:Failed to get HTTP_CT_TOKEN_REQUEST
IssueApplications that authenticate using HTTP authentication do not set Microsoft Windows Token with Protocol Transition and Password Replay in RSA ClearTrust Agent 4.6 for Microsoft Internet Information Services (IIS) 6.0
Protocol Transition fails with a 401.3  error page.
CauseThis occurred because the calls to obtain the Microsoft Windows Token occurred prior to the interception of the HTTP authentication headers
ResolutionThis issue has been resolved in a hot fix for RSA ClearTrust Agent 4.6 for Microsoft Internet Information Services (IIS) 6.0. Contact RSA Security Customer Support to obtain hot fix 4.6.0.72, or request the latest fix level (which is cumulative, and contains fixes from previous fix levels).

NOTE: For HTTP authentication to function correctly, the ClearTrust Agent must be configured with clearturst.agent.ignore_http_auth=FALSE and cleartrust.agent.iis.preproc_auth_enabled=TRUE
NotesNote:  This hotfix has been superseded by hotfix 4.6.0.76.  (see solution RSA ClearTrust Agent 4.6 for Microsoft Internet Information Services (IIS) hot fix 4.6.0.72 breaks Protocol Transition with Preproc DISABLED).  Please do not use this hotfix version, instead request the latest hotfix version from RSA Support.
Note:  This solution is not applicable to older revisions.  Please update your agent to the latest hotfix.  In later hotfixes there is no longer a dependency on the preproc_auth_enabled setting.
Legacy Article IDa27774

Attachments

    Outcomes