000015732 - Authentication screen loops/no re-direct when IP address is used instead of FQDN in URL

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000015732

Applies To:
ClearTrust Servers 5.5.3
Access Manager 6.0.x
Access Manager agent 4.7
Microsoft Internet Information Services (IIS) 5
Apache 2.0.52

Issue:
When using form-based authentication, if the URL contains the IP address instead of the FQDN, the authentication screen loops (no ACTSESSION or CTSESSION cookie) even though you have authenticated successfully.
You may see the message "Successful authentication. Use your browser to access the requested resource".
Using the FQDN in the URL works: the URL is retained and the redirect occurs successfully after authentication.
Resolution:

The looping occurs because SSO relies on a DNS name; without one, the browser cannot send the session cookie back to the server. One way to work around this symptom is to define a VirtualHost block in webagent.conf (located by default in 'C:\Program Files\RSA\Access Manager Agent 4.7\IIS\conf' on IIS or '/opt/agent/agent-apache2-46/conf' for Apache) that cites the IP address of the system. Within that VirtualHost block, also remove the cookie domain information.

Here is an example in webagent.conf, where the webserver FQDN is astrachan04.csuk.eu.rsa.net and the IP address is 10.148.129.224:

<VirtualHost address=10.148.129.224 name=* port=*>
cleartrust.agent.cookie_domain=
cleartrust.agent.sso=True
cleartrust.agent.web_server_name=astrachan04
</VirtualHost>

Note the absence of the domain name in the cleartrust.agent.cookie_domain parameter.
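The following is an added illustration, not part of the RSA article or the agent's own code: it models the browser-side cookie Domain rules of RFC 6265 to show why a domain-scoped session cookie is dropped when the URL uses the IP address, and why an empty cookie domain avoids the loop. The cookie domain value ".csuk.eu.rsa.net" is an assumption derived from the FQDN in the example above; the function names are hypothetical.

```python
import ipaddress

FQDN = "astrachan04.csuk.eu.rsa.net"   # web server FQDN from the article
IP = "10.148.129.224"                  # web server IP from the article
ASSUMED_DOMAIN = ".csuk.eu.rsa.net"    # assumed original cookie_domain value

def is_ip(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def domain_match(host, domain):
    """RFC 6265 section 5.1.3: exact match, or a dot-separated suffix of a
    host NAME. An IP address never suffix-matches a cookie domain."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return host.endswith("." + domain) and not is_ip(host)

def store_cookie(request_host, name, domain_attr):
    """RFC 6265 section 5.3, Domain handling only (public-suffix checks are
    omitted). Returns the stored cookie, or None if the browser rejects it."""
    host = request_host.lower()
    if domain_attr.startswith("."):
        domain_attr = domain_attr[1:]          # section 5.2.3: drop one leading dot
    domain_attr = domain_attr.lower()
    if domain_attr:
        if not domain_match(host, domain_attr):
            return None                        # Set-Cookie is ignored entirely
        return {"name": name, "domain": domain_attr, "host_only": False}
    return {"name": name, "domain": host, "host_only": True}

def would_send(cookie, request_host):
    host = request_host.lower()
    if cookie["host_only"]:
        return host == cookie["domain"]        # only the exact origin host
    return domain_match(host, cookie["domain"])

def login_round_trip(url_host, cookie_domain):
    """True if the session cookie set after login comes back on the next request."""
    cookie = store_cookie(url_host, "CTSESSION", cookie_domain)
    return cookie is not None and would_send(cookie, url_host)

if __name__ == "__main__":
    for host, dom in [(FQDN, ASSUMED_DOMAIN), (IP, ASSUMED_DOMAIN), (IP, "")]:
        state = "cookie returned" if login_round_trip(host, dom) else "no cookie, login loops"
        print(f"URL host {host!r}, cookie_domain {dom!r}: {state}")
```

With the empty cookie domain the cookie is host-only, so the browser returns it only to 10.148.129.224 itself and not to other hosts in the DNS domain.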

Legacy Article ID: a38592
