000012391 - aservers occasionally are unable to decrypt tokens from other aservers.

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000012391
Applies To: Access Manager 6.0.4
Issue: aservers occasionally are unable to decrypt tokens from other aservers.
The IWA authentication method loops continually without sending the authenticated user to the protected page.

aserver logs show the following error message directly associated with each IWA authentication failure:

sequence_number=5943,remote_client=aserver1,2009-02-03 15:59:52:344 GMT+00:00,messageID=6,client_ip_address=192.168.0.1,client_port=38547,result_code=0,result_action=User Token Failed,result_reason=Token error

Cause: This problem may occur if one of the keyservers is unable to communicate all its keys to the other keyservers in the keyserver list. In this instance the customer's cleartrust.keyserver.local_id parameter referred incorrectly to a keyserver on a second physical machine that already had a keyserver.
Resolution

Check to ensure that there are no typos in the keyserver.conf files.  Specifically check to ensure that each keyserver has a unique name defined for

cleartrust.keyserver.local_id

and that the host name defined in the parameter refers to the physical machine where the keyserver resides.
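
The check above can be scripted once the keyserver.conf files have been collected from each machine. The following is an added example, not RSA code: it assumes key=value lines with '#' comments and that the host name is the part of the value before an optional ':port'; the host names and file contents are constructed.

```python
# Added example: audit cleartrust.keyserver.local_id across collected keyserver.conf files.
# Assumptions (not from the article): key=value syntax, '#' comments,
# and that the host name is the text before an optional ':port'.
from collections import defaultdict

KEY = "cleartrust.keyserver.local_id"

def read_local_id(conf_text):
    """Return the last uncommented value of KEY, or None if it is absent."""
    value = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, val = line.partition("=")
        if name.strip() == KEY:
            value = val.strip()
    return value

def audit(confs):
    """confs maps the machine a file was collected from -> file contents.
    Returns a sorted list of findings (an empty list means consistent)."""
    findings = []
    owners = defaultdict(list)
    for machine, text in confs.items():
        local_id = read_local_id(text)
        if not local_id:
            findings.append(f"{machine}: {KEY} is missing or empty")
            continue
        owners[local_id.lower()].append(machine)
        host = local_id.split(":", 1)[0].lower()
        # Compare short names so 'ks2' and 'ks2.example.test' match.
        if host.split(".")[0] != machine.lower().split(".")[0]:
            findings.append(f"{machine}: {KEY}={local_id} names a different host")
    for local_id, machines in owners.items():
        if len(machines) > 1:
            findings.append(f"duplicate {KEY}={local_id} on " + ", ".join(sorted(machines)))
    return sorted(findings)

# Constructed sample: ks2's file was copied from ks1 without updating local_id.
SAMPLE = {
    "ks1.example.test": "# keyserver 1\ncleartrust.keyserver.local_id=ks1.example.test\n",
    "ks2.example.test": "cleartrust.keyserver.local_id = ks1.example.test\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```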

Workaround: New installation and configuration problem is suspected.
Notes: The presence of Token errors in the log file does not necessarily indicate a problem. Only in new installations where a configuration error is suspected are Token errors usually significant.
Legacy Article ID: a44484
