000012272 - Intermittent failure of AA to post challenge questions.

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000012272
Applies To: RSA Access Manager 4.9 Agent for IIS 7.0
RSA Access Manager 6.1.3 (SP3)
Issue: Intermittent failure of AA to post challenge questions.
The ct_challenge.jsp page reads the HTTP_AAQUESTIONCOUNT server variable, but the variable has no value, so the challenge page redirects the user to the logon page.
The agent log file in debug mode reports an invalid challenge credential instead of the expected result "Challenge credential: QUESTION":

2013-03-09 09:10:56 -0600 - [2392740192] - <Debug> - Invalid challenge credential.

The agent displays the ct_logon.jsp page instead of the ct_challenge.jsp page.
The request header that IIS exposes as the HTTP_AAQUESTIONCOUNT server variable is missing from the request.

The aserver debug output reports SC_AA_RISK_SCORE=QUESTION, whereas the risk score should be the string representation of an integer. Note that in the same map SC_AA_REQD_CREDENTIAL is empty while SC_AA_STATE is AA_CHALLENGE:
207 aserverb: 2013/03/09 09:10:56:863 [*] [MuxWorker-11 (sirrus.authserver.TCPServerAPIAdaptor.getTokenValues)] - TCPServerAPIAdaptor.getTokenValues( AAAAAgABAKDlYtCCmUU0l25rWo3OnJDQM6dZAzJ819Rnz9O2kCapBAH3Am69xRA7ZKtb8wIM4iTo5Wcw+1fkz2d4OOoc/QcgX74TO+t1zzRngaOHU0g9OJCNGyUtwWqN3g4F+4QLalJRN4JFRUSayItX7SkbNL5LVUqYQKNebCNoRdHuotCKtJILz5sBJvql2CL8Xzz8yOF4lLrsOiJvUFo7T/QwL5fe, {CLIENT_IP=, CLIENT_PORT=58856, CLIENT_VERSION=11, tokens=true, groups=false, props=false} ) returning {SC_CUSTOM_DATA= , SC_IS_VALID=true, SC_AA_REQD_CREDENTIAL=, SC_USER_ID=user, SC_NT_PASSWORD=, SC_AA_PHONE_TOKEN=, SC_CLIENT_IP=, SC_SECURID_PROVIDED_PIN=, SC_NT_DOMAIN=, SC_CREATION_TIME=1362841855000, SC_SECURID_STATUS=0, SC_END_USER_IP=, SC_AA_SESSION_ID=-4b724558:13d4fafcb3a:-7ff1, SC_AA_STATE=AA_CHALLENGE, SC_TOUCH_TIME=1362841855000, SC_IMPERSONATED_ID=, SC_AUTH_STATE=, SC_BASIC=true, SC_AA_BIND_DEVICE=false, SC_AA_RISK_SCORE=QUESTION, SC_AA_TRANSACTION_ID=TRX_-4b724558:13d4fafcb3a:-7ff0}
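Example: a small triage script for the signature above (added here for this article; it is not RSA code). It parses the "getTokenValues(...) returning {...}" map that aserver writes in debug mode and flags any session whose AA fields are inconsistent: SC_AA_STATE is AA_CHALLENGE but SC_AA_REQD_CREDENTIAL is empty, or SC_AA_RISK_SCORE is not an integer. Field names are the ones that appear in the log excerpt; the sample log lines in the script are constructed, with the token argument abbreviated to <token>.

```python
"""Triage check for the aserver debug signature shown in this article.

Example code written for this page, not RSA's. It parses the
"getTokenValues(...) returning {...}" map that aserver writes in debug mode
and flags sessions whose AA fields are inconsistent. The sample log lines
below are constructed; the token argument is abbreviated to <token>.
"""
import re

# The map follows "returning {" and runs to the last "}" on the line.
RETURNING_RE = re.compile(r"returning \{(?P<body>.*)\}\s*$")


def parse_token_values(line):
    """Return the key/value map from a 'returning {...}' line, or None if absent."""
    match = RETURNING_RE.search(line)
    if match is None:
        return None
    values = {}
    # Entries are "KEY=VALUE" separated by ", "; values in this map contain no commas.
    for entry in match.group("body").split(", "):
        if "=" not in entry:
            continue
        key, _, value = entry.partition("=")
        values[key.strip()] = value.strip()
    return values


def check_aa_fields(values):
    """Return findings for one parsed map; an empty list means the AA fields are consistent."""
    findings = []
    state = values.get("SC_AA_STATE", "")
    credential = values.get("SC_AA_REQD_CREDENTIAL", "")
    risk_score = values.get("SC_AA_RISK_SCORE", "")
    if state == "AA_CHALLENGE" and credential == "":
        findings.append("SC_AA_STATE=AA_CHALLENGE but SC_AA_REQD_CREDENTIAL is empty")
    # An evaluated risk score is the string form of an integer; anything else is suspect.
    if risk_score and not risk_score.lstrip("-").isdigit():
        findings.append("SC_AA_RISK_SCORE is not an integer: %r" % risk_score)
    return findings


def triage(log_lines):
    """Map SC_AA_SESSION_ID -> findings for every flagged token map in the log."""
    flagged = {}
    for line in log_lines:
        values = parse_token_values(line)
        if values is None:
            continue
        findings = check_aa_fields(values)
        if findings:
            flagged[values.get("SC_AA_SESSION_ID", "?")] = findings
    return flagged


# Constructed sample: one map with the signature from this article, one healthy map,
# and an unrelated agent line that the parser must skip.
SAMPLE_LOG = [
    "2013-03-09 09:10:56 -0600 - [2392740192] - <Debug> - Invalid challenge credential.",
    "207 aserverb: 2013/03/09 09:10:56:863 [*] [MuxWorker-11 (sirrus.authserver."
    "TCPServerAPIAdaptor.getTokenValues)] - TCPServerAPIAdaptor.getTokenValues( <token>, "
    "{CLIENT_IP=, CLIENT_PORT=58856, CLIENT_VERSION=11, tokens=true, groups=false, props=false} ) "
    "returning {SC_CUSTOM_DATA= , SC_IS_VALID=true, SC_AA_REQD_CREDENTIAL=, SC_USER_ID=user, "
    "SC_AA_SESSION_ID=-4b724558:13d4fafcb3a:-7ff1, SC_AA_STATE=AA_CHALLENGE, "
    "SC_AA_RISK_SCORE=QUESTION, SC_AA_TRANSACTION_ID=TRX_-4b724558:13d4fafcb3a:-7ff0}",
    "208 aserverb: 2013/03/09 09:11:02:101 [*] [MuxWorker-12 (sirrus.authserver."
    "TCPServerAPIAdaptor.getTokenValues)] - TCPServerAPIAdaptor.getTokenValues( <token>, "
    "{CLIENT_IP=, CLIENT_PORT=58857, CLIENT_VERSION=11, tokens=true, groups=false, props=false} ) "
    "returning {SC_IS_VALID=true, SC_AA_REQD_CREDENTIAL=QUESTION, SC_USER_ID=user, "
    "SC_AA_SESSION_ID=-4b724558:13d4fafcb3a:-7fe0, SC_AA_STATE=AA_CHALLENGE, "
    "SC_AA_RISK_SCORE=75}",
]

if __name__ == "__main__":
    for session, findings in triage(SAMPLE_LOG).items():
        print(session)
        for finding in findings:
            print("  -", finding)
```

Run it over a full aserver debug log (one line per list entry) to list the affected AA session IDs; a session that is flagged on one aserver but not on another is the pattern the Cause section describes.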
Cause: This problem occurs intermittently, and more frequently when there are multiple aservers. The RSA Access Manager servers themselves are stateless; to allow load balancing across multiple servers, state information about the user is carried in a token that is encrypted in the CTSESSION cookie. The token contains the AA status variables that determine whether the user needs to be challenged and how. There are two independent program flows for retrieving token information, depending on whether the token is already in the aserver's cache. If it is, the AA state is taken from the cached copy of the token and there is no issue. If it is not (for example when the request is load balanced to an aserver other than the one that handled the previous request), the token must be decrypted and its contents parsed. An error in the way the AA variables are stored in the token prevents the question count from being retrieved correctly on this path, so the challenge page receives an empty HTTP_AAQUESTIONCOUNT.
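Example: a model of the two retrieval paths described above (added here for this article; it is not RSA's implementation). On a cache hit the aserver returns the field map it already holds; on a cache miss it must decrypt and re-parse the token. To show how the two paths can diverge, the miss path in this model reads the serialised fields with a field order that is out of step with the writer, so the later fields shift by one slot and the credential name lands in SC_AA_RISK_SCORE. That mechanism is an assumption chosen because it reproduces the symptom in the log above, not the published defect; the token encryption step is omitted and SC_AA_QUESTION_COUNT is an assumed field name. The differential check at the end is the test a practitioner would want: both paths must agree on every field for every token.

```python
"""Model of the cache-hit and cache-miss token paths from the Cause section.

Example code written for this page, not RSA's implementation. The field orders,
the missing encryption step and the SC_AA_QUESTION_COUNT name are assumptions.
"""

# Field order the writer uses when it serialises AA state into the token (assumed).
WRITER_FIELDS = [
    "SC_AA_STATE", "SC_AA_PHONE_TOKEN", "SC_AA_REQD_CREDENTIAL",
    "SC_AA_RISK_SCORE", "SC_AA_QUESTION_COUNT",
]
# Field order the cache-miss parser expects (assumed): SC_AA_PHONE_TOKEN is listed
# last instead of second, so every field after SC_AA_STATE is read one slot early.
STALE_READER_FIELDS = [
    "SC_AA_STATE", "SC_AA_REQD_CREDENTIAL", "SC_AA_RISK_SCORE",
    "SC_AA_QUESTION_COUNT", "SC_AA_PHONE_TOKEN",
]


def encode_token(state):
    """Serialise the AA fields in writer order (the real token is also encrypted)."""
    return "|".join(state[field] for field in WRITER_FIELDS)


def parse_token(token, field_order):
    """Cache-miss path: split the token and label the slots using field_order."""
    return dict(zip(field_order, token.split("|")))


def get_token_values(token, cache, reader_fields=STALE_READER_FIELDS):
    """Return the AA field map for a token: the cached copy if present, else a fresh parse."""
    if token in cache:
        return dict(cache[token])   # cache hit: values exactly as the writer stored them
    values = parse_token(token, reader_fields)
    cache[token] = values           # the mis-parsed map is now cached on this aserver
    return values


def differential_check(state, reader_fields=STALE_READER_FIELDS):
    """Names of fields on which the cache-hit and cache-miss paths disagree for one token.

    The two code paths must agree on every field for every token, so an empty
    list is the only acceptable result.
    """
    token = encode_token(state)
    creating_server_cache = {token: state}   # the aserver that issued the token
    other_server_cache = {}                  # a peer that has never seen it
    hit = get_token_values(token, creating_server_cache, reader_fields)
    miss = get_token_values(token, other_server_cache, reader_fields)
    return sorted(field for field in WRITER_FIELDS if hit.get(field) != miss.get(field))


# Constructed session state for a user who must answer 3 challenge questions.
SAMPLE_STATE = {
    "SC_AA_STATE": "AA_CHALLENGE",
    "SC_AA_PHONE_TOKEN": "",
    "SC_AA_REQD_CREDENTIAL": "QUESTION",
    "SC_AA_RISK_SCORE": "75",
    "SC_AA_QUESTION_COUNT": "3",
}

if __name__ == "__main__":
    token = encode_token(SAMPLE_STATE)
    print("cache miss, stale reader:", parse_token(token, STALE_READER_FIELDS))
    print("fields that differ:", differential_check(SAMPLE_STATE))
    print("fields that differ with the writer's order:",
          differential_check(SAMPLE_STATE, WRITER_FIELDS))
```

With the stale reader the miss path yields SC_AA_REQD_CREDENTIAL empty and SC_AA_RISK_SCORE=QUESTION, the same shape as the aserver output above, and the question count is no longer where the agent looks for it; the mis-parsed map is then cached, so the affected aserver keeps serving it for that session. With the writer's own order the differential check returns an empty list.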
Resolution: This issue is resolved by a hotfix for RSA Access Manager 6.1.3 (SP3) and is not present in RSA Access Manager 6.1.4 (SP4). Contact RSA Customer Support and request this hotfix or the latest cumulative hotfix for your platform, or upgrade to SP4.
Also see a61890, "RSA Access Manager CERTIFICATE authentication does not work after idle timeout."
Workaround: Upgraded to SP3
Legacy Article ID: a60912