000021468 - 401 Web server message when attempting password replay (Windows domain SSO) in RSA ClearTrust

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000021468
Applies To: RSA ClearTrust Agent 4.5 for Microsoft IIS
RSA ClearTrust 5.5.2
Microsoft Windows Server 2003
Microsoft Active Directory
Password Replay
Single Sign-On (SSO) into a Windows domain
Issue: 401 Web server message when attempting password replay (Windows domain SSO) in RSA ClearTrust
When a user authenticates to a password replay site, they are able to log on, but are then presented with a Windows authentication prompt in response to the server's 401 message. The logon dialog box is presented 3 times, and then the user is taken back to the logon page. If the user tries to access another page that does not require password replay, they are able to get in.
The webagent.log file shows the following error:

Sep 24, 2004 6:10:15 PM CDT - [3356] - <Debug> - exception_type=SERVER_ERROR, msg=(sirrus.util.io.rpc.NoSuchMappingException: No mapping for node id getUserMapping
Cause: Password replay relies on the capabilities of the ClearTrust authentication server for UPN mapping. Even if the Agent version supports password replay, you must ensure the back end server version also supports this functionality.
Resolution: To correct this issue, ensure the ldap.conf file has the correct information for UPN mapping in the cleartrust.data.ldap.user.attributemap.windowsupn parameter. Also ensure that the ClearTrust server has hot fix 5.5.2 or later applied.
Legacy Article ID: a23202
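
The check described under Resolution can be scripted. The following is an added example, not RSA code: it looks for the getUserMapping error in webagent.log text and reports whether the UPN mapping parameter is actually set in ldap.conf text. It assumes ldap.conf uses a Java-properties style layout (key, then `:`, `=` or whitespace, then value, with `#` or `!` comments); the function names and the sample attribute value are hypothetical.

```python
import re

UPN_KEY = "cleartrust.data.ldap.user.attributemap.windowsupn"
ERROR_MARKER = "NoSuchMappingException: No mapping for node id getUserMapping"

# Log line as quoted in the article.
SAMPLE_LOG = (
    "Sep 24, 2004 6:10:15 PM CDT - [3356] - <Debug> - exception_type=SERVER_ERROR, "
    "msg=(sirrus.util.io.rpc.NoSuchMappingException: No mapping for node id getUserMapping\n"
)
# Constructed ldap.conf fragments; the attribute value is a sample, not from the article.
CONF_COMMENTED = "# " + UPN_KEY + " :userPrincipalName\n"
CONF_SET = UPN_KEY + " :userPrincipalName\n"

def find_mapping_errors(log_text):
    """Return the webagent.log lines that carry the getUserMapping error."""
    return [ln for ln in log_text.splitlines() if ERROR_MARKER in ln]

def read_upn_mapping(conf_text):
    """Return the value set for UPN_KEY, or None if absent, commented out or empty."""
    value = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        m = re.match(r"([^\s=:]+)\s*[=:\s]\s*(.*)$", line)
        if m and m.group(1) == UPN_KEY:
            value = m.group(2).strip() or None   # last definition wins
    return value

def diagnose(log_text, conf_text):
    """Combine both checks into one finding for the administrator."""
    if not find_mapping_errors(log_text):
        return "no getUserMapping error in log"
    upn = read_upn_mapping(conf_text)
    if upn is None:
        return "error logged; set %s in ldap.conf" % UPN_KEY
    return "error logged; mapping set to %r, check server hot fix level" % upn

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, CONF_COMMENTED))
    print(diagnose(SAMPLE_LOG, CONF_SET))
```
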