000016550 - Access Manager CERTIFICATE authentication fails to re-authenticate after token decryption failed message

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000016550
Applies To: RSA Access Manager 4.9 Agents (all service packs)
RSA Access Manager 5.0 Agents
Issue: Access Manager CERTIFICATE authentication fails to re-authenticate after token decryption failed message
When the user requests a protected page after a prolonged period of idle time, they are redirected to the ct_access_denied_en.html page.
The Agent log shows the following error at <Critical> level (or lower):
2013-08-27 10:04:07 -0700 - [1560] - <Critical> - Critical error: CT_AUTH_UNKNOWN_ERROR

The agent log shows the following additional error at <Debug> log level:
2013-08-27 10:04:07 -0700 - [1560] - <Info> - Result map: EXCEPTION_MESSAGE\nToken decryption failed
or
2013-08-21 15:38:01 -0700 - [1560] - <Info> - Result map: EXCEPTION_MESSAGE\nException during cookie processing. Found the token in bad token cache.

The aserver.out file with DDEBUG enabled shows the following event:
09:40:47:756 [*] [MuxWorker-18] - AuthorizationAPI.authenticate( {SC_CLIENT_IP=192.168.206.128, SC_GET_TOKEN_CONTENTS=true, SC_CERT=true, SC_SECURID_STATUS=127, SC_USER_DN=C=US,S=MA,L=Boston,O=RSA,OU=Support,CN=user1,E=user1@supportlab7.com, SC_END_USER_IP=192.168.206.128, AUTHENTICATION_TYPE=SC_USER_CHECK, SC_TOKEN=AAAAAgABAEAWsyXK+xno19AfdVGmqPdlxuk1AtugciRuMFrFMt5uCk5cMEJ2AQwgDhUF0JfCMgbsgqthUMKH2RTBYXztaQCX}, {CLIENT_IP=192.168.206.128, GUID=1377621647798, BROWSER_IP=192.168.206.128, CLIENT_PORT=49404, CLIENT_VERSION=11, SC_GET_TOKEN_CONTENTS=true, USER_GROUPS_ENABLED=false, TOKENS_ENABLED=true, USER_PROPERTIES_ENABLED=false} ) returning {EXCEPTION_MESSAGE=Token decryption failed}

The aserver.log (or lserver.log) shows the following log message:
sequence_number=11,2013-08-29 07:36:57:92 PDT,messageID=1031,client_ip_address=192.168.206.135,client_port=3872,result_code=0,result_action=User Token Failed,result_reason=Token error

This event is not an error in itself, but the absence of a subsequent authentication event message such as the one below indicates a failure to re-authenticate after the token error event.

sequence_number=13,2013-08-29 07:36:57:248 PDT,messageID=2010,user=user1,user_dn=C=US,S=MA,L=Boston,O=RSA,OU=Support,CN=user1,E=user1@supportlab7.com,client_ip_address=192.168.206.135,client_port=3872,browser_ip_address=192.168.206.128,result_code=0,result_action=Authentication Success,result_reason=Valid User
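The two log patterns quoted above can be checked mechanically: the agent's Critical CT_AUTH_UNKNOWN_ERROR paired with a token-error Result map, and a User Token Failed event (messageID 1031) in aserver.log that is not followed by an Authentication Success (messageID 2010) for the same agent connection. The Python script below is an added example written for this article; it is not part of the RSA article or of the Access Manager product. The sample log lines are constructed to match the formats quoted above, and the correlation assumes that a token error and its re-authentication share the same client_ip_address and client_port, as the quoted sequence 11/13 pair does.

```python
import re

# Constructed sample lines in the agent log format quoted in the article.
# The "\n" inside the Result map line is literal text, as in the article.
SAMPLE_AGENT_LOG = r"""
2013-08-27 10:04:07 -0700 - [1560] - <Info> - Result map: EXCEPTION_MESSAGE\nToken decryption failed
2013-08-27 10:04:07 -0700 - [1560] - <Critical> - Critical error: CT_AUTH_UNKNOWN_ERROR
2013-08-27 10:04:08 -0700 - [1560] - <Debug> - Unrelated debug entry (constructed)
""".strip()

# Constructed sample aserver.log lines. Sequence 11 (port 3872) is followed by
# a success on the same connection; sequence 12 (port 3873) is not.
SAMPLE_ASERVER_LOG = """
sequence_number=11,2013-08-29 07:36:57:92 PDT,messageID=1031,client_ip_address=192.168.206.135,client_port=3872,result_code=0,result_action=User Token Failed,result_reason=Token error
sequence_number=12,2013-08-29 07:36:57:150 PDT,messageID=1031,client_ip_address=192.168.206.135,client_port=3873,result_code=0,result_action=User Token Failed,result_reason=Token error
sequence_number=13,2013-08-29 07:36:57:248 PDT,messageID=2010,user=user1,user_dn=C=US,S=MA,L=Boston,O=RSA,OU=Support,CN=user1,E=user1@supportlab7.com,client_ip_address=192.168.206.135,client_port=3872,browser_ip_address=192.168.206.128,result_code=0,result_action=Authentication Success,result_reason=Valid User
""".strip()

AGENT_LINE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) - \[(?P<pid>\d+)\] - <(?P<level>\w+)> - (?P<msg>.*)$")
TOKEN_ERROR_TEXTS = ("Token decryption failed", "Found the token in bad token cache")

# Field names seen in the aserver.log lines quoted in the article. Anything
# else of the form X=Y (such as the RDNs inside user_dn) is a value fragment.
KNOWN_KEYS = {"sequence_number", "messageID", "user", "user_dn", "client_ip_address",
              "client_port", "browser_ip_address", "result_code", "result_action",
              "result_reason"}


def parse_event(line):
    """Parse one aserver.log line into a dict. The second field is a bare
    timestamp; user_dn contains commas, so fragments are re-joined."""
    parts = line.strip().split(",")
    key, _, value = parts[0].partition("=")
    event = {key: value, "timestamp": parts[1]}
    current = None
    for part in parts[2:]:
        key, sep, value = part.partition("=")
        if sep and key in KNOWN_KEYS:
            event[key] = value
            current = key
        elif current is not None:
            event[current] += "," + part   # continuation of a comma-bearing value
    return event


def find_unrecovered_token_errors(lines):
    """Return the messageID 1031 (User Token Failed) events that are never
    followed by a messageID 2010 Authentication Success on the same
    client_ip_address:client_port, ordered by sequence_number."""
    pending, unrecovered = {}, []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        conn = (ev.get("client_ip_address"), ev.get("client_port"))
        if ev.get("messageID") == "1031":
            if conn in pending:            # a second failure with no success between
                unrecovered.append(pending[conn])
            pending[conn] = ev
        elif ev.get("messageID") == "2010" and ev.get("result_action") == "Authentication Success":
            pending.pop(conn, None)        # the expected re-authentication happened
    unrecovered.extend(pending.values())
    return sorted(unrecovered, key=lambda e: int(e["sequence_number"]))


def agent_log_symptom(lines, window=3):
    """Return (critical_index, result_map_index) pairs for each Critical
    CT_AUTH_UNKNOWN_ERROR line that has a token-error Result map within
    `window` lines before or after it (the Debug-level line may be logged
    on either side of the Critical one)."""
    parsed = [AGENT_LINE.match(l) for l in lines]
    hits = []
    for i, m in enumerate(parsed):
        if not m or m.group("level") != "Critical" or "CT_AUTH_UNKNOWN_ERROR" not in m.group("msg"):
            continue
        for j in range(max(0, i - window), min(len(lines), i + window + 1)):
            mj = parsed[j]
            if mj and "Result map" in mj.group("msg") and any(t in mj.group("msg") for t in TOKEN_ERROR_TEXTS):
                hits.append((i, j))
                break
    return hits


if __name__ == "__main__":
    for i, j in agent_log_symptom(SAMPLE_AGENT_LOG.splitlines()):
        print(f"agent log: CT_AUTH_UNKNOWN_ERROR at line {i + 1} paired with token error at line {j + 1}")
    for ev in find_unrecovered_token_errors(SAMPLE_ASERVER_LOG.splitlines()):
        print(f"aserver.log: sequence {ev['sequence_number']} token error on "
              f"{ev['client_ip_address']}:{ev['client_port']} has no Authentication Success")
```

Run against a real aserver.log, the script lists token-error events whose re-authentication never arrived, which is exactly the gap the article describes; a token error that is followed by sequence 2010 on the same connection is the normal idle-timeout path and is not reported.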
Cause: When a user presents a token that is older than the key lifetime, it generates a token decryption failure. This indicates that the user's session has timed out and they should be re-authenticated. For CERTIFICATE-based authentication this re-authentication should occur without intervention. In the 4.9 and later agents the token is presented to the aserver for verification twice: once during the request phase and again when the user DN is being validated. If a token decryption error occurs during the DN validation, the agent incorrectly interprets this as an error and sends the user to the ct_access_denied_en.html page defined for login_cert_invalid_user instead of simply re-authenticating the user.
Resolution: This issue has been resolved in hotfix 4.9.1.20 for the RSA Access Manager 4.9.1 Agent for Apache 2.2 on Linux. Contact RSA Customer Support and request this hotfix or the latest hotfix for your version and platform.
This issue has been resolved in hotfix 5.0.0.4 for the RSA Access Manager 5.0 Agent for IIS 7.x on Windows. Contact RSA Customer Support and request this hotfix or the latest hotfix for your version and platform.
This issue has been resolved in hotfix 4.9.1.21 for the RSA Access Manager 4.9.1 Agent for IIS 7.x on Windows. Contact RSA Customer Support and request this hotfix or the latest hotfix for your version and platform.
Notes: Also see "RSA Access Manager CERTIFICATE authentication does not work after idle timeout" and "AxM CERTIFICATE authentication fails to re-authenticate after token decryption failed" for an RSA Access Manager server issue that affects certificate authentication.
Legacy Article ID: a62376
