000011941 - Access Manager CERTIFICATE authentication does not work with Protocol Transition.

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number
000011941

Applies To
RSA Access Manager 4.9.3 Agent for IIS 7.x
Protocol Transition

Issue
Access Manager CERTIFICATE authentication does not work with Protocol Transition.
Error message in browser:
401.3 Unauthorized

Error message in the agent log at debug level:
2013-07-03 12:17:06 -0500 - [736] - <Security> - Session has idled out
...
2013-07-03 12:17:06 -0500 - [2996] - <Debug> - Response: 401

Cause
When the RSA Access Manager agent is configured for Protocol Transition and the authentication type is CERTIFICATE, the agent returns a 401 error the first time protected content is accessed. If the page is refreshed, the agent displays the page, but a 401 is displayed again when the idle timeout occurs. This is because certificate authentication occurs in the wrong place in the authentication order.

Resolution
Set cleartrust.agent.iis.preproc_auth_enabled=TRUE.
This changes the authentication event from the IIS OnPostAuthenticateRequest event to the BEGIN_REQUEST notification event.

Legacy Article ID
a61878
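
To check whether the 401 responses in an agent debug log match the symptom described in this article, the following added example (not RSA code) pairs each "Session has idled out" entry with a "Response: 401" logged shortly after it. The line layout is inferred from the two log lines quoted above, and `window_seconds` is a hypothetical tolerance, not an agent setting.

```python
import re
from datetime import datetime, timedelta

# Line layout inferred from the two agent log lines quoted in this article:
#   2013-07-03 12:17:06 -0500 - [736] - <Security> - Session has idled out
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) - "
    r"\[(?P<tid>\d+)\] - <(?P<level>\w+)> - (?P<msg>.*)$"
)

def parse_line(line):
    """Return (timestamp, thread_id, level, message), or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S %z")
    return ts, int(m["tid"]), m["level"], m["msg"]

def find_idle_401(lines, window_seconds=2):
    """Pair each idle-out entry with the next 401 logged within window_seconds.
    Thread IDs are not compared: the quoted lines come from different threads."""
    window = timedelta(seconds=window_seconds)
    pending = []  # idle-out timestamps still waiting for a 401
    hits = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, _tid, level, msg = rec
        pending = [t for t in pending if ts - t <= window]  # drop stale entries
        if level == "Security" and msg == "Session has idled out":
            pending.append(ts)
        elif level == "Debug" and msg == "Response: 401" and pending:
            hits.append((pending.pop(0), ts))
    return hits

# Constructed sample: the first three lines are the excerpt quoted in the article,
# the last two are made up for illustration.
SAMPLE = """\
2013-07-03 12:17:06 -0500 - [736] - <Security> - Session has idled out
...
2013-07-03 12:17:06 -0500 - [2996] - <Debug> - Response: 401
2013-07-03 12:17:09 -0500 - [2996] - <Debug> - Response: 200
2013-07-03 12:40:00 -0500 - [812] - <Debug> - Response: 401
""".splitlines()

if __name__ == "__main__":
    for idle_ts, resp_ts in find_idle_401(SAMPLE):
        print(f"idle-out {idle_ts.isoformat()} -> 401 {resp_ts.isoformat()}")
```

A 401 with no preceding idle-out entry, such as the last sample line, is not reported, which separates this symptom from ordinary authorization failures.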
