000011941 - RSA Access Manager CERTIFICATE authentication does not work with Protocol Transition

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Mar 17, 2018.
Version 3

Article Content

Article Number: 000011941
Applies To: RSA Product Set: Enterprise Data Protection
RSA Product/Service Type: Access Manager Agent
RSA Version/Condition: 4.9.3
Platform: IIS 7
Issue: RSA Access Manager CERTIFICATE authentication does not work with Protocol Transition.

The following error is seen in the browser:

401.3 Unauthorized

The error message in the agent log at debug level shows:

2013-07-03 12:17:06 -0500 - [736] - <Security> - Session has idled out.
2013-07-03 12:17:06 -0500 - [2996] - <Debug> - Response: 401


Cause: When the RSA Access Manager agent is configured for Protocol Transition and the authentication type is CERTIFICATE, the agent throws a 401 error when protected content is accessed for the first time. If the page is refreshed, the agent displays the page, but a 401 is displayed again when the idle timeout occurs. This is because certificate authentication occurs in the wrong place in the authentication order.
Resolution: Set cleartrust.agent.iis.preproc_auth_enabled=TRUE. This changes the authentication event from the IIS OnPostAuthenticateRequest event to the BEGIN_REQUEST notification event.
Legacy Article ID: a61878