000019979 - ACE/Agent stops authenticating after first successful attempt in cross realm situation

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000019979
Applies To: RSA ACE/Server 5.0.x (no longer supported as of 8-15-2004)
RSA ACE/Server 4.x (no longer supported as of 2-1-2004)
RSA ACE/Server 3.3.x (no longer supported as of 3-30-2002)
RSA ACE/Agent 5.x
Issue: ACE/Agent stops authenticating after first successful attempt in cross realm situation
Cause: When a legacy ACE/Server (v3 or v4) attempts a cross realm authentication to an ACE/Server 5.0.x server, the response packet from the v5 server has a byte set incorrectly that signals a switch to v5 communication. The legacy ACE/Server passes this byte through unchanged to the ACE/Agent, which then switches to v5 communication. Subsequent authentication attempts via the legacy ACE/Server realm will fail, as the Agent is using the v5 protocol. This would happen for any successful cross realm authentication with 5.0 or 5.0.1, but it would only happen in version 5.0.2 if the successful authentication took place with the token in Next Tokencode mode.
Resolution: RSA Security has identified this as a problem in the ACE/Server v5 cross realm response. Cross realm responses should maintain protocol versions in order to be backwards compatible while allowing for a flexible upgrade policy. Please download and install ACE/Server patch 3 from RSA SecurCare Online. The fix is contained as part of the patch.

NOTE: Once the fix has been applied, you must remove the file 'sdstatus.12' on the ACE/Agent for changes to take effect. This file is created by the ACE/Agent software when the agent has upgraded itself to v5 communication. Removing sdstatus.12 makes the ACE/Agent re-read the sdconf.rec and settle on v2 communication.
Workaround: Upgrade the agent to ACE/Agent 5
Upgrade the cross realmed ACE/Server to version 5.0.x
Legacy Article ID: a13644