000021853 - Does RSA Security support coexistence of RSA ClearTrust Agent 4.6 and other ISAPI filters on the same IIS machine?

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000021853
Applies To: Microsoft Internet Information Server (IIS) 5.0
Microsoft Internet Information Services (IIS) 6.0 on Microsoft Windows Server 2003
Microsoft Windows 2000 SP4
Microsoft Windows Server 2003
RSA ClearTrust Agent 4.6 for Microsoft IIS

Documentum eRoom 7.x
Issue: Does RSA Security support coexistence of RSA ClearTrust Agent 4.6 and other ISAPI filters on the same IIS machine?
Cause: RSA ClearTrust Agent uses the REMOTE_USER HTTP header variable to retrieve the user's user principal name (UPN) for integrated Windows authentication (IWA). Because other ISAPI filters may reset some server variables, including REMOTE_USER, there is a potential single sign-on (SSO) issue: even after the user has already authenticated to the RSA ClearTrust Agent and has a valid cookie, the user may be challenged again when accessing the protected eRoom resource.

eRoom uses an ISAPI filter, and RSA ClearTrust Agent 4.6 coexists with it when the integration is completed as detailed in the guide located at http://rsasecurity.agora.com/rsasecured/results.asp?product_program=110&page=1. The current integration of eRoom with the RSA ClearTrust Agent disables IWA. eRoom completes its authentication in the SF_NOTIFY_PREPROC_HEADERS event. To configure the eRoom agent to stand down until the RSA ClearTrust Agent completes its authentication, set cleartrust.agent.iis.preproc_auth_enabled=True in webagent.conf. With this setting, the RSA ClearTrust Agent performs its authentication in the SF_NOTIFY_PREPROC_HEADERS event.

In IWA, the RSA ClearTrust Agent has to let Windows complete the authentication first and use the Windows logon credentials for further RSA ClearTrust authentication. To meet this sequence of events, the RSA ClearTrust Agent handles authentication in the SF_NOTIFY_AUTH_COMPLETE event.
Resolution: This issue has been resolved in hot fix 4.6.0.7 for RSA ClearTrust Agent 4.6 for IIS 5.0. Contact RSA Security Customer Support to obtain hot fix 4.6.0.7, or request the latest fix level (which is cumulative, and contains fixes from previous fix levels).

NOTE: An eRoom protected resource, R, is also protected by the ClearTrust Agent and requires IWA. To configure IWA for the ClearTrust Agent, set cleartrust.agent.iis.preproc_auth_enabled=False in the webagent.conf. Start the IIS Web Server and access the protected resource, R. The eRoom ISAPI filter will activate first regardless of the filter priority order. At this point, neither Windows nor the ClearTrust Agent has had a chance to start its authentication. Without Windows logon credentials or the ClearTrust authentication cookie, eRoom will fail the IWA authentication.
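
The event ordering described in this article, as a simplified model added here for illustration (not RSA, eRoom or IIS code). Each filter is reduced to a flag, and a missing `preproc_auth_enabled` key is assumed to mean False, since the article gives no default.

```python
# Added illustration: a simplified model of the ordering described above,
# not RSA, eRoom or IIS code. Filter behaviour is reduced to two flags.

# IIS raises the pre-processing event before the authentication-complete event.
EVENT_ORDER = ("SF_NOTIFY_PREPROC_HEADERS", "SF_NOTIFY_AUTH_COMPLETE")
KEY = "cleartrust.agent.iis.preproc_auth_enabled"


def parse_conf(text):
    """Parse key=value lines (the form the article shows for webagent.conf)."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def cleartrust_event(conf):
    """Event in which the ClearTrust Agent authenticates for this setting.
    Assumption: a missing key is treated as False; the article gives no default."""
    enabled = conf.get(KEY, "False").lower() == "true"
    return EVENT_ORDER[0] if enabled else EVENT_ORDER[1]


def simulate(conf_text):
    """Return (trace, eroom_ok) for one request to a resource behind both filters."""
    ct_event = cleartrust_event(parse_conf(conf_text))
    iwa = ct_event == "SF_NOTIFY_AUTH_COMPLETE"  # IWA is only used in this mode
    windows_logon = cleartrust_session = False
    eroom_ok = None
    trace = []
    for event in EVENT_ORDER:
        if event == "SF_NOTIFY_AUTH_COMPLETE" and iwa:
            windows_logon = True  # Windows completes its logon before this event
            trace.append((event, "Windows: logon complete"))
        if event == ct_event and (windows_logon or not iwa):
            cleartrust_session = True
            trace.append((event, "ClearTrust: authenticated"))
        if event == "SF_NOTIFY_PREPROC_HEADERS":
            # eRoom authenticates here and relies on what earlier steps produced.
            eroom_ok = cleartrust_session or windows_logon
            trace.append((event, "eRoom: " + ("ok" if eroom_ok else "failed, no credentials")))
    return trace, eroom_ok


if __name__ == "__main__":
    for value in ("True", "False"):
        print(value, simulate(f"{KEY}={value}"))
```

With `True` the trace shows ClearTrust and then eRoom both succeeding in the pre-processing event; with `False` eRoom has already failed by the time Windows and ClearTrust authenticate in `SF_NOTIFY_AUTH_COMPLETE`.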
Legacy Article ID: a25351