000021602 - RSA ACE/Agent 5.6 for Windows blue screens when using terminal server or domain trusts

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000021602
Applies ToRSA ACE/Agent 5.6 for Windows
Microsoft Windows XP
Microsoft Windows 2000 SP4
Microsoft Windows Server 2003
Terminal Server
Citrix MetaFrame XP Presentation Server Feature Release 3 SP4
Domain Trusts
IssueRSA ACE/Agent 5.6 for Windows blue screens when using terminal server or domain trusts
Login through terminal services locks up or blue screens
Local login locks up or blue screens

Blue Screen error message:

STOP: c000021a {Fatal System Error}
The Windows Logon Process terminated unexpectedly
with a status of 0xc0000005 (0x00000000 0x00000000).

The system has been shut down.

If ACE/Agent debugging is enabled then for terminal services connection the last line in the debug log says:

File:sdsid.c Line:418 # Entering GetDCMachine()


An issue was discovered in the logic used to determine the domain membership of the client machine. The data returned was invalid, and caused the client to crash.

If the ACE/Agent is configured to check for group membership of a user the SAM database on a standalone server or from the local domain then the fault does not occur;  if the group selected for lookup is a group which is in a remote domain then the problem occurs.

ResolutionTo correct this issue, contact RSA Security Customer Support and request the hot fix for defect tst42204.
The blue screen of death problem was logic error - sometimes logic did not call NetGetAnyDCName() so pointer that would have been returned from NetGetAnyDCName() was null but the logic would try to use that pointer with out checking for null pointer.
Changes from v60 version were selectively used in this fix, from the following defects:
tst00041156 Cross Domain Authentication not working without Windows Trust use of NetGetAnyDCName() replaced with use of DsGetDcName()
tst00040761(Beta) Using "Users in" to determine who gets challenged does not work properly.  use VerifyVersionInfo to see if the local machine is a DC.
Legacy Article IDa23786