000023309 - Error 401: You are not authorized to perform this operation

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000023309
Applies ToDomino 6.5.x
Domino 6.5.2
6.5.2
ClearTrust Web Agent Domino 6.5.x V 4.6 Agent
Microsoft Windows 2003 Server
IssueError 401: You are not authorized to perform this operation
SSO fails
Cause

A Domino 6.5.2 system has been installed with the ClearTrust agent and SSO using mapped User Principal Names has been configured however after the initial ClearTrust authentication a subsequent HTTP pop-up authentication box still appears asking for Domino credentials.

The problem is caused by a known bug in the initial release Domino 6.5.2 system and was quickly fixed by IBM (for further information see the IBM Technote (FQA) ref 1177645 at http://www-1.ibm.com/support/docview.wss?uid=swg21177645 with the title "After upgrading to Domino 6.5.2, authentication via DSAPI filter returns wrong user name".

Resolution

The RSA ClearTrust Domino agent has been fully qualified against 6.5.1 and it is known that this version does not exhibit the issue.  It is also possible to upgrade to later versions of 6.5.x however these later versions will not have been qualified for use with the ClearTrust Domino 4.6 agent and support can only be supplied on a "best endeavours" basis where changes between the later version and 6.5.1 cause an interworking issue.

The IBM technote advises installation of either 6.5.3 or Domino 6.5.2 Fix Pack 1 (FP1) however it also gives an alternative approach to resolve the issue without any additional software.  This alternative approach is to reconfigure settings in the Domino server by changing the "Internet Authentication" field on the Security tab of the Server document to "More name variations with lower security",. for more specific detail on what this implies contact IBM Customer Support.  Remember when considering setting this field that an enhanced level of security has now been applied to the Domino server by using the ClearTrust Domino agent.

For full details for installation of the ClearTrust Domino agent and configuring user mapping see the following manuals:

RSA ClearTrust 5.5.3 Servers Installation and Configuration Guide

https://knowledge.rsasecurity.com/docs/rsa_cleartrust/553/install_config.pdf

 

RSA ClearTrust Agent 4.6 Installation and Configuration Guide

https://knowledge.rsasecurity.com/docs/rsa_cleartrust/agent/46/docs/WebServersInstallConfig.htm

Additional guidance on using the RSA ClearTrust Domino agent may be found here:

      How to set upUser Principal Name (UPN) mapping in RSA ClearTrustAgent 4.6 for Lotus Domino R5    How to set upUser Principal Name (UPN) mapping in RSA ClearTrustAgent 4.6 for Lotus Domino R5    
      a25608    How to view RSA ClearTrust headers in Lotus Domino R5 
      a21982    Error: "Notes Initialization Failed" in RSA ClearTrust Agent 4.6 for Lotus Domino R5
      a26664    Error: "Failed to load DSAPI module /opt/ctrust/agent-domino65-46/lib/libct_domino65_agent.a"
      a28428    RSA ClearTrust users keep looping to logon page 

 

Notes

Although the ClearTrust agent was originally qualified only on 6.5.1 Rooben Garakanian (then CE manager) accepted that versions such as 6.5.4 were valid versions to submit defects to engineering since engineering could only obtain copies of 6.5.4 to qualify patches on anyway and that copies of 6.5.1 were not currently available.

This does not change the fact that QA of the product has only been carried out on 6.5.1 and that subsequent versions could easily introduce unknown factors as seen by the 6.5.2 version.


Various versions of Domino software for Windows can be found internally (note that this software is covered by the IBM PartnerWorld Agreement PartnerWorld Software Usage controlled by RSA Partner engineering)

Domino Server 6.5.1 for Windows NT 2000 2003 English
ftp://www.csau.ap.rsa.net/software/3rd%20party/IBM/Lotus%20Domino%206.5.x/Domino%20Server%206.5.1%20for%20Windows%20NT%202000%202003%20English/c80fina.exe

Domino Server 6.5.2 Win2000 NT 03 English
ftp://www.csau.ap.rsa.net/software/3rd%20party/IBM/Lotus%20Domino%206.5.x/Domino%20Server%206.5.2%20Win2000%20NT%2003%20English/c56srna.exe

Domino Server 6.5.3 Win2000 NT 03 English
ftp://www.csau.ap.rsa.net/software/3rd%20party/IBM/Lotus%20Domino%206.5.x/Domino%20Server%206.5.3%20Win2000%20NT%2003%20English/c59cyna.exe

Domino Server 6.5.4 WIN2000 NT 03 English
ftp://www.csau.ap.rsa.net/software/3rd%20party/IBM/Lotus%20Domino%206.5.x/Domino%20Server%206.5.4%20WIN2000%20NT%2003%20English/c82bqna.exe

Domino Server Incremental Install 6.5.2 TO 6.5.2 FP1 Windows NT, Windows 2000, Windows Server 2003 English
ftp://www.csau.ap.rsa.net/software/3rd%20party/IBM/Lotus%20Domino%206.5.x/Domino%20Server%20Incremental%20Install%206.5.2%20TO%206.5.2%20FP1%20Windows%20NT,%20Windows%202000,%20Windows%20Server%202003%20English/c82ibna.exe

Domino Server Incremental Install 6.5.2 to 6.5.3 Windows NT 2K 2003 English
ftp://www.csau.ap.rsa.net/software/3rd%20party/IBM/Lotus%20Domino%206.5.x/Domino%20Server%20Incremental%20Install%206.5.2%20to%206.5.3%20Windows%20NT%202K%202003%20English/c59djna.exe

Domino Server Incremental Install 6.5.3 TO 6.5.4 Windows NT Windows 2000 Windows Server 2003 English
ftp://www.csau.ap.rsa.net/software/3rd%20party/IBM/Lotus%20Domino%206.5.x/Domino%20Server%20Incremental%20Install%206.5.3%20TO%206.5.4%20Windows%20NT%20Windows%202000%20Windows%20Server%202003%20English/c82h7na.exe

Legacy Article IDa33276

Attachments

    Outcomes