|Applies To||Domino 6.5.x|
ClearTrust Web Agent Domino 6.5.x V 4.6 Agent
Microsoft Windows 2003 Server
|Issue||Error 401: You are not authorized to perform this operation|
A Domino 6.5.2 system has been installed with the ClearTrust agent and SSO using mapped User Principal Names has been configured however after the initial ClearTrust authentication a subsequent HTTP pop-up authentication box still appears asking for Domino credentials.
The problem is caused by a known bug in the initial release Domino 6.5.2 system and was quickly fixed by IBM (for further information see the IBM Technote (FQA) ref 1177645 at http://www-1.ibm.com/support/docview.wss?uid=swg21177645 with the title "After upgrading to Domino 6.5.2, authentication via DSAPI filter returns wrong user name".
The RSA ClearTrust Domino agent has been fully qualified against 6.5.1 and it is known that this version does not exhibit the issue. It is also possible to upgrade to later versions of 6.5.x however these later versions will not have been qualified for use with the ClearTrust Domino 4.6 agent and support can only be supplied on a "best endeavours" basis where changes between the later version and 6.5.1 cause an interworking issue.
The IBM technote advises installation of either 6.5.3 or Domino 6.5.2 Fix Pack 1 (FP1) however it also gives an alternative approach to resolve the issue without any additional software. This alternative approach is to reconfigure settings in the Domino server by changing the "Internet Authentication" field on the Security tab of the Server document to "More name variations with lower security",. for more specific detail on what this implies contact IBM Customer Support. Remember when considering setting this field that an enhanced level of security has now been applied to the Domino server by using the ClearTrust Domino agent.
For full details for installation of the ClearTrust Domino agent and configuring user mapping see the following manuals:
RSA ClearTrust 5.5.3 Servers Installation and Configuration Guide
RSA ClearTrust Agent 4.6 Installation and Configuration Guide
Additional guidance on using the RSA ClearTrust Domino agent may be found here:
How to set upUser Principal Name (UPN) mapping in RSA ClearTrustAgent 4.6 for Lotus Domino R5 How to set upUser Principal Name (UPN) mapping in RSA ClearTrustAgent 4.6 for Lotus Domino R5
Although the ClearTrust agent was originally qualified only on 6.5.1 Rooben Garakanian (then CE manager) accepted that versions such as 6.5.4 were valid versions to submit defects to engineering since engineering could only obtain copies of 6.5.4 to qualify patches on anyway and that copies of 6.5.1 were not currently available.
This does not change the fact that QA of the product has only been carried out on 6.5.1 and that subsequent versions could easily introduce unknown factors as seen by the 6.5.2 version.
Various versions of Domino software for Windows can be found internally (note that this software is covered by the IBM PartnerWorld Agreement PartnerWorld Software Usage controlled by RSA Partner engineering)
Domino Server 6.5.1 for Windows NT 2000 2003 English
Domino Server 6.5.2 Win2000 NT 03 English
Domino Server 6.5.3 Win2000 NT 03 English
Domino Server 6.5.4 WIN2000 NT 03 English
Domino Server Incremental Install 6.5.2 TO 6.5.2 FP1 Windows NT, Windows 2000, Windows Server 2003 English
Domino Server Incremental Install 6.5.2 to 6.5.3 Windows NT 2K 2003 English
Domino Server Incremental Install 6.5.3 TO 6.5.4 Windows NT Windows 2000 Windows Server 2003 English
|Legacy Article ID||a33276|