000020073 - ClearTrust 5.0 login screen images do not appear if entire IIS Web site is protected

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017

Article Content

Article Number: 000020073
Applies To: RSA ClearTrust 5.0
RSA ClearTrust Agent 3.0 for Microsoft IIS
Microsoft Windows NT 4.0
Microsoft Windows 2000
Microsoft Internet Information Server (IIS) 4.0
Microsoft Internet Information Server (IIS) 5.0
Issue: ClearTrust 5.0 login screen images do not appear if entire IIS Web site is protected
If the entire IIS Web site is protected by "/*", the login screen images do not appear. This is a known issue and is not considered a bug. Please refer to the Administrator's Guide in ClearTrust 5.0, where Chapter 4 (Managing Resources) has a subsection titled "Defining URLs as Resources" under the "Resources" section. This subsection contains an important note that states "Using '/*' to protect the entire Web server will block access to graphics and objects associated with login". A similar note also appears in the ClearTrust 4.6.1 Administrator's Guide (Chapter 2 - The Entitlements Manager Background Concepts - Protected Resources - URIs).
Resolution: Below is the proposed workaround for ClearTrust Agent 3.0 for IIS when the login screen images do not appear because the entire IIS Web server is protected with "/*":

1. Create a virtual host. From Microsoft Management Console, right-click the machine hostname and select New -> Web Site. When the "New Web Site Wizard" appears, enter a name for the "Web Site Description". Accept the default (All Unassigned) for the IP address. Enter a new port number if port 80 is used. Enter the 'default path' of the new Web site.

2. Copy the 'images' directory from "c:\program files\RSA\Cleartrust\IIS Agent\htdocs" to the 'default path' of the new Web site

3. Create a test file (test.txt) in the "default path" of the new Web site

4. From Microsoft Management Console, right-click the newly created Virtual Host or Web Site and select New -> Virtual Directory. When the New Virtual Directory Wizard appears, enter a name for the 'alias' and the physical path of the directory (e.g. c:\<default path>\images).

5. Restart IIS Web server (stop IIS Admin Service and start World Wide Web Publishing) through the Services Control Panel

6. Test the newly created virtual host by accessing the test file (test.txt):
        http://<FQDN>:portnumber/test.txt

7. Make a backup of the C:\Program Files\RSA\ClearTrust\IIS Agent\htdocs\ct_logon.asp file

8. Edit the C:\Program Files\RSA\ClearTrust\IIS Agent\htdocs\ct_logon.asp file and search for "images". Replace all instances of "images" with the URL and alias of the newly created virtual host. An example is shown below:

        Original ct_logon.asp:
        <TD height="1"> <IMG src="images/spacer.gif" width=600 height=1></TD>
        </TR>
        <TR>
        <TD height="47"><IMG src="images/logo.gif" width="297" height="47"></TD>
        </TR>
        
        Modified ct_logon.asp:
        <TD height="1"> <IMG src="http://server1.tst.com:82/ct5/spacer.gif" width=600 height=1></TD>
        </TR>
        <TR>
        <TD height="47"><IMG src="http://server1.tst.com:82/ct5/logo.gif" width="297" height="47"></TD>
        </TR>

9. Back up the C:\Program Files\RSA\ClearTrust\IIS Agent\conf\webagent.conf file

10. Modify the C:\Program Files\RSA\ClearTrust\IIS Agent\conf\webagent.conf file and add the newly created virtual host in the 'VirtualHost' section. Create a virtual host section for the current Web Server with the following ClearTrust parameters:

        cleartrust.agent.enabled
        cleartrust.agent.web_server_name
        cleartrust.agent.key_client_name
        cleartrust.agent.key_client_secret

NOTE: The "web_server_name", "key_client_name", and "key_client_secret" are already defined. Copy the parameters and paste them in the Virtual Host section. Create another virtual host section for the new Web site with only the ClearTrust parameter "cleartrust.agent.enabled" set to "No".

An example is shown below:

        <VirtualHost address=10.10.10.100:80 name=server1.tst.com>
        cleartrust.agent.enabled=yes
        cleartrust.agent.web_server_name=IISwebs
        cleartrust.agent.key_client_name=IISwebs
        cleartrust.agent.key_client_secret=55W4xd1PfYTLlOzQNpN8MWf5B5hJ5ihNhT1HTZAst+1k
        </VirtualHost>
        
        <VirtualHost address=10.10.10.100:82 name=server1.tst.com>
        cleartrust.agent.enabled=no
        </VirtualHost>

11. Restart IIS Web server (stop IIS Admin Service and start World Wide Web Publishing) through the Services Control Panel
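
A check for the finished configuration, as an added example that is not part of the RSA article or the ClearTrust product: it lists the VirtualHost sections of webagent.conf where the agent is set to "no" and reports any non-image file under that site's default path, which the agent does not protect (the test.txt from step 3, for instance). The function names, the image extension allow-list and the sample text are assumptions, and the parser handles only the section layout shown in the example above.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample in the layout of the article's webagent.conf example;
# the secret value is a placeholder.
SAMPLE_CONF = """\
<VirtualHost address=10.10.10.100:80 name=server1.tst.com>
cleartrust.agent.enabled=yes
cleartrust.agent.web_server_name=IISwebs
cleartrust.agent.key_client_name=IISwebs
cleartrust.agent.key_client_secret=PLACEHOLDER_SECRET
</VirtualHost>

<VirtualHost address=10.10.10.100:82 name=server1.tst.com>
cleartrust.agent.enabled=no
</VirtualHost>
"""

# Assumption: only the block layout shown in the article is handled.
BLOCK_RE = re.compile(
    r"<VirtualHost\s+address=(\S+)\s+name=([^\s>]+)\s*>(.*?)</VirtualHost>",
    re.DOTALL | re.IGNORECASE)
IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png"}  # assumed allow-list

def unprotected_hosts(conf_text):
    """Return address:port of each VirtualHost with the agent set to 'no'."""
    found = []
    for address, _name, body in BLOCK_RE.findall(conf_text):
        params = dict(line.strip().split("=", 1)
                      for line in body.splitlines() if "=" in line)
        if params.get("cleartrust.agent.enabled", "").strip().lower() == "no":
            found.append(address)
    return found

def non_image_files(doc_root):
    """Return relative paths of files under doc_root that are not images."""
    root = Path(doc_root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() not in IMAGE_EXTS)

if __name__ == "__main__":
    print("agent disabled on:", unprotected_hosts(SAMPLE_CONF))
    with tempfile.TemporaryDirectory() as site:  # constructed document root
        (Path(site) / "images").mkdir()
        (Path(site) / "images" / "logo.gif").write_bytes(b"GIF89a")
        (Path(site) / "test.txt").write_text("test")
        print("not images:", non_image_files(site))
```

Run against the real webagent.conf and the new site's default path, an empty second list means the agent-disabled site serves nothing but the login images.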
     
Legacy Article ID: a14178
