000022601 - Client code fails to authenticate to RSA ClearTrust protected web service

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000022601
Applies ToRSA ClearTrust 5.x
Microsoft .NET Framework 1.1
Axis Web Service Client Libraries 1.3
Inter-Site Single Sign-On (ISSO)
IssueHow to access RSA ClearTrust protected web service with client code
.NET 1.1 SOAP clients fail to access the protected resource, returning a System.net.WebException
Axis 1.3 based clients fail to access the protected resource, eventually throwing a StackOverflowRuntimeError
Manually accessing the web service through a browser, the user is correctly challenged and authenticated, and is able to access the web service
CauseWhen a resource is not in the master domain of an Inter-Site Single Sign-On (ISSO) arrangement, the client accessing the web service is redirected through the master domain in order to provide to the client an RSA ClearTrust session cookie from the master domain. At the time of writing, two SOAP client libraries are known to have problems with this redirection: .NET 1.1 clients that return an opaque WebException, and Java-based clients written on the Axis 1.3 client library, which loops to the point of stack overflow on 302 code responses from the web server.
ResolutionDisable Inter-Site Single Sign-On (ISSO) in the governing host/virtual host in the RSA ClearTrust Agent's webagent.conf file. This is done by commenting out the following three parameters:

cleartrust.agent.isso.is_master
cleartrust.agent.isso.master_domain
cleartrust.agent.isso.slave_domain
WorkaroundProtecting a web service with RSA ClearTrust as a URL-based resource; the Agent is configured to protect web service with BASIC, non-forms-based authentication
Inter-Site Single Sign-On (ISSO) is enabled within the governing host/virtual host
Legacy Article IDa29418

Attachments

    Outcomes