|Applies To||Apache 2.0.49|
RSA ClearTrust Agent 4.6 for Apache 2.0
Microsoft Windows 2000
|Issue||CT_REMOTE_USER HTTP header variable not set for failed RSA ClearTrust authentications where the correct userID is entered with an incorrect password value|
|Cause||According to the webagent.conf parameter shown below, the CT_REMOTE_USER variable is set on failed authentication attempts only when the failure is due to an expired password or a locked-out account. The parameter does not cover authentication failures caused by an incorrectly entered password.|
# Specifies whether to publish CT_REMOTE_USER from the user header list
# even if the user has not successfully authenticated.
# Allowed Values:
# True Headers are published only if the user has successfully
# authenticated with at least one of the supported authentication
# False HTTP headers for the user will be published if the user
# authentication is not successful because the password expired, the
# account is locked out, or the user logged out.
|Resolution||For such failed login attempts to ClearTrust protected resources, the authorization server logs the following information in the aserver.log file:|
sequence_number=38,2006-03-20 10:29:08:590 PST,messageID=1002,user=jwai,client_ip_address=x.x.x.x,client_port=2461,browser_ip_address=x.x.x.x,result_code=2,result_action=Authentication Failure,result_reason=Bad Password
These log entries indicate the userID entered at the time of the failed authentication attempt and the reason the authentication failed.
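Because the header is not available for bad-password failures, the userID has to come from aserver.log. The following is an added example, not part of the original article or of RSA's tooling: a small parser that extracts the user, timestamp and browser address from entries in the format shown above and tallies failures per user. The function names are hypothetical, the sample lines other than the first are constructed, and the parser assumes field values contain no commas.

```python
from collections import Counter

# Constructed sample input: the first line is the entry shown in this article;
# the remaining lines are made up for the example (values are placeholders).
SAMPLE_LOG = """\
sequence_number=38,2006-03-20 10:29:08:590 PST,messageID=1002,user=jwai,client_ip_address=x.x.x.x,client_port=2461,browser_ip_address=x.x.x.x,result_code=2,result_action=Authentication Failure,result_reason=Bad Password
sequence_number=39,2006-03-20 10:29:15:102 PST,messageID=1002,user=jwai,client_ip_address=x.x.x.x,client_port=2462,browser_ip_address=x.x.x.x,result_code=2,result_action=Authentication Failure,result_reason=Bad Password
sequence_number=40,2006-03-20 10:30:01:007 PST,messageID=1002,user=asmith,client_ip_address=x.x.x.x,client_port=2470,browser_ip_address=x.x.x.x,result_code=2,result_action=Authentication Failure,result_reason=Constructed Other Reason
not a log entry
"""


def parse_entry(line):
    """Split one comma-separated entry into a dict.

    key=value fields become dict items; the bare field (no '=') is the timestamp.
    Assumption: values never contain a comma.
    """
    entry = {}
    for field in line.strip().split(","):
        key, sep, value = field.partition("=")
        if sep:
            entry[key.strip()] = value.strip()
        elif field.strip():
            entry["timestamp"] = field.strip()
    return entry


def failed_logins(log_text, reason="Bad Password"):
    """Return (timestamp, user, browser_ip) for each failure with the given reason."""
    hits = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e.get("result_action") != "Authentication Failure":
            continue  # also skips malformed lines, which lack this field
        if e.get("result_reason") != reason:
            continue
        hits.append((e.get("timestamp"), e.get("user"), e.get("browser_ip_address")))
    return hits


def failures_per_user(log_text, reason="Bad Password"):
    """Count matching failures per userID, e.g. to spot repeated bad passwords."""
    return Counter(user for _, user, _ in failed_logins(log_text, reason))


if __name__ == "__main__":
    for ts, user, ip in failed_logins(SAMPLE_LOG):
        print(ts, user, ip)
    print(dict(failures_per_user(SAMPLE_LOG)))
```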
|Legacy Article ID||a30109|