000022432 - RSA ClearTrust users keep looping to logon page

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000022432

Applies To: RSA ClearTrust Agent 4.6 for Lotus Domino 6.5.x
Microsoft Windows Server 2003

Issue: RSA ClearTrust users keep looping to logon page
User gets re-prompted for authentication
ctagent.log (debug file) shows "Token client IP address do not match any excluded IP addresses"

Cause: The network has been reconfigured and the browser sessions are now coming through a proxy server. The RSA ClearTrust Agent has not been configured for this option and has recognized that the source IP address of the browser does not match the source IP address of the incoming packet.

Resolution: If you intend that a proxy server be used in the configuration, then RSA ClearTrust Agent 4.6 for Domino 6.5.x must be configured correctly. There are a series of parameters for this, the first of these is as follows:


Setting this parameter to false immediately changes the behavior of the Agent: it no longer accepts cookies only from the IP address to which they were originally issued. Setting the parameter to false may decrease the security of the solution, so the parameter and its details should be reviewed thoroughly. A series of subsequent parameters allows a more granular approach without a reduction in security, and these should be investigated once changing the above parameter has been found to work. In this way, the cleartrust.agent.cookie_ip_check parameter can be set back to its default, and the subsequent parameters can then be tailored to achieve the exact result desired.
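
The trade-off described above, as an added example that is not RSA ClearTrust code: a simplified model of an IP-bound session token, validated with the address check enforced, switched off, and relaxed only for a proxy address. The token format, key, function names and the `excluded` list are assumptions made for illustration, and all addresses are constructed.

```python
import hashlib
import hmac
import ipaddress

KEY = b"constructed-demo-key"  # constructed value, used only in this example


def _mac(body):
    return hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_token(user, client_ip):
    """Return a session token bound to the address it was issued to."""
    body = f"{user}|{client_ip}"
    return f"{body}|{_mac(body)}"


def validate(token, source_ip, ip_check=True, excluded=()):
    """Return (accepted, reason) for a token arriving from source_ip.

    ip_check models the on/off switch. excluded is an assumed list of
    networks (the proxies) that are exempt from the address comparison.
    """
    try:
        user, bound_ip, mac = token.split("|")
    except ValueError:
        return False, "malformed token"
    if not hmac.compare_digest(mac, _mac(f"{user}|{bound_ip}")):
        return False, "bad signature"
    if not ip_check:
        return True, "ip check disabled"
    if source_ip == bound_ip:
        return True, "ip match"
    src = ipaddress.ip_address(source_ip)
    if any(src in ipaddress.ip_network(net) for net in excluded):
        return True, "source excluded from ip check"
    return False, "ip mismatch"


if __name__ == "__main__":
    token = issue_token("alice", "10.1.1.50")      # browser address (constructed)
    proxy, other = "192.0.2.10", "203.0.113.77"    # constructed addresses
    print(validate(token, proxy))                   # rejected: the logon loop
    print(validate(token, other, ip_check=False))   # accepted from any address
    print(validate(token, proxy, excluded=[proxy + "/32"]))  # accepted via proxy
    print(validate(token, other, excluded=[proxy + "/32"]))  # still rejected
```

With the check switched off the same token is accepted from every source address, whereas the exclusion list restores access through the proxy and keeps rejecting other sources.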

Review the following parameters in the webagent.conf file in turn, and check which mix is most appropriate to your specific situation:

Legacy Article ID: a28428