|Applies To||RSA ClearTrust Agent 3.5 for BEA WebLogic 7.0|
|Issue||Error: "PrincipalAuthenticator.authInternal - LoginException" in RSA ClearTrust Agent 3.5 for BEA WebLogic 7.0|
CTLoginServlet: Received token is not valid, login fails
Error: "HTTP 403 - Forbidden" in RSA ClearTrust
|Cause||The system is configured to allow SSO between a system running IIS (with the RSA ClearTrust Agent 4.5) and the WebLogic server. Sometimes, when the user authenticates at the IIS server and then browses to the WebLogic server, an "Error 403" appears stating that the user does not have permission to access the page.|
The problem occurs when the system times on the Web servers differ. A mechanism called the "fudge factor" (see "cleartrust.agent.fudge_factor" in webagent.conf and cleartrust_realm.properties for more information) fails to act as expected on the WebLogic Agent, which incorrectly denies access to the selected page after examining the SSO cookie.
The various RSA ClearTrust errors may be seen if debug has been enabled for RSA ClearTrust Agent for BEA WebLogic (this can be set using the WebLogic agent configuration GUI).
|Resolution||This issue has been resolved in hot fix 3.5.1.05 for RSA ClearTrust Agent 3.5 for BEA WebLogic 7.0. Contact RSA Security Customer Support to obtain this hot fix, or request the latest fix level (which is cumulative, and contains fixes from previous fix levels). Follow the instructions in the Readme file provided for proper installation.|
The fix contains 2 replacement .JAR files, and installation requires a stop and start of the WebLogic server.
|Workaround||BEA WebLogic SSPI SSO has been enabled|
|Legacy Article ID||a22368|
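
The failure mode described under Cause, as an added illustration that is not RSA's code: a generic token freshness check in which a skew tolerance plays the role the article attributes to the fudge factor. The token fields, the unit (seconds), the function names and all values are assumptions; the ClearTrust cookie format and the exact semantics of cleartrust.agent.fudge_factor are not described in this article.

```python
# Added illustration, not ClearTrust code. Token fields, the unit (seconds)
# and every value below are constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class SsoToken:
    user: str
    issued_at: int  # epoch seconds, stamped by the issuing server's clock
    lifetime: int   # seconds the token stays valid after issue


def check_token(token: SsoToken, local_now: int, tolerance: int = 0) -> str:
    """Classify a token as seen by the validating server's clock.

    tolerance widens both ends of the validity window, so it also extends
    how long a stale token is still accepted; keep it small and sync clocks.
    """
    if tolerance < 0:
        raise ValueError("tolerance must be non-negative")
    if local_now < token.issued_at - tolerance:
        return "not-yet-valid"  # issuer's clock runs ahead of ours
    if local_now > token.issued_at + token.lifetime + tolerance:
        return "expired"        # issuer's clock runs behind ours
    return "ok"


def browse_after_login(issuer_offset: int, validator_offset: int,
                       tolerance: int, age: int = 5, lifetime: int = 60) -> str:
    """Log in on one host, then present the token to another `age` seconds later.

    The offsets are each host's clock error relative to true time.
    """
    true_login = 1_700_000_000  # constructed reference instant
    token = SsoToken("alice", true_login + issuer_offset, lifetime)
    return check_token(token, true_login + age + validator_offset, tolerance)


if __name__ == "__main__":
    for offset in (0, 90, -90, 300):
        for tol in (0, 120):
            print(f"issuer offset {offset:+4d}s, tolerance {tol:3d}s ->",
                  browse_after_login(offset, 0, tol))
```

A rejection that disappears once the tolerance covers the clock difference points to skew between the two hosts rather than to a missing entitlement.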