000018732 - Error: 'PrincipalAuthenticator.authInternal - LoginException' in RSA ClearTrust Agent 3.5 for BEA WebLogic 7.0

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000018732
Applies To: RSA ClearTrust Agent 3.5 for BEA WebLogic 7.0
Issue: Error: "PrincipalAuthenticator.authInternal - LoginException" in RSA ClearTrust Agent 3.5 for BEA WebLogic 7.0
CTLoginServlet: Received token is not valid, login fails
Error: "HTTP 403 - Forbidden" in RSA ClearTrust
Cause: The system is configured to allow SSO between a system running IIS (with the RSA ClearTrust Agent 4.5) and the WebLogic server. Sometimes, when the user authenticates at the IIS server and then browses to the WebLogic server, an "Error 403" appears stating that the user does not have permission to access the page.

The problem occurs when the system time differs between the Web servers. A built-in mechanism called a "fudge factor" (see "cleartrust.agent.fudge_factor" in webagent.conf and cleartrust_realm.properties for more information) fails to act as expected on the WebLogic Agent, which then incorrectly denies access to the selected page after examining the SSO cookie.

The various RSA ClearTrust errors may be seen if debug has been enabled for RSA ClearTrust Agent for BEA WebLogic (this can be set using the WebLogic agent configuration GUI).
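The following is an added illustration, not RSA's code, of how a clock-skew tolerance such as the fudge factor is meant to behave when one server validates an SSO token issued by another, and of the 403 that results when the tolerance is not applied. The token model, host names, clock offsets and the use of seconds are assumptions made for the example; they do not describe the ClearTrust cookie format or the agent's internals.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class SsoToken:        # assumed token model, not the ClearTrust cookie format
    user: str
    issued_at: int     # epoch seconds on the issuing server's clock
    lifetime: int      # seconds the token stays valid

def validate(token, local_now, fudge_factor=0):
    """Accept the token if local_now is inside its validity window,
    widened at both ends by fudge_factor seconds."""
    if local_now < token.issued_at - fudge_factor:
        return False, "issued in the future"
    if local_now > token.issued_at + token.lifetime + fudge_factor:
        return False, "expired"
    return True, "ok"

def sso_request(true_time, issuer_skew, validator_skew, delay,
                fudge_factor, lifetime=900):
    """User logs in on the issuer at true_time and reaches the validator
    `delay` seconds later. Returns the HTTP status the validator sends."""
    token = SsoToken("alice", true_time + issuer_skew, lifetime)
    ok, _ = validate(token, true_time + delay + validator_skew, fudge_factor)
    return 200 if ok else 403

def pairs_over_tolerance(offsets, fudge_factor):
    """offsets maps host -> clock offset (seconds) from a common reference.
    Returns the host pairs whose relative skew exceeds fudge_factor."""
    return sorted(
        (a, b, abs(offsets[a] - offsets[b]))
        for a, b in combinations(sorted(offsets), 2)
        if abs(offsets[a] - offsets[b]) > fudge_factor
    )

# Constructed sample: measured clock offsets for three hypothetical hosts.
OFFSETS = {"iis-front": 90, "weblogic-app": -15, "weblogic-app2": 10}

if __name__ == "__main__":
    T = 1_700_000_000
    # Issuer clock 90 s fast, validator 15 s slow, request arrives 5 s later.
    print(sso_request(T, 90, -15, delay=5, fudge_factor=0))    # tolerance not applied
    print(sso_request(T, 90, -15, delay=5, fudge_factor=120))  # tolerance applied
    print(pairs_over_tolerance(OFFSETS, fudge_factor=60))
```

Running `pairs_over_tolerance` against offsets gathered from the SSO participants shows which server pairs rely on the tolerance at all; keeping the servers time-synchronised reduces that reliance.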
Resolution: This issue has been resolved in a hot fix for RSA ClearTrust Agent 3.5 for BEA WebLogic 7.0. Contact RSA Security Customer Support to obtain this hot fix, or request the latest fix level (which is cumulative and contains the fixes from previous fix levels). Follow the instructions in the Readme file provided for proper installation.

The fix contains 2 replacement .JAR files, and installation requires a stop and start of the WebLogic server.
Workaround: BEA WebLogic SSPI SSO has been enabled
Legacy Article ID: a22368