000024728 - Error: 'HTTP 500 server error' appears for some RSA ClearTrust users when authenticating with ClearTrust-to-Citrix Single-Sign-On (SSO) integration

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number
000024728
Applies To
RSA ClearTrust 5.0.1
RSA ClearTrust 5.0.1 Administrative C API
RSA ClearTrust Citrix NFuse Integration Module - COM
RSA ClearTrust Agent 4.5 for Microsoft Internet Information Services (IIS) 6.0

Microsoft Internet Information Server (IIS) 6.0
Citrix MetaFrame 1.8 SP4 for Microsoft Windows 2000
Citrix Web Interface 2.1 on Microsoft Internet Information Server (IIS) 6.0
Issue
Error: "HTTP 500 server error" appears for some RSA ClearTrust users when authenticating with ClearTrust-to-Citrix Single-Sign-On (SSO) integration
Some RSA ClearTrust users ("good users") can log in successfully, whereas other users ("bad users") always fail to log in and see the error "HTTP 500 server error" in the web browser.
When the error "HTTP 500 server error" appears, no RSA ClearTrust user (not even the good users) can log on to Citrix successfully until Microsoft Internet Information Services (IIS) is restarted or a login attempt is made after quite some time (about 30-40 minutes).
If friendly error messages are disabled in the user's web browser, the first error (mapped to HTTP 500 server error) for a user that can never successfully log in looks like the following:

    error 'fffffff3'
    /Citrix/MetaFrameXP/default/frameset.asp, Line 26
About 10 minutes after the error "fffffff3" appears, all login attempts from "good users" or "bad users" cause the following error to appear:

    error 'ffffffeb'
    /Citrix/MetaFrameXP/default/frameset.asp, line 26
The errors shown above were produced by the ClearTrust-Citrix integration file frameset.asp, where line 26 reads as follows:

    Set cred = NfuseIntegration.GetUsersNFuseCredential(context,ctUser)

The difference between the good and bad user objects (seen in the SQL queries issued when the RSA ClearTrust Citrix Integration Module was invoked) was in the account expiration dates. The good user objects had account expiry dates set to year 2014 or earlier, whereas the bad user objects had dates set to year 2050 (intentionally set by the ClearTrust administrator so that the accounts expire as far in the future as possible).

Cause
The issue occurred in the RSA ClearTrust Administrative C API library used by the ClearTrust-Citrix Integration Module when converting time from a jlong (correctly returned from the JNI interface) to a C-based struct tm. Any date in a user object set beyond 19-Jan-2038, 03:14:07 AM GMT (the time_t representation is 2147483647, the maximum possible value/date in a 32-bit unsigned integer) could not be converted correctly by the API, resulting in the errors above. If a date in the user object was set earlier than this date, the errors reported above did not occur.
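The conversion described above, as an added example (not RSA's code and not part of the original article): a C routine that turns a 64-bit expiry value into a struct tm without ever narrowing it to a 32-bit time_t, plus a check for values that a 32-bit time_t cannot hold. The function names and the millisecond unit of the input are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Assumption: the expiry date arrives as a signed 64-bit count of
   milliseconds since 1970-01-01 UTC (the Java convention for a jlong). */
/* 1 if the date survives narrowing to a 32-bit time_t, 0 otherwise.
   INT32_MAX is 2147483647, i.e. 19-Jan-2038 03:14:07 GMT. */
int fits_time32(int64_t ms) {
    int64_t s = ms / 1000;
    return s >= INT32_MIN && s <= INT32_MAX;
}

/* Fill *out (UTC) using 64-bit arithmetic only, never a time_t.
   Returns 0 on success, -1 if the year falls outside 1..9999. */
int expiry_to_tm(int64_t ms, struct tm *out) {
    int64_t secs = ms / 1000 - (ms % 1000 < 0);      /* floor division */
    int64_t days = secs / 86400, rem = secs % 86400;
    if (rem < 0) { rem += 86400; days--; }
    /* Days since epoch -> Gregorian date, counting 400-year eras from 1 March. */
    int64_t z = days + 719468;
    int64_t era = (z >= 0 ? z : z - 146096) / 146097;
    int64_t doe = z - era * 146097;                  /* day of era */
    int64_t yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    int64_t doy = doe - (365 * yoe + yoe / 4 - yoe / 100); /* from 1 March */
    int64_t mp = (5 * doy + 2) / 153;
    int64_t m = mp < 10 ? mp + 3 : mp - 9;
    int64_t y = yoe + era * 400 + (m <= 2);
    if (y < 1 || y > 9999) return -1;
    int leap = (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
    *out = (struct tm){0};                           /* also clears tm_isdst */
    out->tm_year = (int)(y - 1900);
    out->tm_mon = (int)(m - 1);
    out->tm_mday = (int)(doy - (153 * mp + 2) / 5 + 1);
    out->tm_hour = (int)(rem / 3600);
    out->tm_min = (int)(rem % 3600 / 60);
    out->tm_sec = (int)(rem % 60);
    out->tm_wday = (int)((days % 7 + 11) % 7);       /* 1970-01-01 was a Thursday */
    out->tm_yday = (int)(m > 2 ? doy + 59 + leap : doy - 306);
    return 0;
}

int main(void) {
    struct tm t;
    int64_t expiry = INT64_C(2524608000000);         /* constructed: 2050-01-01 UTC */
    if (expiry_to_tm(expiry, &t) != 0) return 1;
    printf("%04d-%02d-%02d fits32=%d\n", t.tm_year + 1900, t.tm_mon + 1, t.tm_mday, fits_time32(expiry));
    return 0;
}
```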
Resolution
This issue was partially resolved by hot fix 5.0.1.120 for RSA ClearTrust, and a subsequently released hot fix corrects the issue completely. Contact RSA Security Customer Support to request hot fix 5.0.1.123 for ClearTrust Administrative C API, or request the latest fix level (which is cumulative, and includes fixes from all previous fix levels).
Workaround
RSA ClearTrust was integrated with Citrix to achieve Single-Sign-On (SSO) using ClearTrust-Citrix Web Interface Integration Module 5.0.1.66_CitrixWI.zip following the implementation guide at http://rsasecurity.agora.com/rsasecured/guides/cleartrust/Citrix_Web_Interface_CT5x.pdf.
Legacy Article ID
a22297
