|Applies To||RSA ClearTrust Agent 4.6 for Microsoft IIS 6.0|
Microsoft SharePoint Server
|Issue||The user is authenticated to ClearTrust but not to the Microsoft Domain when using protocol transition.|
Applications that depend on Microsoft Windows Authentication such as SharePoint Portal Server may throw an exception indicating that a user is not authenticated, even though the user has a valid RSA ClearTrust session and is configured for Single Sign-On (SSO) using Protocol Transition or Password Replay
RSA ClearTrust allows users access, but does not generate a Windows Logon Session Token and users are unable to SSO to applications that require a Windows Authentication.
This situation may occur if the user is a valid RSA ClearTrust user, but there is a failure to retrieve the users Windows Token during Protocol Transition or Password Replay authentication. This can happen, for instance, if the "ClearTrust Token Tool" is not running.
ctagent.log file shows:
1124149137.453:[3672/6092]:<Debug>:[ct_process_client_request]:Decrypted request: email@example.com\0371264
1124149137.453:[3672/6092]:<Debug>:[ct_process_client_request]:User Name: firstname.lastname@example.org, targetPid : 1264
1124149137.453:[3672/6092]:<Debug>:[ct_process_client_request]:Convert target process: 4,708
1124149137.453:[3672/6092]:<Critical>:[ct_s4uLogon]:LsaLogonUser failed : 1,326
1124149137.453:[3672/6092]:<Critical>:[ct_process_client_request]:Failed to generate S4U token for user:email@example.com
1124149137.453:[3672/6092]:<Warning>:[ct_handle_pipe_request]:Failed to generate a token for user. return an invalid token
|Resolution||This issue has been resolved in a hot fix for RSA ClearTrust Agent 4.6 for Microsoft IIS 6.0. Contact RSA Security Customer Support to obtain hot fix 18.104.22.168, or request the latest fix level (which is cumulative, and contains fixes from previous fix levels).|
This hot fix corrects the problem by directing the user to the page defined in the "cleartrust.agent.login_server_error" if the Microsoft Windows Token is not obtained. This prevents users from authenticating to ClearTrust if the Agent is unable to obtain a Windows Token for the user.
|Legacy Article ID||a27768|