000022280 - The user is authenticated to ClearTrust but not to the Microsoft Domain when using protocol transition.

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2

Article Content

Article Number: 000022280
Applies To: RSA ClearTrust Agent 4.6 for Microsoft IIS 6.0
Protocol Transition
Password Replay
Microsoft SharePoint Server
Issue: The user is authenticated to ClearTrust but not to the Microsoft Domain when using protocol transition.
Applications that depend on Microsoft Windows Authentication, such as SharePoint Portal Server, may throw an exception indicating that a user is not authenticated, even though the user has a valid RSA ClearTrust session and is configured for Single Sign-On (SSO) using Protocol Transition or Password Replay.
RSA ClearTrust allows users access but does not generate a Windows Logon Session Token, so users are unable to SSO to applications that require Windows Authentication.
This situation may occur if the user is a valid RSA ClearTrust user, but there is a failure to retrieve the user's Windows Token during Protocol Transition or Password Replay authentication. This can happen, for instance, if the "ClearTrust Token Tool" is not running.
The ctagent.log file shows:

1124149137.453:[3672/6092]:<Debug>:[ct_get_cipher]:UsingDES-EDE cipher
1124149137.453:[3672/6092]:<Debug>:[ct_decrypt_string]:decrypted:len:32
1124149137.453:[3672/6092]:<Debug>:[ct_process_client_request]:Decrypted request: tuser@nick.na.rsa.net\0371264
1124149137.453:[3672/6092]:<Debug>:[ct_process_client_request]:User Name: tuser@nick.na.rsa.net, targetPid : 1264
1124149137.453:[3672/6092]:<Debug>:[ct_process_client_request]:Convert target process: 4,708
1124149137.453:[3672/6092]:<Critical>:[ct_s4uLogon]:LsaLogonUser failed : 1,326
1124149137.453:[3672/6092]:<Critical>:[ct_process_client_request]:Failed to generate S4U token for user:tuser@nick.na.rsa.net
1124149137.453:[3672/6092]:<Warning>:[ct_handle_pipe_request]:Failed to generate a token for user. return an invalid token
Resolution: This issue has been resolved in a hot fix for RSA ClearTrust Agent 4.6 for Microsoft IIS 6.0. Contact RSA Security Customer Support to obtain hot fix 4.6.0.71, or request the latest fix level (which is cumulative and contains fixes from previous fix levels).

This hot fix corrects the problem by directing the user to the page defined in "cleartrust.agent.login_server_error" if the Microsoft Windows Token is not obtained. This prevents users from authenticating to ClearTrust if the Agent is unable to obtain a Windows Token for the user.
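
As an added example (not RSA's code and not part of the original article), the following Python script scans ctagent.log text for the failure signature shown in the excerpt above and pairs each "Failed to generate S4U token" line with the preceding LsaLogonUser status. The sample lines and user names are constructed, and treating the bracketed number pair as a per-request correlation key is an assumption.

```python
import re

# Line layout seen in the excerpt: time:[a/b]:<Level>:[function]:message
LINE_RE = re.compile(r"^(\d+\.\d+):\[(\d+/\d+)\]:<(\w+)>:\[(\w+)\]:(.*)$")
LSA_FAIL_RE = re.compile(r"LsaLogonUser failed : ([\d,]+)")
S4U_FAIL_RE = re.compile(r"Failed to generate S4U token for user:(\S+)")

# Constructed sample lines in the same layout (user names are made up).
SAMPLE_LOG = """\
1124149137.453:[3672/6092]:<Debug>:[ct_process_client_request]:User Name: alice@corp.example, targetPid : 1264
1124149137.453:[3672/6092]:<Critical>:[ct_s4uLogon]:LsaLogonUser failed : 1,326
1124149137.460:[3672/7010]:<Debug>:[ct_process_client_request]:User Name: bob@corp.example, targetPid : 1264
1124149137.471:[3672/6092]:<Critical>:[ct_process_client_request]:Failed to generate S4U token for user:alice@corp.example
1124149137.471:[3672/6092]:<Warning>:[ct_handle_pipe_request]:Failed to generate a token for user. return an invalid token
not a log line
1124149139.002:[3672/7010]:<Critical>:[ct_process_client_request]:Failed to generate S4U token for user:carol@corp.example
"""


def find_s4u_failures(log_text):
    """Return one finding per 'Failed to generate S4U token' line.

    The LsaLogonUser status is matched to the failure through the bracketed
    [a/b] pair, assumed here to identify the worker handling the request.
    """
    pending = {}   # [a/b] pair -> last LsaLogonUser status seen for it
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, ctx, level, func, msg = m.groups()
        lsa = LSA_FAIL_RE.search(msg)
        if func == "ct_s4uLogon" and lsa:
            # The excerpt shows the status with a thousands separator ("1,326").
            pending[ctx] = int(lsa.group(1).replace(",", ""))
            continue
        s4u = S4U_FAIL_RE.search(msg)
        if level == "Critical" and s4u:
            findings.append({"time": ts, "user": s4u.group(1), "context": ctx,
                             "lsa_status": pending.pop(ctx, None)})
    return findings


if __name__ == "__main__":
    for f in find_s4u_failures(SAMPLE_LOG):
        print(f)
```

A finding whose lsa_status is None means the S4U failure line appeared without a matching LsaLogonUser line for the same bracketed pair, for example when the log was rotated between the two entries.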
Legacy Article ID: a27768
