000025656 - The cleartrust home page loops when attempting IWA authentication

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000025656
Applies To: RSA ClearTrust Agent 4.6
Microsoft Integrated Windows Authentication (IWA)
Issue: The ClearTrust home page loops when attempting IWA authentication.
When attempting to authenticate using IWA (Integrated Windows Authentication), the user is directed to the ct_home.asp page on the IWA IIS server and then the page loops (looping logon) forever.
Cause: This error occurs if the ClearTrust authentication cookie cannot be accepted by the user's browser.
Resolution:
Ensure that the user's browser allows cookies to be accepted.
Ensure that the cleartrust.agent.cookie_domain name in the webagent.conf file for the IIS server agent hosting the ct_home.asp page is the same as that of the other web servers protected by ClearTrust agents.
Ensure that the time is the same on the browser and all the web servers participating in SSO.
Temporarily disable cookie IP checking on the agent to test for proxy problems.
Ensure that the cleartrust.agent.cookie_domain is in lower case, not upper or mixed case. (This is a problem on some types of web servers only.)
The IWA ct_home.asp needs to check for the presence of an orig url to redirect to before doing the META refresh. If there is no orig url (such as when accessing ct_home.asp directly), the page will loop. The supplied ct_home.asp has this check, but it may be lost due to modifications or to using an old version of the page.
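
The two cookie_domain checks above can be run over copies of each server's webagent.conf in one pass. The script below is an added example, not RSA's code; it assumes webagent.conf uses "key=value" lines with "#" comments, and the server names and domain in the sample are constructed.

```python
# Added example: audit cleartrust.agent.cookie_domain across agent configs.
# Assumption: webagent.conf uses "key=value" lines and "#" starts a comment.
PARAM = "cleartrust.agent.cookie_domain"

def read_cookie_domain(conf_text):
    """Return the uncommented value of PARAM, or None if it is not set.
    If the key repeats, the last occurrence is reported (assumption)."""
    value = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip() == PARAM:
            value = val.strip()
    return value

def audit(configs):
    """configs maps a server name to its webagent.conf text; returns findings."""
    findings = []
    domains = {name: read_cookie_domain(text) for name, text in configs.items()}
    for name, dom in sorted(domains.items()):
        if dom is None:
            findings.append(f"{name}: {PARAM} is not set")
        elif dom != dom.lower():
            findings.append(f"{name}: '{dom}' is not lower case")
    # Exact comparison: a case difference alone counts as a mismatch.
    distinct = {d for d in domains.values() if d is not None}
    if len(distinct) > 1:
        pairs = ", ".join(f"{n}={d}" for n, d in sorted(domains.items()) if d)
        findings.append(f"{PARAM} differs between servers: {pairs}")
    return findings

# Constructed sample input (hypothetical server names and domain).
SAMPLE = {
    "iwa-iis": "# IWA agent\ncleartrust.agent.cookie_domain=.Example.com\n",
    "web01": "cleartrust.agent.cookie_domain = .example.com\n",
    "web02": "#cleartrust.agent.cookie_domain=.example.com\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An empty result means every agent sets the same lower-case cookie domain, which rules out two of the causes listed above.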
Legacy Article ID: a32178
