|Applies To||RSA ClearTrust 5.5.2 Authorization Server (AServer)|
RSA ClearTrust Agent 4.5 for Microsoft IIS
Microsoft Windows Server 2003 Domain Controller (functional level raised to Windows 2003)
|Issue||Problems with NT authentication against a Microsoft Windows Server 2003 Domain Controller in RSA ClearTrust 5.5.2 Authorization Server|
When using NT authentication, if a user enters an invalid password, RSA ClearTrust Web Agent produces a CT_AUTH_UNKNOWN_ERROR for the NT_AUTH_PDC_ERROR returned by ClearTrust Authorization Server. As a result, the user is redirected to the page configured for "cleartrust.agent.login_server_error" instead of the page configured for "cleartrust.agent.login_error_pw_location_nt" for a bad password. The same problem occurs if the user account is locked out.
RSA ClearTrust Web Agent works fine if the user's NT credentials are correct.
RSA ClearTrust Authorization Server logs show the following:
sequence_number=1307,2004-08-20 12:38:41:892 EDT,messageID=4,user=someuserid,client_ip_address=10.10.10.9,client_port=2222,browser_ip_address=10.10.10.8,result_code=60,result_action=Authentication Failure,result_reason=NT PDC Error
RSA ClearTrust Authorization Server debug logs show the following:
RSA ClearTrust Authorization Server stderr shows the following:
RSA ClearTrust Web Agent debug logs show the following:
The problem does not occur if RSA ClearTrust Authorization Server is configured to point to an NT domain controller rather than a Windows 2003 domain controller with functional level raised to 'Windows 2003'.
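Because affected servers log bad passwords and lockouts as `NT PDC Error`, the Python below (an added example, not part of the original article or RSA's code) parses Authorization Server log lines in the format quoted above and flags per-user bursts of that reason for review. Only the first sample line comes from the article; the other lines, the function names, and the threshold and window values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# First line is the entry quoted in the article; the remaining lines are constructed.
SAMPLE_LOG = """\
sequence_number=1307,2004-08-20 12:38:41:892 EDT,messageID=4,user=someuserid,client_ip_address=10.10.10.9,client_port=2222,browser_ip_address=10.10.10.8,result_code=60,result_action=Authentication Failure,result_reason=NT PDC Error
sequence_number=1308,2004-08-20 12:39:05:120 EDT,messageID=4,user=someuserid,client_ip_address=10.10.10.9,client_port=2222,browser_ip_address=10.10.10.8,result_code=60,result_action=Authentication Failure,result_reason=NT PDC Error
sequence_number=1309,2004-08-20 12:39:30:007 EDT,messageID=4,user=someuserid,client_ip_address=10.10.10.9,client_port=2222,browser_ip_address=10.10.10.8,result_code=60,result_action=Authentication Failure,result_reason=NT PDC Error
sequence_number=1310,2004-08-20 12:40:00:000 EDT,messageID=4,user=otheruser,client_ip_address=10.10.10.9,client_port=2222,browser_ip_address=10.10.10.12,result_code=60,result_action=Authentication Failure,result_reason=NT PDC Error
sequence_number=1311,2004-08-20 13:05:00:000 EDT,messageID=4,user=someuserid,client_ip_address=10.10.10.9,client_port=2222,browser_ip_address=10.10.10.8,result_code=60,result_action=Authentication Failure,result_reason=NT PDC Error
"""

def parse_line(line):
    """Split one log line into a dict; the field without '=' is the timestamp."""
    rec = {}
    for field in line.strip().split(","):
        key, sep, value = field.partition("=")
        if sep:
            rec[key] = value
        else:
            # "2004-08-20 12:38:41:892 EDT": drop the zone name, milliseconds follow the last colon
            stamp = field.rsplit(" ", 1)[0]
            rec["timestamp"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S:%f")
    return rec

def masked_failures(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {(user, browser_ip): n} where n NT PDC Error failures fall inside one window."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line) if line.strip() else {}
        if rec.get("result_reason") == "NT PDC Error" and "timestamp" in rec:
            events[(rec.get("user"), rec.get("browser_ip_address"))].append(rec["timestamp"])
    flagged = {}
    for key, stamps in events.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged

if __name__ == "__main__":
    print(masked_failures(SAMPLE_LOG.splitlines()))
```

A flagged user still needs the domain controller's own security log to tell a bad password from a lockout, since the Authorization Server log records both as the same reason.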
|Cause||RSA ClearTrust Authorization Server returned NT_AUTH_PDC_ERROR instead of BAD_PASSWORD when a bad password was provided for NT credentials, because of a relatively older jcifs library included with the RSA ClearTrust Server binaries.|
This issue is resolved in hot fix 18.104.22.168 for RSA ClearTrust Servers. This fix contains an update to RSA ClearTrust code and includes an updated jcifs library. Contact RSA Security Customer Support to request this hot fix, or request the latest fix level (which is cumulative, and contains fixes from previous fix levels). Review the provided Readme file for installation instructions.
|Workaround||RSA ClearTrust Web Agent was configured to use NT authentication|
RSA ClearTrust Authorization Server was configured (using in aserver.conf) to point to a Windows 2003 Domain Controller with functional level raised to 'Windows 2003'
|Legacy Article ID||a22892|