000021425 - Problems with NT authentication against a Microsoft Windows Server 2003 Domain Controller in RSA ClearTrust 5.5.2 Authorization Server

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000021425
Applies To:
  • RSA ClearTrust 5.5.2 Authorization Server (AServer)
  • RSA ClearTrust Agent 4.5 for Microsoft IIS
  • Microsoft Windows Server 2003 Domain Controller (functional level raised to Windows 2003)
Issue: Problems with NT authentication against a Microsoft Windows Server 2003 Domain Controller in RSA ClearTrust 5.5.2 Authorization Server
When using NT authentication, if a user enters an invalid password, the RSA ClearTrust Web Agent produces a CT_AUTH_UNKNOWN_ERROR for the NT_AUTH_PDC_ERROR returned by the ClearTrust Authorization Server. As a result, the user is redirected to the page configured for "cleartrust.agent.login_server_error" instead of the page configured for "cleartrust.agent.login_error_pw_location_nt" (bad password). The same problem occurs if the user account is locked out.
The RSA ClearTrust Web Agent works correctly if the user's NT credentials are correct.
The RSA ClearTrust Authorization Server logs show the following:

sequence_number=1307,2004-08-20 12:38:41:892 EDT,messageID=4,user=someuserid,client_ip_address=10.10.10.9,client_port=2222,browser_ip_address=10.10.10.8,result_code=60,result_action=Authentication Failure,result_reason=NT PDC Error

The RSA ClearTrust Authorization Server debug logs show the following:

15:11:29:273 [*] [MUXWORKER-4] - NT Authentication failed using generic called name: jcifs.smb.SmbException: Unverifiable signature.
15:11:29:429 [*] [MUXWORKER-4] - NT Authentication failed using domain name: jcifs.smb.SmbException: Unverifiable signature.


The RSA ClearTrust Authorization Server stderr shows the following:

Aug 20 15:11:29.507 - exception reading from socket input: WINDOWS2003DC<20>/10.10.10.23 java.net.SocketException: socket closed
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(SocketInputStream.java:129)
at jcifs.netbios.SessionServicePacket.readPacketType(SessionServicePacket.java:68)
at jcifs.netbios.SocketInputStream.read(SocketInputStream.java:73)
at jcifs.netbios.SocketInputStream.read(SocketInputStream.java:39)
at java.io.FilterInputStream.read(FilterInputStream.java:66)
at java.io.PushbackInputStream.read(PushbackInputStream.java:120)
at jcifs.smb.SmbTransport.run(SmbTransport.java:341)
at java.lang.Thread.run(Thread.java:534)


The RSA ClearTrust Web Agent debug logs show the following:

Aug 23, 2004 2:15:14 PM EST - [540] - <Info> - Result map: RETURN_CODE\nNT_AUTH_PDC_ERROR
Aug 23, 2004 2:15:14 PM EST - [540] - <Debug> - Authentication return code: 100
Aug 23, 2004 2:15:14 PM EST - [540] - <Debug> - Status is: 100
Aug 23, 2004 2:15:14 PM EST - [540] - <Debug> - Previous user: (null), current user: someuserid
Aug 23, 2004 2:15:14 PM EST - [540] - <Debug> - Previous status is CT_SESSION_ACTIVE
Aug 23, 2004 2:15:14 PM EST - [540] - <Debug> - Attempt multiple authentication is false and status is not CT_SESSION_ACTIVE, breaking
Aug 23, 2004 2:15:14 PM EST - [540] - <Debug> - Status is not CT_CHECK_ACCESS_REQUIRED
Aug 23, 2004 2:15:14 PM EST - [540] - <Debug> - Resetting status to: 100
Aug 23, 2004 2:15:14 PM EST - [540] - <Debug> - Authenticated bit from table: 0
Aug 23, 2004 2:15:14 PM EST - [540] - <Debug> - URI: /ct_login.asp, User: someuserid
Aug 23, 2004 2:15:14 PM EST - [540] - <Debug> - Status is: 100
Aug 23, 2004 2:15:14 PM EST - [540] - <Critical> - Critical error: CT_AUTH_UNKNOWN_ERROR
Aug 23, 2004 2:15:14 PM EST - [540] - <Debug> - Status is: 10
Aug 23, 2004 2:15:14 PM EST - [540] - <Debug> - ... returning CT_INT_AUTH_HANDLER, CT_PREAUTH_HANDLER
Aug 23, 2004 2:15:14 PM EST - [540] - <Debug> - Status is: 10
Aug 23, 2004 2:15:14 PM EST - [540] - <Debug> - ... returning CT_INT_SESSION_HANDLER, CT_SESSION_HANDLER
Aug 23, 2004 2:15:14 PM EST - [540] - <Debug> - Status is: 10
Aug 23, 2004 2:15:14 PM EST - [540] - <Debug> - ... returning CT_INT_PATH_CHECK_HANDLER, CT_PATH_CHECK_HANDLER
Aug 23, 2004 2:15:14 PM EST - [540] - <Debug> - User: someuserid
Aug 23, 2004 2:15:14 PM EST - [540] - <Debug> - Full URI: /cleartrust/ct_access_denied_en.html
Aug 23, 2004 2:15:14 PM EST - [540] - <Debug> - ... returning: CT_AUTH_URL_ACCESS_ALLOWED, request handled: TRUE
Aug 23, 2004 2:15:14 PM EST - [540] - <Debug> - Handled request. HTTP Status: 0
Aug 23, 2004 2:15:14 PM EST - [540] - <Debug> - Redirecting to /cleartrust/ct_access_denied_en.html


The problem does not occur if the RSA ClearTrust Authorization Server is configured to point to an NT domain controller rather than a Windows 2003 domain controller whose functional level has been raised to 'Windows 2003'.
Cause: The RSA ClearTrust Authorization Server returned NT_AUTH_PDC_ERROR instead of BAD_PASSWORD when a bad password was supplied for NT credentials, because the jcifs library included with the RSA ClearTrust Server binaries was outdated.
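To triage this symptom from the logs, the following Python script is an added example (not RSA's code): it parses AServer audit lines in the format quoted above, counts authentication failures recorded as "NT PDC Error", and correlates them with the jcifs "Unverifiable signature" debug messages. The log lines embedded in it are constructed to match the formats shown in this article; the user names and addresses are made up.

```python
import re
from collections import Counter

# Constructed AServer audit lines (same key=value, comma-separated layout as the
# excerpt in this article). Users, ports and addresses are sample values.
ASERVER_LOG = """\
sequence_number=1307,2004-08-20 12:38:41:892 EDT,messageID=4,user=someuserid,client_ip_address=10.10.10.9,client_port=2222,browser_ip_address=10.10.10.8,result_code=60,result_action=Authentication Failure,result_reason=NT PDC Error
sequence_number=1308,2004-08-20 12:38:59:101 EDT,messageID=4,user=otheruser,client_ip_address=10.10.10.9,client_port=2223,browser_ip_address=10.10.10.8,result_code=60,result_action=Authentication Failure,result_reason=NT PDC Error
sequence_number=1309,2004-08-20 12:39:10:555 EDT,messageID=4,user=someuserid,client_ip_address=10.10.10.9,client_port=2224,browser_ip_address=10.10.10.8,result_code=0,result_action=Authentication Success,result_reason=
"""

# Constructed AServer debug lines in the format quoted in this article.
DEBUG_LOG = """\
12:38:41:700 [*] [MUXWORKER-4] - NT Authentication failed using generic called name: jcifs.smb.SmbException: Unverifiable signature.
12:38:41:850 [*] [MUXWORKER-4] - NT Authentication failed using domain name: jcifs.smb.SmbException: Unverifiable signature.
"""

SIGNATURE_RE = re.compile(
    r"NT Authentication failed using (generic called name|domain name): "
    r"jcifs\.smb\.SmbException: Unverifiable signature\.")


def parse_aserver_line(line):
    """Split one audit line into a dict. The timestamp field carries no key,
    so it is stored under 'timestamp'."""
    fields = {}
    for part in line.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
        else:
            fields["timestamp"] = part.strip()
    return fields


def pdc_error_users(aserver_log):
    """Count, per user, the failures that AServer attributed to 'NT PDC Error'."""
    counts = Counter()
    for line in aserver_log.splitlines():
        if not line.strip():
            continue
        f = parse_aserver_line(line)
        if (f.get("result_action") == "Authentication Failure"
                and f.get("result_reason") == "NT PDC Error"):
            counts[f.get("user", "?")] += 1
    return counts


def diagnose(aserver_log, debug_log):
    """Flag the symptom from this article: 'NT PDC Error' failures that coincide
    with jcifs 'Unverifiable signature' errors, which in this case are bad-password
    (or locked-out) attempts being misreported as a domain-controller error."""
    users = pdc_error_users(aserver_log)
    sig_lines = sum(1 for l in debug_log.splitlines() if SIGNATURE_RE.search(l))
    return {
        "pdc_error_failures": sum(users.values()),
        "affected_users": sorted(users),
        "unverifiable_signature_lines": sig_lines,
        "likely_jcifs_signing_issue": bool(users) and sig_lines > 0,
    }
```

Because these failures are really bad-password attempts, any lockout or brute-force monitoring that keys on result_reason=BAD_PASSWORD will undercount them until the hot fix is applied.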
Resolution:
This issue is resolved in hot fix 5.5.2.39 for RSA ClearTrust Servers. The fix contains an update to the RSA ClearTrust code and includes an updated jcifs library. Contact RSA Security Customer Support to request this hot fix, or request the latest fix level (which is cumulative and contains the fixes from previous fix levels). Review the provided Readme file for installation instructions.
Workaround:
  • The RSA ClearTrust Web Agent was configured to use NT authentication.
  • The RSA ClearTrust Authorization Server was configured (using  in aserver.conf) to point to a Windows 2003 Domain Controller with functional level raised to 'Windows 2003'.
Legacy Article ID: a22892
