|Applies To||RSA ClearTrust Agent 3.5 for Apache|
Microsoft Certificate Authority
|Issue||RSA ClearTrust unable to authenticate users with special characters in CN (Microsoft Certificates)|
Error: "Authentication Failure, Result Reason = Unknown User" appears in CT_Auth logs
|Cause||There is a known bug in RSA ClearTrust server code that does not escape the special characters properly as they are received from RSA ClearTrust Agent 3.5 for Apache|
|Resolution||This issue is resolved in hot fix 22.214.171.124 for RSA ClearTrust Servers. Contact RSA Security Customer Support to request this hot fix, or request the latest fix level (which is cumulative, and contains fixes from previous fix levels). Review the provided Readme file for installation instructions.|
NOTE: Based on the explanation in the notes below, the ClearTrust administrator must copy and paste the long decoded string into the user's DN filed, within the Admin GUI, for proper matching of the incoming and stored CN.
NOTE: This fix does not "clean up" the CN format itself, as Apache parses it; it simply performs better escaping of the special characters to do a proper "is equal to" operation of the incoming CN against the one stored in the Entitlements database. Each Web server has its own way of decoding incoming cert CN strings, and ClearTrust is subject to this. However, the Web server decodes it and then passes it to us. There are differing interpretations of the RFC among the various Web server versions. In the case of Apache, the decoded CN (of a Microsoft certificate) ends up looking pretty undiscernible. For example, if an OU in the cert was defined as Cert_Team, the resulting string after Apache decodes it will look like this:
and it's this string that we have to work with when populating the user(s) DN in the Admin GUI.
|Legacy Article ID||a23964|