000021623 - RSA ClearTrust unable to authenticate users with special characters in CN (Microsoft Certificates)

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000021623
Applies To: RSA ClearTrust Agent 3.5 for Apache
            Microsoft Certificate Authority
Issue: RSA ClearTrust unable to authenticate users with special characters in CN (Microsoft Certificates)
Error: "Authentication Failure, Result Reason = Unknown User" appears in CT_Auth logs
Cause: There is a known bug in the RSA ClearTrust server code: the server does not properly escape the special characters in the CN as they are received from RSA ClearTrust Agent 3.5 for Apache.
Resolution: This issue is resolved in hot fix 5.5.2.49 for RSA ClearTrust Servers. Contact RSA Security Customer Support to request this hot fix, or request the latest fix level (which is cumulative and contains the fixes from previous fix levels). Review the provided Readme file for installation instructions.

NOTE: Based on the explanation in the notes below, the ClearTrust administrator must copy and paste the long decoded string into the user's DN field within the Admin GUI so that the incoming CN and the stored CN match.

NOTE: This fix does not "clean up" the CN format itself as Apache parses it; it only escapes the special characters more carefully so that a proper "is equal to" comparison can be made between the incoming CN and the one stored in the Entitlements database. Each Web server has its own way of decoding incoming certificate CN strings, and ClearTrust depends on that decoding: the Web server decodes the CN and then passes the result to us. The various Web server versions interpret the RFC differently. In the case of Apache, the decoded CN of a Microsoft certificate ends up being very hard to read. For example, if an OU in the certificate was defined as Cert_Team, the string after Apache decodes it looks like this:

OU=\x00C\x00e\x00r\x00t\x00_\x00T\x00e\x00a\x00m

and it is this string that we have to work with when populating the user's DN in the Admin GUI.
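The following Python script is an added illustration of the string shown above; it is not RSA's or Apache's code. It assumes (a working hypothesis, not something the article states) that the "\x00" in front of every character is what you get when the certificate stores the OU as a BMPString (UTF-16BE) and the Web server renders each non-printable byte as \xNN. Under that assumption the script turns the decoded string back into readable text, produces the long string an administrator would paste into the DN field for a given OU or CN value, and shows why pasting the plain value "Cert_Team" does not match.

```python
import re

# Constructed sample: the decoded OU exactly as quoted in the article.
# A raw string is used so the backslashes are literal, as they are in the CT_Auth log.
APACHE_DECODED_OU = r"OU=\x00C\x00e\x00r\x00t\x00_\x00T\x00e\x00a\x00m"

# One \xNN escape as rendered by the Web server (assumed format).
ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def unescape_value(value: str) -> bytes:
    """Turn the \\xNN-escaped text handed to the agent back into the raw attribute bytes."""
    out = bytearray()
    pos = 0
    for m in ESCAPE_RE.finditer(value):
        out += value[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += value[pos:].encode("latin-1")
    return bytes(out)


def readable_rdn(escaped_rdn: str) -> str:
    """'OU=\\x00C\\x00e...' -> 'OU=Cert_Team'.

    If every other byte is 0x00 the value is treated as UTF-16BE (BMPString);
    otherwise it is taken as a plain single-byte string.
    """
    attr, sep, value = escaped_rdn.partition("=")
    if not sep:
        raise ValueError(f"not an attribute=value pair: {escaped_rdn!r}")
    raw = unescape_value(value)
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[0::2]):
        return f"{attr}={raw.decode('utf-16-be')}"
    return f"{attr}={raw.decode('latin-1')}"


def escaped_rdn_from_plain(attr: str, plain_value: str) -> str:
    """Build the long decoded string for a BMPString-encoded value.

    This is the text an administrator would paste into the user's DN field
    (assumed rendering: printable ASCII kept, every other byte shown as \\xNN).
    """
    raw = plain_value.encode("utf-16-be")
    rendered = "".join(
        chr(b) if 0x20 <= b < 0x7F and b != ord("\\") else f"\\x{b:02x}"
        for b in raw
    )
    return f"{attr}={rendered}"


def rdn_matches(incoming_escaped: str, stored_escaped: str) -> bool:
    """Strict 'is equal to' check on the unescaped bytes of both sides.

    Illustrates the comparison described in the article: the stored DN field
    must carry the same escaped string the Web server hands over, not the
    human-readable value.
    """
    return unescape_value(incoming_escaped) == unescape_value(stored_escaped)


if __name__ == "__main__":
    print("readable:", readable_rdn(APACHE_DECODED_OU))
    print("to paste:", escaped_rdn_from_plain("OU", "Cert_Team"))
    print("plain value matches? ", rdn_matches(APACHE_DECODED_OU, "OU=Cert_Team"))
    print("escaped value matches?", rdn_matches(APACHE_DECODED_OU, escaped_rdn_from_plain("OU", "Cert_Team")))
```

Running the script with the article's sample shows that readable_rdn recovers "OU=Cert_Team", that escaped_rdn_from_plain reproduces the quoted string byte for byte, and that only the escaped form compares equal to the incoming value, which is why the administrator has to paste the long decoded string rather than the value as it appears in the certificate viewer.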
Legacy Article ID: a23964
