000024265 - Protocol Transition fails with the error 'Failed to create a s4u token for user' in RSA Access Manager

Document created by RSA Customer Support Employee on Feb 23, 2017. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000024265
Applies To
RSA Product Set: RSA ClearTrust Agent 4.6 for Microsoft Internet Information Services (IIS)

Protocol Transition
Issue
Protocol Transition fails with the error "Failed to create a s4u token for user".
The user is not allowed Windows Domain SSO into a Windows web application (SharePoint, Exchange, etc.).
"Failed to create a s4u token for user" error in tokengen.log.
"LsaLogonUser failed : 1,315" error in ctagent.log.
 
Cause
Error code 1315 corresponds to the Microsoft error "ERROR_INVALID_ACCOUNT_NAME". This indicates that the username could not be used for authentication.
 
Resolution
Ensure that the value stored in LDAP for the Windows UPN for this user is correct. Check the ldap.conf setting cleartrust.data.ldap.user.attributemap.windowsupn and ensure it points to a valid string.
Notes

See the following page for a full list of s4u error codes:


http://msdn2.microsoft.com/en-us/library/ms681385.aspx


 

The ct_tokengen log shows the following error:


Oct 03, 2007 03:06:26 PM PDT - [1972] - <Critical> - Failed to create a s4u token for user: supportlab7.com\user1


The ctagent.log shows the following error:



Oct 03, 2007 03:06:26 PM PDT - [3840] - <Critical> - LsaLogonUser failed : 1,315
Oct 03, 2007 03:06:26 PM PDT - [3840] - <Critical> - Failed to generate S4U token for user:supportlab7.com\user1
Oct 03, 2007 03:06:26 PM PDT - [3840] - <Warning> - Failed to generate a token for user. return an invalid token
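
A small triage script for the ctagent.log pattern above, added here as an example and not part of the RSA agent or the original article: it pairs each LsaLogonUser failure with the user named on the following "Failed to generate S4U token" line and decodes the Win32 error code. It assumes the bracketed number identifies the worker that wrote the line, and the error table is a short subset of standard Win32 codes chosen for illustration.

```python
import re

# Short subset of standard Win32 logon-related error codes (illustrative).
# 1315 is the code this article covers.
WIN32_LOGON_ERRORS = {
    1311: "ERROR_NO_LOGON_SERVERS",
    1314: "ERROR_PRIVILEGE_NOT_HELD",
    1315: "ERROR_INVALID_ACCOUNT_NAME",
    1317: "ERROR_NO_SUCH_USER",
    1326: "ERROR_LOGON_FAILURE",
}

# Line layout seen in the article: "<timestamp> - [<id>] - <Level> - <message>"
LINE_RE = re.compile(r"^(?P<ts>.+?) - \[(?P<wid>\d+)\] - <(?P<level>\w+)> - (?P<msg>.*)$")
LSA_RE = re.compile(r"LsaLogonUser failed\s*:\s*(?P<code>[\d,]+)")
USER_RE = re.compile(r"Failed to generate S4U token for user:\s*(?P<user>\S+)")

def find_s4u_failures(lines):
    """Pair each LsaLogonUser failure with the user logged next under the same id."""
    pending = {}    # bracketed id (assumed worker id) -> record awaiting a user name
    failures = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        wid, msg = m["wid"], m["msg"]
        lsa = LSA_RE.search(msg)
        if lsa:
            code = int(lsa["code"].replace(",", ""))  # the log prints 1315 as "1,315"
            rec = {"time": m["ts"], "id": wid, "code": code,
                   "name": WIN32_LOGON_ERRORS.get(code, "UNKNOWN"), "user": None}
            pending[wid] = rec
            failures.append(rec)
            continue
        user = USER_RE.search(msg)
        if user and wid in pending:
            pending.pop(wid)["user"] = user["user"]
    return failures

# The three ctagent.log lines quoted in this article.
SAMPLE = r"""
Oct 03, 2007 03:06:26 PM PDT - [3840] - <Critical> - LsaLogonUser failed : 1,315
Oct 03, 2007 03:06:26 PM PDT - [3840] - <Critical> - Failed to generate S4U token for user:supportlab7.com\user1
Oct 03, 2007 03:06:26 PM PDT - [3840] - <Warning> - Failed to generate a token for user. return an invalid token
""".splitlines()

if __name__ == "__main__":
    for f in find_s4u_failures(SAMPLE):
        print(f["time"], f["id"], f["user"], f["code"], f["name"])
```

Each record that decodes to ERROR_INVALID_ACCOUNT_NAME names a user whose Windows UPN value in LDAP should be checked as described under Resolution.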

Legacy Article ID: a37162
