|Applies To||RSA Product Set: RSA Access Manger|
RSA Product/Service Type: RSA Access Manger 5.0 Agent for IIS 7.0/7.5/8.0/8.5
RSA Access Manger 4.9 Agent for IIS 7.0
RSA Access Manager Agent 4.8 for IIS 6.0
Access Manager Web Agent 4.7 for Apache
|Issue||HTTP error 403.0 - Forbidden when accessing IIS web server protected by Access Manager Agent|
The browser shows the following error message when attempting to access any content on the IIS web server:
HTTP Error 403.0 - Forbidden
You do not have permission to view this directory or page.
Error code 0x00000000
If you view the standard output using debugview or dbwin32 you will see an error similar to the following:
3300: 2012-01-13 09:03:01 -0800 -  - <Config> - Unable to complete initialization
This parameter must be enabled in order to achieve single sign-On within a domain.
3300: 2012-01-13 09:03:01 -0800 -  - <Config> - Invalid or missing value configured for the above property
No agent log file ctagent.log is created.
This error indicates the agent failed to start correctly and the web server has been placed in safe mode where no content is being served. This may occur when any fatal configuration error is encountered during the agent startup sequence. You must examine the agent standard output error messages to determine the cause of the failure. There is also the need for asp support to serve up the Access Manager agent pages.It is not enabled on a new IIS instalation.
|Resolution||On Microsoft Windows the Access Manager agent runs under the "World wide web publishing" service and the standard output messages are not displayed directly to the screen. In order to see the error messages you must use a third party tool. If you are using a 64 bit agent you must use a 64 bit tool to view the standard output. If you are using a 32 bit agent you may use either a 32 bit tool, or a 64 bit tool with 32 bit options set. |
The Access Manager agent is not started until a request is sent to IIS. You must request a web page before the agent will be instantiated.
This tool is shipped with the RSA Access Manger 32 bit 4.7 and 4.8 Agent for IIS 6.0 and the RSA Access Manger 4.7 Agent for Apache 2.0 on Windows. The tool is located in the "C:\Program Files\RSA\Access Manager Agent 4.8\IIS\util" directory. This tool can not be used over a remote console; if you attempt to use the tool over RDP the tool will start, but no output will be captured from the agent. If you are using RDP you should use another tool.
This tool is created by Microsoft and is freely available for download from the"Sysinternals " web site at the following URL:
This tool works over RDP and can be used to view standard output for both 32 bit and 64 bit applications. For 32 bit applications you must select "Capture win32" and "Capture Global win32" from the menu.
|Legacy Article ID||a57036|