000014737 - Access Manager Agent HTTP error 403.0 - Forbidden when accessing IIS web server

Document created by RSA Customer Support Employee on Aug 16, 2017
Article Number: 000014737
Applies To:
RSA Product Set: RSA Access Manager
RSA Product/Service Type: RSA Access Manager 5.0 Agent for IIS 7.0/7.5/8.0/8.5
RSA Access Manager 4.9 Agent for IIS 7.0
RSA Access Manager Agent 4.8 for IIS 6.0
Access Manager Web Agent 4.7 for Apache
Issue:
HTTP error 403.0 - Forbidden when accessing IIS web server protected by Access Manager Agent
The browser shows the following error message when attempting to access any content on the IIS web server:
HTTP Error 403.0 - Forbidden

You do not have permission to view this directory or page.

Error code 0x00000000

If you view the standard output using debugview or dbwin32, you will see an error similar to the following:
3300: 2012-01-13 09:03:01 -0800 - [2836] - <Config> - Unable to complete initialization
3300: 2012-01-13 09:03:01 -0800 - [2836] - <Config> - Detected invalid or missing configuration parameter(s):
3300: 2012-01-13 09:03:01 -0800 - [2836] - <Config> - 
3300: 2012-01-13 09:03:01 -0800 - [2836] - <Config> - Property:
3300: 2012-01-13 09:03:01 -0800 - [2836] - <Config> - cleartrust.agent.sso=
3300: 2012-01-13 09:03:01 -0800 - [2836] - <Config> - Description:
3300: 2012-01-13 09:03:01 -0800 - [2836] - <Config> - Specifies whether single sign-on (cookie) functionality is enabled between this web server and other RSA ClearTrust-protected servers.

Allowed Values:




  This parameter must be enabled in order to achieve single sign-On within a domain.

3300: 2012-01-13 09:03:01 -0800 - [2836] - <Config> - Invalid or missing value configured for the above property
3300: 2012-01-13 09:03:01 -0800 - [2836] - <Config> - Valid values are 'True' and 'False'.
3300: 2012-01-13 09:03:01 -0800 - [2836] - <Config> - Trusted domain list is empty.
3300: 2012-01-13 09:03:01 -0800 - [2836] - <Config> - Please fix the above problem(s) and restart the web server
3300: Configuration Error
3300: Configuration error, deny user access

No agent log file ctagent.log is created.

This error indicates that the agent failed to start correctly and the web server has been placed in safe mode, where no content is served. This may occur when any fatal configuration error is encountered during the agent startup sequence. You must examine the agent's standard output error messages to determine the cause of the failure. ASP support is also needed to serve the Access Manager agent pages. It is not enabled on a new IIS installation.

Resolution:
On Microsoft Windows the Access Manager agent runs under the "World Wide Web Publishing" service, and the standard output messages are not displayed directly on the screen. To see the error messages you must use a third-party tool. If you are using a 64-bit agent you must use a 64-bit tool to view the standard output. If you are using a 32-bit agent you may use either a 32-bit tool, or a 64-bit tool with the 32-bit options set.

The Access Manager agent is not started until a request is sent to IIS. You must request a web page before the agent is instantiated.


This tool is shipped with the RSA Access Manager 32-bit 4.7 and 4.8 Agent for IIS 6.0 and the RSA Access Manager 4.7 Agent for Apache 2.0 on Windows. The tool is located in the "C:\Program Files\RSA\Access Manager Agent 4.8\IIS\util" directory. This tool cannot be used over a remote console; if you attempt to use it over RDP the tool will start, but no output will be captured from the agent. If you are using RDP you should use another tool.


This tool is created by Microsoft and is freely available for download from the "Sysinternals" web site at the following URL:

This tool works over RDP and can be used to view standard output for both 32-bit and 64-bit applications. For 32-bit applications you must select "Capture win32" and "Capture Global win32" from the menu.
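Once the output has been captured and saved to a text file, the invalid properties can be pulled out of it automatically. The script below is an added example, not RSA code: it assumes the line layout shown in the Issue section above, and the names summarize, LINE_RE, PROP_RE and SAMPLE are hypothetical.

```python
import re

# Layout assumed from the output shown in the article:
#   <number>: <date> <time> <utc offset> - [<number>] - <Component> - <message>
# Both numbers are treated as opaque; any prefix a viewer adds is ignored.
LINE_RE = re.compile(
    r"\d+: (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})"
    r" - \[\d+\] - <(?P<component>[^>]+)> - ?(?P<msg>.*)$"
)
PROP_RE = re.compile(r"^(?P<name>[\w.]+)=(?P<value>.*)$")


def summarize(text):
    """Summarize agent startup output saved from a debug-output viewer."""
    report = {"init_failed": False, "access_denied": False, "properties": []}
    expect_property = False
    for raw in text.splitlines():
        line = raw.strip()
        if "deny user access" in line:
            report["access_denied"] = True
        m = LINE_RE.search(line)
        if not m:
            continue  # wrapped description text or short status lines
        msg = m.group("msg").strip()
        if msg == "Unable to complete initialization":
            report["init_failed"] = True
        elif msg == "Property:":
            expect_property = True  # the next message names the property
        elif expect_property:
            expect_property = False
            p = PROP_RE.match(msg)
            if p:
                report["properties"].append(
                    {"name": p["name"], "value": p["value"], "valid": None})
        elif msg.startswith("Valid values are") and report["properties"]:
            report["properties"][-1]["valid"] = re.findall(r"'([^']*)'", msg)
    return report


# Sample input: a subset of the lines shown in the article.
SAMPLE = """\
3300: 2012-01-13 09:03:01 -0800 - [2836] - <Config> - Unable to complete initialization
3300: 2012-01-13 09:03:01 -0800 - [2836] - <Config> - Property:
3300: 2012-01-13 09:03:01 -0800 - [2836] - <Config> - cleartrust.agent.sso=
3300: 2012-01-13 09:03:01 -0800 - [2836] - <Config> - Invalid or missing value configured for the above property
3300: 2012-01-13 09:03:01 -0800 - [2836] - <Config> - Valid values are 'True' and 'False'.
3300: Configuration error, deny user access
"""
```

An empty "properties" list with "init_failed" set means the fatal error is something other than a bad property value, so the remaining captured messages still need to be read by hand.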

