Intermittent failure of AA to post challenge questions.
3 years ago
Originally Published: 2013-03-18
Article Number
000045301
Applies To
RSA Access Manager 4.9 Agent for IIS 7.0
RSA Access Manager 6.1.3 (SP3)
Issue
Intermittent failure of AA to post challenge questions.
The ct_challenge.jsp page is intercepting the HTTP_AAQUESTIONCOUNT server variable but it has no value. This causes the challenge page to redirect the user to the logon page. 
Agent log file in debug mode shows an invalid challenge credential instead of a result "Challenge credential: QUESTION"

2013-03-09 09:10:56 -0600 - [2392740192] - <Debug> - Invalid challenge credential.

Agent displays the ct_logon.jsp page instead of the ct_challenge.jsp page
The http header is missing the request variable

The aserver debug output reports a value for SC_AA_RISK_SCORE=QUESTION, when risk score should be a string representation of an integer.
207 aserverb: 2013/03/09 09:10:56:863 [*] [MuxWorker-11 (sirrus.authserver.TCPServerAPIAdaptor.getTokenValues)] - TCPServerAPIAdaptor.getTokenValues( AAAAAgABAKDlYtCCmUU0l25rWo3OnJDQM6dZAzJ819Rnz9O2kCapBAH3Am69xRA7ZKtb8wIM4iTo5Wcw+1fkz2d4OOoc/QcgX74TO+t1zzRngaOHU0g9OJCNGyUtwWqN3g4F+4QLalJRN4JFRUSayItX7SkbNL5LVUqYQKNebCNoRdHuotCKtJILz5sBJvql2CL8Xzz8yOF4lLrsOiJvUFo7T/QwL5fe, {CLIENT_IP=172.16.100.57, CLIENT_PORT=58856, CLIENT_VERSION=11, tokens=true, groups=false, props=false} ) returning {SC_CUSTOM_DATA= , SC_IS_VALID=true, SC_AA_REQD_CREDENTIAL=, SC_USER_ID=user, SC_NT_PASSWORD=, SC_AA_PHONE_TOKEN=, SC_CLIENT_IP=192.168.0.1, SC_SECURID_PROVIDED_PIN=, SC_NT_DOMAIN=, SC_CREATION_TIME=1362841855000, SC_SECURID_STATUS=0, SC_END_USER_IP=172.16.100.1, SC_AA_SESSION_ID=-4b724558:13d4fafcb3a:-7ff1, SC_AA_STATE=AA_CHALLENGE, SC_TOUCH_TIME=1362841855000, SC_IMPERSONATED_ID=, SC_AUTH_STATE=, SC_BASIC=true, SC_AA_BIND_DEVICE=false, SC_AA_RISK_SCORE=QUESTION, SC_AA_TRANSACTION_ID=TRX_-4b724558:13d4fafcb3a:-7ff0}

Cause
This problem occurs intermittently and occurs more frequently with multiple aservers.  The RSA Access Manger servers themselves are stateless and to allow for load balancing across multiple servers state information about the user is maintained in a token that is encrypted in the CTSESSION cookie.   The token contains various AA status variables that are used to determine if the user needs to be challenged and how.   There are two independent program flows that handle retrieving token information depending on if the token is in cache already or not.  If the token is already in cache then the AA state information is taken from a copy of the token from cache and there is no issue.  In instances where the token is not in cache the token must be decrypted and the information in the token must be parsed.  An error in the way the AA variables are stored in the token prevents the question count from being retrieved correctly if the token is not in cache.
Resolution
This issue has been resolved in hotfix 6.1.3.31 for RSA Access Manager 6.1.3 (SP3) or in RSA Access Manager 6.1.4 (SP4).  Contact RSA Customer Support and request this hotfix or the latest cumulative hotfix for your platform.   This issue is not present in RSA Access Manager 6.1.4 (SP4).  
Also see a61890   "RSA Access Manger CERTIFICATE authentication does not work after idle timeout."
Workaround
Upgraded to SP3

Related Articles

Trending Articles

Don't see what you're looking for?