AnsweredAssumed Answered

Meaning of Passive Deny

Question asked by Randy Galbraith on Apr 8, 2020
Latest reply on Apr 14, 2020 by Randy Galbraith

Like • Show 0 Likes0
Comment • 3

Hi Everyone,

I would like to understand the cause of this authorization failure:

sequence_number=10,date=2020-04-08 xx:xx:xx:309 MST,messageID=1012,user=xxxxxxxx,webserver=xxxxxxxx,URI=/favicon.ico,client_ip_address=xx.xx.xx.x,client_port=xxxxx,browser_ip_address=xx.xx.xx.xx,result_code=11,result_action=Authorization Failure,result_reason=Passive Deny

I've tried setting up /favicon.ico as a resource I'm allowed to access but it did not seem to make a difference.

Kind regards. Please stay safe.

-Randy Galbraith

Ian Staines

Apr 13, 2020 6:24 PM

Correct Answer

Passive Deny just means access is denied. Specifically it means that access is denied because it is not specifically allowed.

See the following aserver.conf file setting.

cleartrust.aserver.authorization_mode=passive

See the reply in context

No one else had this question

Outcomes

Ian Staines

Apr 13, 2020 6:24 PM

Passive Deny just means access is denied. Specifically it means that access is denied because it is not specifically allowed.

See the following aserver.conf file setting.

cleartrust.aserver.authorization_mode=passive

Actions

Ian Staines

@ Ian Staines on Apr 14, 2020 11:47 AM

Oh, a warning, do not use /favicon.ico for testing. These default files have special behaviors. Always setup your own test resource.

Actions

Randy Galbraith @ Ian Staines on Apr 14, 2020 12:27 PM

Hi Ian,

Dropping by to say thank you for your answers to my recent questions. I will have more questions. However, I want to spend a day or two testing and doing log analysis so I can ask the best possible questions.

I had been using an internal resource (I'll call foobar) to test. However, I noticed a 302 (http found/url redirect) in reference to favicon.ico:

10.x.x.x - "" [14/Apr/2020:08:36:08 -0700] "GET /foobar HTTP/1.1" 302 230 ...
10.x.x.x - "" [14/Apr/2020:08:36:08 -0700] "GET /cleartrust/ct_logon_en.html HTTP/1.1" 200 2230 ...
. . .
10.x.x.x - "" [14/Apr/2020:08:36:08 -0700] "GET /favicon.ico HTTP/1.1" 302 230 ...

This happens despite entering a correct user name and password to satisfy ct_logon_en.html. So in response to this I dropped off a favorite icon file (/var/www/html/favicon.ico) and defined it in Access Manager as a URL resource (/favicon.ico). I am now backing away from that while doing rounds of start/stop servers and log analysis.

My understanding is getting better, alas, no breakthrough yet.

Kind regards & stay safe,

-Randy

Actions

3 Replies

Ian Staines Apr 13, 2020 6:24 PM
Unmark Correct
Correct Answer
Passive Deny just means access is denied. Specifically it means that access is denied because it is not specifically allowed.

See the following aserver.conf file setting.

cleartrust.aserver.authorization_mode=passive
Like • Show 1 Like1
Actions
- Ian Staines @ Ian Staines on Apr 14, 2020 11:47 AM
  Mark Correct
  Correct Answer
  Oh, a warning, do not use /favicon.ico for testing. These default files have special behaviors. Always setup your own test resource.
  Like • Show 1 Like1
  Actions
  - Randy Galbraith @ Ian Staines on Apr 14, 2020 12:27 PM
    Mark Correct
    Correct Answer
    Hi Ian,
    
    Dropping by to say thank you for your answers to my recent questions. I will have more questions. However, I want to spend a day or two testing and doing log analysis so I can ask the best possible questions.
    
    I had been using an internal resource (I'll call foobar) to test. However, I noticed a 302 (http found/url redirect) in reference to favicon.ico:
    
    10.x.x.x - "" [14/Apr/2020:08:36:08 -0700] "GET /foobar HTTP/1.1" 302 230 ...
    10.x.x.x - "" [14/Apr/2020:08:36:08 -0700] "GET /cleartrust/ct_logon_en.html HTTP/1.1" 200 2230 ...
    . . .
    10.x.x.x - "" [14/Apr/2020:08:36:08 -0700] "GET /favicon.ico HTTP/1.1" 302 230 ...
    
    This happens despite entering a correct user name and password to satisfy ct_logon_en.html. So in response to this I dropped off a favorite icon file (/var/www/html/favicon.ico) and defined it in Access Manager as a URL resource (/favicon.ico). I am now backing away from that while doing rounds of start/stop servers and log analysis.
    
    My understanding is getting better, alas, no breakthrough yet.
    
    Kind regards & stay safe,
    -Randy
    Like • Show 0 Likes0
    Actions

Meaning of Passive Deny

Outcomes

Related Content

Recommended Content