RSA Access Manager CERTIFICATE authentication does not work with Protocol Transition
3 years ago
Originally Published: 2013-07-03
Article Number
000042384
Applies To
RSA Product Set: Enterprise Data Protection
RSA Product/Service Type: Access Manager Agent
RSA Version/Condition: 4.9.3 
Platform: IIS 7
Issue
RSA Access Manger CERTIFICATE authentication does not work with Protocol Transition.

The following error is seen in the browser: 
401.3 Unauthorized

The error message in the agent log at debug level shows: 
2013-07-03 12:17:06 -0500 - [736] - <Security> - Session has idled out.
2013-07-03 12:17:06 -0500 - [2996] - <Debug> - Response: 401

 
Cause
When the RSA Access Manager agent is configured for Protocol Transition and the authentication type is CERTIFICATE, the agent throws a 401 error when accessing protected content for the first time. If the page is refreshed the Agent displays the page, but a 401 is displayed again when the idle timeout occurs.  This is because the certificate authentication occurs in the wrong place in the authentication order.   
Resolution
Change the setting for cleartrust.agent.iis.preproc_auth_enabled=TRUE.  This changes the authentication event from the IIS OnPostAuthenticateRequest event to the BEGIN_REQUEST notification event.  

Related Articles

Trending Articles

Don't see what you're looking for?