Access Manager CERTIFICATE authentication fails to re-authenticate after token decryption failed message
Originally Published: 2013-08-30
Article Number
Applies To
RSA Access Manager 5.0 Agents
Issue
When the user makes a request for a protected page after a prolonged period of idle time they are redirected to the ct_access_denied_en.html page.
The Agent log shows the following error a <Critical> level (or lower)
2013-08-27 10:04:07 -0700 - [1560] - <Critical> - Critical error: CT_AUTH_UNKNOWN_ERROR
The agent log shows the following additional error at <Debug> log level.
2013-08-27 10:04:07 -0700 - [1560] - <Info> - Result map: EXCEPTION_MESSAGE\nToken decryption failed
or
2013-08-21 15:38:01 -0700 - [1560] - <Info> - Result map: EXCEPTION_MESSAGE\nException during cookie processing. Found the token in bad token cache.
The aserver.out file with DDEBUG enabled shows the following event:
09:40:47:756 [*] [MuxWorker-18] - AuthorizationAPI.authenticate( {SC_CLIENT_IP=192.168.206.128, SC_GET_TOKEN_CONTENTS=true, SC_CERT=true, SC_SECURID_STATUS=127, SC_USER_DN=C=US,S=MA,L=Boston,O=RSA,OU=Support,CN=user1,E=user1@supportlab7.com, SC_END_USER_IP=192.168.206.128, AUTHENTICATION_TYPE=SC_USER_CHECK, SC_TOKEN=AAAAAgABAEAWsyXK+xno19AfdVGmqPdlxuk1AtugciRuMFrFMt5uCk5cMEJ2AQwgDhUF0JfCMgbsgqthUMKH2RTBYXztaQCX}, {CLIENT_IP=192.168.206.128, GUID=1377621647798, BROWSER_IP=192.168.206.128, CLIENT_PORT=49404, CLIENT_VERSION=11, SC_GET_TOKEN_CONTENTS=true, USER_GROUPS_ENABLED=false, TOKENS_ENABLED=true, USER_PROPERTIES_ENABLED=false} ) returning {EXCEPTION_MESSAGE=Token decryption failed}
The aserver.log (or lserver.log) shows the following log message.
sequence_number=11,2013-08-29 07:36:57:92 PDT,messageID=1031,client_ip_address=192.168.206.135,client_port=3872,result_code=0,result_action=User Token Failed,result_reason=Token error
This is not an error in itself, but the lack of a subsequent authentication event message such as this one indicates a failure to authenticate after the token error event.
sequence_number=13,2013-08-29 07:36:57:248 PDT,messageID=2010,user=user1,user_dn=C=US,S=MA,L=Boston,O=RSA,OU=Support,CN=user1,E=user1@supportlab7.com,client_ip_address=192.168.206.135,client_port=3872,browser_ip_address=192.168.206.128,result_code=0,result_action=Authentication Success,result_reason=Valid User
Cause
Resolution
This issue has been resolved in hotfix 5.0.0.4 for the RSA Access Manger 5.0 Agent for IIS 7.x on Windows. Contact RSA Customer Support and request this hotifx or the latest hotfix for your version and platform.
This issue has been resolved in hotfix 4.9.1.21 for the RSA Access Manger 4.9.1 Agent for IIS 7.x on Windows. Contact RSA Customer Support and request this hotfix or the latest hotfix for your version and platform.
Notes
Related Articles
Unable to re-edit a RSA Identity Governance & Lifecycle condition containing IN for a rules definition Number of Views AM8.1-Web tier Bootstrap service will not start after re-install Number of Views Disaster recovery - Re-imaging a RC Number of Views How to re-use unassigned tokens via the 'Replace Tokens...' function on Authentication Manager 6.x Number of Views RSA Identity Governance & Lifecycle server attempts to apply the patch each time with the message "Patch will be (re-)appl… Number of Views
Trending Articles
Passwordless Authentication in Windows MFA Agent for Active Directory – Quick Setup Guide RSA Authentication Manager Upgrade Process RSA Authentication Manager 8.9 Release Notes (January 2026) An example of SSO using SAML and ADFS with RSA Identity Management and Governance 6.9.x RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide
Don't see what you're looking for?
