What does this log error mean? ::API::setInterrogationResult:: User is not authorized to access CT

03/26/2020 3 People found this article helpful 190,231 Views

Download

Print

Share

• LinkedIn
• Twitter
• Facebook
• Email
• Copy URL The link has been copied to clipboard

Description

In the AMC log, the admin user may see errors like this:
::API::setInterrogationResult:: User is not authorized to access CT

Screen shot of the error: 

This will coincide with a user not being able to log into the SMA with a tunnel client. This log error is the indication the user was denied access to the Connect Tunnel built in resource that controls user access with tunnel clients and the ability of a web user to download the Connect Tunnel client from Workplace.  

To examine this issue the following process can be followed at a minimum: 

1.  Is there an Access Control rule that the user should match that allows access to the Connect Tunnel resource?  If not add one. 

2.  Is the user logging into the correct realm and matching membership in the correct Community in the realm?    Does the user match the correct Active Directory groups?  

3.  Is tunnel access blocked by the End Point Control Zone the user matches?  

Cause

Some reasons this issue might occur:

1. There may be no Access control rule allowing access to the Connect Tunnel resource. 

2. The user may not match a REALM, COMMUNITY, or GROUP necessary to match the Access Control rule. This can be related to group membership in the Authentication Server. It can be related to the sequence that Community membership is validated. The Community membership evaluation is done in order top to bottom or left to right depending on the display.  See two screen shots below.  

3. The End Point Control Zone the user matches may be configured to block Connect Tunnel access. 

Graphical Community display, evaluated left to right: 

Community listing, evaluated top to bottom: 

Resolution

Investigate the reason the user does not match an Access Control rule to the Connect Tunnel resource: 

1. When the user tries to login examine that user session in Monitor > User Sessions click on the user name to expand their session data.

Look for the failure to access Connect Tunnel , highlighted in this screen shot:  

2. Note the Realm, Community, and EPC zone the user matched, highlighted in this clip from the above screen shot:

3. Examine the Access Control rules that apply to the user, Realm, and Community to confirm there is a rule allowing access. 

4. Examine the EPC Zone for Connect Tunnel use prevented. The choice to disable tunnel access is highlighted in the screen shot below: 

The resolution of this issue is to ensure the user matches an Access Control rule for the Connect Tunnel built-in resource.  

Related Articles

• Appliance reboot changes the configuration.
• How to secure Virtual Office portal from all external access
• Lost Admin Password Recovery for SMA500v

Categories

• Secure Mobile Access > SMA 1000 Series
• Secure Mobile Access > SMA 1000 Series > Connect Tunnel Client
• Secure Mobile Access > SMA 1000 Series > Configuration
• Secure Mobile Access > Mobile Connect
• Secure Mobile Access > SMA 1000 Series > User Access