What does this log error mean? ::API::setInterrogationResult:: User is not authorized to access CT
03/26/2020
In the AMC log, the admin user may see errors like this:
::API::setInterrogationResult:: User is not authorized to access CT
Screen shot of the error:
This coincides with a user being unable to log into the SMA with a tunnel client. The log error indicates that the user was denied access to the Connect Tunnel built-in resource, which controls user access with tunnel clients and the ability of a web user to download the Connect Tunnel client from Workplace.
To examine this issue, follow at least this process:
1. Is there an Access Control rule that the user should match that allows access to the Connect Tunnel resource? If not, add one.
2. Is the user logging into the correct realm and matching membership in the correct Community in the realm? Does the user match the correct Active Directory groups?
3. Is tunnel access blocked by the End Point Control Zone the user matches?
Some reasons this issue might occur:
1. There may be no Access Control rule allowing access to the Connect Tunnel resource.
2. The user may not match a REALM, COMMUNITY, or GROUP necessary to match the Access Control rule. This can be related to group membership in the Authentication Server. It can also be related to the sequence in which Community membership is validated. Community membership is evaluated in order, top to bottom or left to right depending on the display. See the two screen shots below.
3. The End Point Control Zone the user matches may be configured to block Connect Tunnel access.
Graphical Community display, evaluated left to right:
Community listing, evaluated top to bottom:
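The three causes above can be walked through with a small model. This is an added example, not SonicWall code and not part of the original article. It assumes the first Community in the evaluation order whose groups match the user wins, and it attaches the EPC zone setting and the allow rule to the Community for simplicity; all names and sample data are constructed.

```python
# Simplified model (assumption), not SMA code: communities are checked in
# order and the first one whose groups overlap the user's groups wins.
from dataclasses import dataclass


@dataclass
class Community:
    name: str
    groups: set                       # directory groups that grant membership
    zone_blocks_tunnel: bool = False  # EPC zone disables Connect Tunnel


def diagnose(user_groups, communities, allow_rules):
    """Return (matched_community, reason) for a Connect Tunnel login.

    communities: list in evaluation order (top to bottom / left to right).
    allow_rules: names of communities covered by an Access Control rule
                 that permits the Connect Tunnel resource.
    """
    wanted = set(user_groups)
    matched = next((c for c in communities if c.groups & wanted), None)
    if matched is None:
        return None, "no community matched: check realm and group membership"
    if matched.name not in allow_rules:
        return matched.name, "no Access Control rule allows Connect Tunnel"
    if matched.zone_blocks_tunnel:
        return matched.name, "EPC zone blocks Connect Tunnel"
    return matched.name, "allowed"


# Constructed sample configuration: a broad community is listed first.
COMMUNITIES = [
    Community("Contractors", {"Domain Users"}),
    Community("Staff-VPN", {"VPN-Users"}),
    Community("Kiosk", {"Kiosk-Users"}, zone_blocks_tunnel=True),
]
ALLOW_RULES = {"Staff-VPN", "Kiosk"}

if __name__ == "__main__":
    samples = (["Domain Users", "VPN-Users"], ["VPN-Users"],
               ["Kiosk-Users"], ["Guests"])
    for groups in samples:
        print(groups, "->", diagnose(groups, COMMUNITIES, ALLOW_RULES))
```

The first sample user belongs to VPN-Users but is still denied, because the broader Contractors community is evaluated first and has no rule for the Connect Tunnel resource.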
Investigate the reason the user does not match an Access Control rule to the Connect Tunnel resource:
1. When the user tries to log in, examine that user's session in Monitor > User Sessions. Click on the user name to expand the session data.
Look for the failure to access Connect Tunnel, highlighted in this screen shot:
2. Note the Realm, Community, and EPC zone the user matched, highlighted in this clip from the above screen shot:
3. Examine the Access Control rules that apply to the user, Realm, and Community to confirm there is a rule allowing access.
4. Examine the EPC Zone to see whether Connect Tunnel use is prevented. The choice to disable tunnel access is highlighted in the screen shot below:
The resolution of this issue is to ensure the user matches an Access Control rule for the Connect Tunnel built-in resource.