A new Web Agent instance has been installed and configured.
The agent appears to initialize properly, but when a user tries to log in to a protected page, the user is returned to the login page without any error or other message.
The Web Agent was blocking the login attempt because of a mismatch between the domain of the Target application and the domains listed in the ValidTargetDomain parameter.
This was reflected in the Web Agent trace log.
The Web Agent had not loaded the multi-value ValidTargetDomain parameter correctly.
The Web Agent error log showed one instance of the parameter with a comma-separated list of values, despite the parameter having been defined correctly using Multi-Value entry in the ACO on the Policy Server. To solve this, the ValidTargetDomain ACO parameter was disabled (by adding a # in front of the parameter name), the Web Agent restarted, successful authentication verified, then the ACO parameter was re-enabled and the Web Agent restarted once more. This resulted in the parameter being printed correctly in the Web Agent error log with a once instance of the parameter for each value printed on a separate line.
Users could now successfully authenticate.