What is the meaning of the WebAgent error message 20-0004?
Article ID: 53446
Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

Users get an HTTP 500 [20-0004] error at the login page.

What does this error mean?
Cause

This is a generic error raised when the agent is unable to determine whether the requested resource is protected. There are several reasons why that determination can fail.


1. Agent Key issue

This is normally seen in the trace log of the login server's agent.

It generally occurs where the target agent protecting the resource and the login agent are separate agents.

When you request a protected resource (for example, http://www.example.com/protected/index.html), the target agent protecting that resource redirects you to the login server with sensitive information (such as the agent name) encrypted and appended to the querystring (for example, http://login.example.com/siteminderagent/forms/login.fcc?AGENTNAME=<encryptedstring>&TARGET=http://www.example.com/protected/index.html).

The login server needs to verify that the TARGET is protected by the AGENTNAME found in the querystring.

So it tries to decrypt the AGENTNAME value and sends the resulting AGENTNAME value together with the RESOURCE (/protected/index.html) to the Policy Server in an IsProtected call.

(*** Also note that a user can only be authenticated against a protected realm. ***)

If the AGENTNAME value is decrypted successfully, the login agent sends the clear-text AGENTNAME and the RESOURCE to the Policy Server.

The login agent does not check whether decryption of the AGENTNAME actually succeeded, because the target agent may have sent a clear-text AGENTNAME (ACO parameter "EncryptAgentName=No"); whatever the decryption step produces is sent to the Policy Server.

However, in the unusual situation where the TARGET agent and the LOGIN agent do not share the same set of agent keys, the login server fails to decrypt the encrypted agent name.

The login agent then sends the non-decrypted agent name, and the Policy Server cannot find a matching agent name with which to determine whether the resource is protected.

So whenever the login server is unable, for any reason, to determine whether the requested target is protected, it logs the [20-0004] error.

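The flow above, reduced to a small runnable model (an added example, not CA/Broadcom code): the target agent builds the login redirect with an "encrypted" AGENTNAME, the login agent decrypts it with its own key without checking the result, derives RESOURCE from TARGET and asks the policy store IsProtected. The cipher here is a toy keyed XOR stream chosen only so that a key mismatch visibly corrupts the agent name; SiteMinder's real agent-key cryptography, message format and the EncryptAgentName=No handling are not modelled, and the policy store and key values are constructed.

```python
"""Toy model of the SiteMinder login-redirect flow (added example, not product code).
The 'encryption' is a keyed XOR stream, NOT SiteMinder's real agent-key cipher; it
exists only so that a key mismatch produces a different (unknown) AGENTNAME."""
import base64
import hashlib
from urllib.parse import parse_qs, urlencode, urlsplit

LOGIN_FCC = "http://login.example.com/siteminderagent/forms/login.fcc"

# Constructed policy store: agent name -> resource prefixes (realms) it protects.
POLICY_STORE = {
    "webagent-www": ["/protected/"],
}


def _keystream(key: bytes, n: int) -> bytes:
    """Deterministic byte stream derived from an agent key (toy construction)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def toy_encrypt(plaintext: str, key: bytes) -> str:
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    return base64.urlsafe_b64encode(ct).decode()


def toy_decrypt(token: str, key: bytes) -> str:
    # Like the login agent described in the article, this never checks whether
    # decryption 'worked': with the wrong key it simply yields a different string.
    ct = base64.urlsafe_b64decode(token)
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))
    return pt.decode("utf-8", errors="replace")


def build_login_redirect(target_url: str, agent_name: str, target_agent_key: bytes) -> str:
    """Target agent side: redirect an unauthenticated request to the login server."""
    qs = urlencode({"AGENTNAME": toy_encrypt(agent_name, target_agent_key),
                    "TARGET": target_url})
    return f"{LOGIN_FCC}?{qs}"


def policy_server_is_protected(agent_name: str, resource: str):
    """Policy Server side: True/False, or None when the agent name is unknown."""
    realms = POLICY_STORE.get(agent_name)
    if realms is None:
        return None  # cannot determine: no such agent in the policy store
    return any(resource.startswith(r) for r in realms)


def login_agent_handle(redirect_url: str, login_agent_key: bytes) -> dict:
    """Login agent side: recover AGENTNAME, derive RESOURCE from TARGET, call IsProtected."""
    params = parse_qs(urlsplit(redirect_url).query)
    agent_name = toy_decrypt(params["AGENTNAME"][0], login_agent_key)
    resource = urlsplit(params["TARGET"][0]).path
    verdict = policy_server_is_protected(agent_name, resource)
    if verdict is None:
        status = "HTTP 500 [20-0004]"  # unable to determine if the resource is protected
    elif verdict:
        status = "protected: present login form"
    else:
        status = "unprotected: no authentication required"
    return {"agentname_sent": agent_name, "resource": resource, "status": status}


if __name__ == "__main__":
    target = "http://www.example.com/protected/index.html"
    url = build_login_redirect(target, "webagent-www", b"shared-key-set-1")
    print(login_agent_handle(url, b"shared-key-set-1"))  # same keys: protected
    print(login_agent_handle(url, b"stale-key-set-2"))   # key mismatch: 20-0004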

Typically you will find the encrypted agent name in smtracedefault.log, with the Policy Server reporting that the agent name could not be found.

If TransactionID is logged in both smtracedefault.log and webagenttrace.log, you can follow that TransactionID on the login server, find the TARGET in the querystring, and so determine which agent (the TARGET agent or the LOGIN agent) is causing the error.

 

2. Missing Headers

It is also possible that something goes wrong on the Web Server side or in a front-end proxy, so that required headers are missing from the request.

For example, if the HTTP_HOST header is missing, the agent cannot process the request and throws this error.

Resolution

1. Agent Key issue

If TransactionID is logged in both smtracedefault.log and webagenttrace.log, you can follow that TransactionID on the login server, find the TARGET in the querystring, and so determine which agent (the TARGET agent or the LOGIN agent) is causing the error.
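The TransactionID correlation described here and in the Cause section above, as an added example that is not part of the original article: it walks a login-server webagenttrace.log, picks out every transaction that ended in 20-0004, and joins it with the Policy Server's smtracedefault.log entry for the same TransactionID, so that the TARGET (which tells you which target agent's key set to compare with the login agent's) and the agent name the Policy Server rejected end up side by side. The log lines are constructed, and the bracketed [Key=Value] column layout is an assumption; the real layout depends on the trace configuration in use, so adjust the regular expressions to your format.

```python
"""Correlate 20-0004 on the login server with the Policy Server's IsProtected
failure by TransactionID (added example; log lines and layout are constructed)."""
import re

# Constructed sample of webagenttrace.log from the LOGIN server agent.
# 'Zy7tQm9xL2pH' stands in for an encrypted AGENTNAME that was never decrypted.
WEBAGENT_TRACE = """\
[10/03/2023][10:15:01][TransactionID=3f9a1c][Function=ProcessRequest][Message=Redirect target is http://www.example.com/protected/index.html]
[10/03/2023][10:15:01][TransactionID=3f9a1c][Function=IsProtected][Message=Calling IsProtected for agent 'Zy7tQm9xL2pH' resource '/protected/index.html']
[10/03/2023][10:15:01][TransactionID=3f9a1c][Function=ProcessRequest][Message=Unable to determine if resource is protected, returning HTTP 500 [20-0004]]
[10/03/2023][10:16:40][TransactionID=8b2e77][Function=IsProtected][Message=Calling IsProtected for agent 'webagent-www' resource '/protected/index.html']
[10/03/2023][10:16:40][TransactionID=8b2e77][Function=ProcessRequest][Message=Resource is protected, presenting login form]
"""

# Constructed sample of smtracedefault.log from the Policy Server.
POLICY_TRACE = """\
[10/03/2023][10:15:01][TransactionID=3f9a1c][Message=IsProtected: agent 'Zy7tQm9xL2pH' not found in policy store]
[10/03/2023][10:16:40][TransactionID=8b2e77][Message=IsProtected: agent 'webagent-www' realm 'Protected Realm' found]
"""

TXN_RE = re.compile(r"\[TransactionID=([^\]]+)\]")
MSG_RE = re.compile(r"\[Message=(.*)\]$")      # Message is the last column
TARGET_RE = re.compile(r"https?://\S+")
AGENT_RE = re.compile(r"agent '([^']+)'")


def parse_trace(text):
    """Yield (transaction_id, message) for each line carrying both fields."""
    for line in text.splitlines():
        txn, msg = TXN_RE.search(line), MSG_RE.search(line)
        if txn and msg:
            yield txn.group(1), msg.group(1)


def correlate_20_0004(webagent_text, policy_text):
    """Return one finding per TransactionID that ended in 20-0004 on the login
    server: the TARGET it received, the agent name it passed to IsProtected,
    and the Policy Server's messages for that transaction."""
    policy_by_txn = {}
    for txn, msg in parse_trace(policy_text):
        policy_by_txn.setdefault(txn, []).append(msg)

    per_txn = {}
    for txn, msg in parse_trace(webagent_text):
        rec = per_txn.setdefault(txn, {"target": None, "agent_name": None, "failed": False})
        target = TARGET_RE.search(msg)
        if target:
            rec["target"] = target.group(0)
        agent = AGENT_RE.search(msg)
        if agent:
            rec["agent_name"] = agent.group(1)
        if "20-0004" in msg:
            rec["failed"] = True

    findings = []
    for txn, rec in per_txn.items():
        if rec["failed"]:
            findings.append({
                "transaction_id": txn,
                "target": rec["target"],
                "agent_name_sent": rec["agent_name"],
                "policy_server": policy_by_txn.get(txn, []),
            })
    return findings


if __name__ == "__main__":
    for finding in correlate_20_0004(WEBAGENT_TRACE, POLICY_TRACE):
        print(finding)
```

A finding whose agent_name_sent is not a name that exists in the policy store, while the TARGET host is served by an agent that does exist, points at the target agent and the login agent holding different agent-key sets; a finding whose agent name is a real, known name points elsewhere (for example at the missing-header cause below).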

 

1. If the keystore contains more than one set of agent keys (a set is 4 keys), clean up the keystore so that only one set of keys remains.

2. Review the AgentWaitTime value in the ACO and check whether it is sufficient. Agent initialization is an expensive operation, and if it takes a long time there is a chance the agent finishes initialization before the agent keys have been fetched.

The agent will still report that it received 4 keys, but their values may be 'null' because they were never fetched from the keystore. Try doubling the AgentWaitTime value; there is no harm in a higher value, as it does not make agent initialization take longer than needed.

 

The two causes above are the most common known causes of the 20-0004 error.

 

2. Missing Headers

A restart of the web server may resolve the issue if it is caused by the web server not passing headers to its plugins (such as the Web Agent).
Otherwise, check whether the proxy or load balancer is forwarding the headers correctly.