Users are getting HTTP 500 [20-0004] at the login page.
What does this error mean?
This error is normally found in the login server's web agent trace log file.
It generally happens when the target agent protecting the resource and the login agent are separate agents.
When you request a protected resource (for example, http://www.server.com/protected/index.html), the target agent protecting this resource redirects to the login server with sensitive information (such as the agent name) encrypted and added to the query string (for example, http://login.server.com/siteminderagent/forms/login.fcc?AGENTNAME=abcdxyz1234encryptedstring&TARGET=http://www.server.com/protected/index.html).
The login server needs to verify that the TARGET is protected by the AGENTNAME found in the query string.
So it tries to decrypt the AGENTNAME value and then sends that AGENTNAME (abcdxyz1234encryptedstring) and the RESOURCE (/protected/index.html) to the Policy Server in an IsProtected call.
(*** Also note that the user can only be authenticated against a protected realm ***)
If the AGENTNAME value was successfully decrypted, the login agent sends the clear-text AGENTNAME and the RESOURCE to the Policy Server.
The login agent does not check whether it successfully decrypted the AGENTNAME, because the target agent might have sent a clear-text AGENTNAME (ACO parameter "EncryptAgentName=No"); whatever value results is sent to the Policy Server as-is.
But under the unusual condition where the TARGET agent and the LOGIN agent do not have the matching set of agent keys, the login server fails to decrypt the encrypted agent name.
This results in the login agent sending the still-encrypted agent name, and the Policy Server is then unable to find a matching agent name to determine whether the resource is protected.
So, if for any reason the login server is unable to determine whether the requested target is protected, it logs the error [20-0004].
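The following is an added example that simulates the flow described above; it is not code from the product or from this article. The toy cipher (HMAC-SHA256 keystream plus an 8-byte HMAC tag) is an assumed stand-in for the agent-key encryption and does not reflect the real wire format, and the realm table, agent names and keys are constructed. It shows why the login agent forwards the raw value when decryption fails (a clear-text name must still work), and how a key mismatch turns that into an unknown agent name and the [20-0004] condition.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed realm table for the simulated Policy Server: agent name -> protected path prefixes.
REALMS = {"webagent-prod": ("/protected/",)}


def _keystream(key: bytes, n: int) -> bytes:
    """Toy keystream: HMAC-SHA256 over a counter (assumption, not the product's scheme)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt_agent_name(name: str, key: bytes) -> str:
    """Target agent side: encrypt the agent name and append an integrity tag (toy scheme)."""
    pt = name.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, len(pt))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()[:8]
    return base64.urlsafe_b64encode(ct + tag).decode().rstrip("=")


def decrypt_agent_name(blob: str, key: bytes):
    """Login agent side: return the clear-text name, or None if the value does not decrypt with this key."""
    try:
        raw = base64.urlsafe_b64decode(blob + "=" * (-len(blob) % 4))
    except ValueError:  # not base64 at all, e.g. a clear-text agent name
        return None
    if len(raw) < 9:
        return None
    ct, tag = raw[:-8], raw[-8:]
    expected = hmac.new(key, ct, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        return None  # wrong (stale or unsynchronised) agent key
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct)))).decode(errors="replace")


def is_protected(agent_name: str, resource: str):
    """Simulated IsProtected: True/False for a known agent, None when the agent name is unknown."""
    prefixes = REALMS.get(agent_name)
    if prefixes is None:
        return None
    return any(resource.startswith(p) for p in prefixes)


def build_login_url(agent_value: str, target: str) -> str:
    """Redirect URL as the target agent would build it (AGENTNAME encrypted or clear text)."""
    return f"http://login.server.com/siteminderagent/forms/login.fcc?AGENTNAME={agent_value}&TARGET={target}"


def login_agent_check(login_url: str, login_key: bytes) -> dict:
    """What the login agent does with the redirect: decrypt if possible, then ask the Policy Server."""
    qs = parse_qs(urlparse(login_url).query)
    raw_agent = qs["AGENTNAME"][0]
    target = qs["TARGET"][0]
    resource = urlparse(target).path
    name = decrypt_agent_name(raw_agent, login_key)
    # As described in the article: the login agent does not treat a failed decrypt as an error,
    # because the target agent may legitimately send clear text (EncryptAgentName=No).
    sent = name if name is not None else raw_agent
    verdict = is_protected(sent, resource)
    return {
        "agent_name_sent": sent,
        "resource": resource,
        "protected": verdict,
        "error": None if verdict is not None else "[20-0004]",
    }


if __name__ == "__main__":
    shared_key = b"constructed-agent-key-v1"
    blob = encrypt_agent_name("webagent-prod", shared_key)
    url = build_login_url(blob, "http://www.server.com/protected/index.html")
    print("matching keys:", login_agent_check(url, shared_key))
    print("stale key on login agent:", login_agent_check(url, b"constructed-stale-key"))
```

Running the block prints a successful verdict for matching keys and, for the stale key, shows the encrypted value itself being sent as the agent name with the [20-0004] error, which is exactly the pattern to look for in the trace logs.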
In general, you will find the encrypted agent name in the smtracedefault.log, with the Policy Server reporting that the agent name could not be found.
If you log the TransactionID in both smtracedefault.log and webagenttrace.log, you can track that TransactionID on the login server and read the TARGET from the query string, which tells you which agent (the TARGET agent or the LOGIN agent) could be causing this error.
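An added example of the correlation step just described; it is not part of the original article and does not use the product's actual trace formats. The bracketed "key=value" line layout and every log line below are constructed for illustration (real trace output depends on the trace configuration file), and the list of expected agent names is an assumed input. The script joins Policy Server "not found" entries to the login agent's trace lines by TransactionID, pulls the TARGET out of the recorded query string, and reports which host's target agent sent the value and whether that value looks like an agent name that never got decrypted.

```python
import re
from urllib.parse import parse_qs, urlparse

FIELD_RE = re.compile(r"\[([^\]]*)\]")

# Constructed login-agent trace lines (simplified layout, not the real webagenttrace.log format).
WEBAGENT_TRACE = [
    "[10:15:02][LoginAgent][TransactionID=tx-0001][Resource=/siteminderagent/forms/login.fcc]"
    "[Query=AGENTNAME=abcdxyz1234encryptedstring&TARGET=http://www.server.com/protected/index.html]",
    "[10:15:09][LoginAgent][TransactionID=tx-0002][Resource=/siteminderagent/forms/login.fcc]"
    "[Query=AGENTNAME=webagent-legacy&TARGET=http://legacy.server.com/protected/app.html]",
    "[10:15:20][LoginAgent][TransactionID=tx-0003][Resource=/siteminderagent/forms/login.fcc]"
    "[Query=AGENTNAME=webagent-prod&TARGET=http://www.server.com/protected/ok.html]",
]

# Constructed Policy Server trace lines (simplified layout, not the real smtracedefault.log format).
SMPS_TRACE = [
    "[10:15:02][IsProtected][TransactionID=tx-0001][AgentName=abcdxyz1234encryptedstring]"
    "[Resource=/protected/index.html][Message=Agent not found]",
    "[10:15:09][IsProtected][TransactionID=tx-0002][AgentName=webagent-legacy]"
    "[Resource=/protected/app.html][Message=Agent not found]",
    "[10:15:20][IsProtected][TransactionID=tx-0003][AgentName=webagent-prod]"
    "[Resource=/protected/ok.html][Message=Resource is protected]",
]

# Assumed: the clear-text agent names configured in the target agents' ACOs.
EXPECTED_AGENT_NAMES = {"webagent-prod", "webagent-legacy"}


def parse_trace_line(line: str) -> dict:
    """Split a bracketed trace line into a dict; bracket fields without '=' are kept by position."""
    fields = {}
    for i, raw in enumerate(FIELD_RE.findall(line)):
        key, sep, value = raw.partition("=")  # first '=' only, so Query keeps its own '=' signs
        fields[key if sep else f"_{i}"] = value if sep else raw
    return fields


def correlate(webagent_lines, smps_lines, expected_agents) -> list:
    """Join Policy Server 'agent not found' entries to login-agent lines by TransactionID."""
    by_tx = {}
    for line in webagent_lines:
        f = parse_trace_line(line)
        if "TransactionID" in f:
            by_tx[f["TransactionID"]] = f

    findings = []
    for line in smps_lines:
        f = parse_trace_line(line)
        if "not found" not in f.get("Message", "").lower():
            continue
        tx = f.get("TransactionID", "")
        wa = by_tx.get(tx, {})
        qs = parse_qs(wa.get("Query", ""))
        target = qs.get("TARGET", [""])[0]
        agent = f.get("AgentName", "")
        # A value that matches no configured clear-text name was most likely never decrypted,
        # which points at an agent-key mismatch between the target agent and the login agent.
        cause = ("key mismatch (agent name still encrypted)" if agent not in expected_agents
                 else "agent not defined on Policy Server")
        findings.append({
            "TransactionID": tx,
            "agent_name_sent": agent,
            "target": target,
            "target_host": urlparse(target).hostname or "",
            "likely_cause": cause,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(WEBAGENT_TRACE, SMPS_TRACE, EXPECTED_AGENT_NAMES):
        print(finding)
```

The host in "target_host" identifies which target agent produced the redirect, so when every failing transaction points at one host its agent keys are the first thing to compare against the login agent's; when failures span all hosts, the login agent's keys are the more likely culprit.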