A couple of my clients recently had issues accessing the PDM from Windows XP and Server 2003. After authenticating successfully in both the browser and the Java window, they were presented with an empty window instead of the PDM - and a message in the status bar claiming
java.security.AccessControlException: access denied.
Both clients concluded - not unreasonably - that there was some kind of authentication problem with the PIX, and that they were locked out.
In fact, the problem was not with the PIX, but with Java itself. Sun's most recent updates to the JRE (Java Runtime Environment) made changes to the behavior allowed for signed code - and caused consternation for developers and end users by breaking quite a few applets.
Installing the "release 8" update for the 1.4.2 plugin, or the "release 2" update for the 1.5.0 plugin prevented access to the PDM - and no adjustment to the security settings in Internet Explorer or Firefox could fix the issue (both Windows and Linux platforms suffer from this problem.) Applets which behaved like the PDM - launching code which performs security-restricted functions from an HTML button - were now 'broken by design' under the new stricter security model.
Those who had upgraded their Java plugin from an earlier (working) release could uninstall the latest version, and once again access the PDM. But for a new workstation or server, the latest load of Java was broken 'out of the box,' and there wasn't anything to go back to. And unless the affected user tried a Google search on the full status bar error message, there were very few clues on the nature of the problem - or the fix.
There is, in fact, a Cisco Field Notice, dated May 16th, on this issue - but unless you perform a very specific Google search, you'll probably miss it.
I almost never use a vendor's own search tool to explore a support knowledge base. Microsoft's Knowledge Base, in particular, was long notorious for the obscurity of the keywords assigned to articles. More than once, I couldn't re-locate a KB (or Q article, if you're old skool) that I knew was there, which was immensely frustrating. I finally started using site-specific Google searches: specifying a search by site:microsoft.com server 2003 dns firewall allowed me to find information that eluded the built-in tool. Microsoft, by the way, claims to have made significant improvements to the way their site search engine works. Is it better? I don't know - they trained me not to use it by returning poor results for years. Google is my friend.
Cisco does offer a product alert service which will e-mail you notices like this one when they are published, but you have to have an account with Cisco CCO - which generally means, if you're an end user, that you're carrying a SMARTnet service contract on at least one piece of Cisco equipment.
Those who don't have a SMARTnet contract on their PIX not only probably missed the alert, but also cannot implement the official fix, which is a downloadable update - 3.0(3) or 4.1(2) - to the PDM. The workaround is to uninstall the latest copy of the JRE, and download and install release 1 of the Java 1.5.0 plugin.
And, perhaps, consider springing for a SMARTnet contract on at least one of your Cisco products. It doesn't take many of these kinds of headaches for it to pay for itself.