Thursday, January 28, 2010

Configuring your ISA for RSA SecurID authentication to web applications

The first time I did this, I found a great blog post to help me:
Strengthening OWA Authentication with ISA 2006 and RSA SecurID by Aaron Parker

Here is the short version for the basic setup
On the RSA Server
-Create new 'Net OS Agent' type Agent Host entry
-Check Open to All Locally Known Users
-Node Secret Created should not be checked
-Obtain sdconf.rec file

On ISA Server
-Put sdconf.rec file in C:\windows\system32
-Use the sdtest.exe utility to test authentication; if this doesn't work, keep reading

On the properties of your listener
-Choose the Authentication tab and ensure that ‘HTML Form Authentication’ is selected as the authentication method
-Enable the tick-box labelled ‘Collect additional delegation credentials in the form’
-Then select the radio button labelled ‘RSA SecurID’
-Click OK and apply your configuration changes.

I've had it work just fine following these directions, and I've had it not work so well. Here are some of the fixes I've used:

Web form authentication doesn't work, but sdtest.exe utility does
On the ISA server
-Delete all the files in c:\program files\microsoft ISA server\sdconfig
-Copy the following files from c:\windows\system32 to c:\program files\microsoft ISA server\sdconfig
-sdstatus.12 (not sure you need this one, but while I'm copying, I grab it anyway)
-Restart the firewall service
-Authentication through the web form should now work

If neither the sdtest.exe utility nor the web authentication form works
On the RSA Server
-Uncheck the Node Secret Created box on the Agent Host

On ISA Server
-Delete from c:\windows\system32
-Delete from c:\program files\microsoft ISA server\sdconfig
-Reboot ISA Server
-Copy new sdconf.rec file to c:\windows\system32
-Run the sdtest.exe utility and authenticate
-Copy the sdconf.rec file & securid file from c:\windows\system32 to c:\program files\microsoft ISA server\sdconfig
-Authenticate via web listener
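Both fixes above come down to the copy of the agent files under the ISA sdconfig folder drifting from the copy in System32 that sdtest.exe uses. The following check is an added example, not part of the original post: it hashes sdconf.rec, securid and sdstatus.12 in both locations, reports any mismatch, and with -Fix re-copies from System32 and restarts the Microsoft Firewall service rather than rebooting. It assumes the default ISA install path used in the post and that the firewall service is named fwsrv.

```powershell
# Added example, not from the original post. Compares the RSA agent files the
# post copies between the two locations ISA reads them from, and optionally
# resyncs them. Assumptions: default ISA install path, and "fwsrv" as the
# name of the Microsoft Firewall service.
param([switch]$Fix)

$src = Join-Path $env:windir 'System32'
$dst = Join-Path $env:ProgramFiles 'Microsoft ISA Server\sdconfig'

# sdconf.rec  : agent configuration exported from the RSA server
# securid     : node secret, created on the first successful sdtest.exe run
# sdstatus.12 : agent status file (the post copies it "just in case")
$files = @('sdconf.rec', 'securid', 'sdstatus.12')

function Get-Sha256Hex([string]$Path) {
    # .NET hashing so this also runs on the old PowerShell versions found on ISA hosts
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

$drift = @()
foreach ($f in $files) {
    $a = Join-Path $src $f
    $b = Join-Path $dst $f
    if (-not (Test-Path $a)) {
        Write-Warning "$f is missing from $src; run sdtest.exe and authenticate first"
        continue
    }
    if (-not (Test-Path $b)) {
        Write-Host "DRIFT: $f is missing from $dst"
        $drift += $f
    } elseif ((Get-Sha256Hex $a) -ne (Get-Sha256Hex $b)) {
        Write-Host "DRIFT: $f differs between $src and $dst"
        $drift += $f
    } else {
        Write-Host "OK:    $f identical in both locations"
    }
}

if ($drift.Count -eq 0) {
    Write-Host 'Agent files are in sync; check the Node Secret Created flag on the RSA side instead.'
} elseif ($Fix) {
    foreach ($f in $drift) { Copy-Item (Join-Path $src $f) -Destination $dst -Force }
    # Restart only the firewall service so the listener picks up the files; no reboot needed
    Restart-Service -Name fwsrv -Force
    Write-Host "Copied $($drift -join ', ') and restarted fwsrv"
}
```

Run it without -Fix first to see which file is out of sync; a fresh node secret (securid) only exists in System32 after sdtest.exe has authenticated once, which is why the post runs sdtest.exe before copying.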

1 comment:

Anonymous said...

thanks for the article.

It is frustrating that we cannot get ISA to "see" the new settings without a reboot.

Typically it stops working during business hours and to reboot the ISA affects all other critical services.

Must be a way to do this without rebooting all the time?