The first time I did this, I found a great blog post to help me:
Strengthening OWA Authentication with ISA 2006 and RSA SecurID by Aaron Parker
Here is the short version for the basic setup
On the RSA Server
-Create new 'Net OS Agent' type Agent Host entry
-Check Open to All Locally Known Users
-Node Secret Created should not be checked
-Obtain sdconf.rec file
On ISA Server
-Put sdconf.rec file in C:\windows\system32
-Use the sdtest.exe utility to test authentication, if this doesn't work, keep reading
On the properties of your listener
-Choose the Authentication tab and ensure that ‘HTML Form Authentication’ is selected as the authentication method
-Enable the tick-box labelled ‘Collect additional delegation credentials in the form’
-Then select the radio button labelled ‘RSA SecurID’
-Click OK and apply your configuration changes.
I've had it work just fine following these directions, and I've had it not work so well, here are some of the fixes I've used
Web form authentication doesn't work, but sdtest.exe utility does
On the ISA server
-Delete all the files in c:\program files\microsoft ISA server\sdconfig
-Copy the following files from c:\windows\system32 to c:\program files\microsoft ISA server\sdconfig
-sdconf.rec
-securid
-sdstatus.12 (not sure you need this one, but while I'm copying, I grab it anyway)
-Restart the firewall service
-It should work
If neither the sdtest.exe utility or the web authentication form work
On the RSA Server
-Uncheck the Node Secret Created box on the Agent Host
On ISA Server
-Delete from c:\windows\system32
-sdconf.rec
-sdstatus.12
-securid
-Delete from c:\program files\microsoft ISA server\sdconfig
-sdconf.rec
-sdstatus.12
-securid
-Reboot ISA Server
-Copy new sdconf.rec file to c:\windows\system32
-Run the sdtest.exe utility and authenticate
-Copy the sdconf.rec file & securid file from c:\windows\system32 to c:\program files\microsoft ISA server\sdconfig
-Authenticate via web listener
Thursday, January 28, 2010
Configuring your ISA for RSA SecureID authentication to web applications
Blogging?
I haven't blogged in a while, not on here, or my internal work site. I wrote something up for work tonight, I'll need to change a few things to protect the innocent and I'll post it here too.
Subscribe to:
Posts (Atom)