
Archive for March, 2013

Using Redirect with OWA breaks RSA SecurID authentication

March 10, 2013

The OWA redirect rule is well known by now and has been outlined in several blog posts; the best, and the original, is Brian’s post here: http://briandesmond.com/blog/redirecting-owa-urls-in-exchange-2010/

However, care must be taken when configuring the above rules, especially when you are going to use RSA SecurID authentication. The above configuration prevents OWA clients from accessing the WebID virtual directory, and the browser stops at the path OWA/WebID/IISWebAgentIF.dll with a blank page.

To solve this issue, you will need to stop the redirect and use another method (maybe a Java redirect script), because you will not be able to use RSA SecurID with the redirect.

Other notes to consider when configuring OWA with RSA SecurID:

  • Make sure to follow the steps outlined in the WebAgent_IIS.pdf document.
  • Make sure to configure the RSA application pool with an admin account (this is mentioned in the document but can be easily overlooked).
  • Make sure the securid file has been created (install the Windows Agent and do a test authentication). The documentation instructs you to download the RSA SDK, use agent_nsload.exe and convert the file to the web agent format; this is not correct. Just copy the file from the authdata folder to the web agent installation directory.

You receive “Authentication Method Failed” on the RSA authentication monitor and an “authentication failed” error message on the RSA Security Center

March 10, 2013

Consider the following scenario: you installed the RSA Windows agent and added the agent, and when you test the login you receive “Authentication Method Failed”.

You are using the correct passcode or SecurID code, so what is the issue?

Solution:

The issue happens because you are using a server that is multihomed. When you create the agent, you specify the IP that will be used by that agent; the agent might use an incorrect IP, although in real-time reporting you will see the agent IP presented correctly.

To overcome this issue, RSA has KB a37416 that specifies the solution; you can read it on the RSA knowledge base. If you don’t have access, then:

– Configure IP override from the advanced settings in the RSA Security Center. Make sure to specify an IP override that uses the same IP configured in the agent settings on the Security Console.

A simple, yet tricky, issue.
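A pre-check for the multihomed scenario above, as an added example that is not part of the original post or of RSA's tooling. The server address, the registered agent IP and UDP port 5500 are placeholders or assumptions to replace with your own values.

```powershell
# Added example: decide whether the multihomed scenario applies to this host.
param(
    [string]$RsaServer    = '192.0.2.10',  # placeholder: Authentication Manager address
    [string]$RegisteredIP = '192.0.2.50',  # placeholder: agent IP set in the Security Console
    [int]   $Port         = 5500           # assumption: agent authentication port (UDP)
)

# Every IPv4 address bound to an interface that is up (loopback excluded).
$localIPs = @(
    [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
        Where-Object { $_.OperationalStatus -eq 'Up' -and $_.NetworkInterfaceType -ne 'Loopback' } |
        ForEach-Object { $_.GetIPProperties().UnicastAddresses } |
        Where-Object { $_.Address.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.Address.ToString() }
)

# Connect() on a UDP socket sends no packet; it only makes the OS choose the
# route, and with it the local source address, for that destination.
$udp = New-Object System.Net.Sockets.UdpClient
try {
    $udp.Connect($RsaServer, $Port)
    $sourceIP = $udp.Client.LocalEndPoint.Address.ToString()
} finally {
    $udp.Close()
}

"Local IPv4 addresses : $($localIPs -join ', ')"
"Source IP toward RSA : $sourceIP"
"Registered agent IP  : $RegisteredIP"

if ($localIPs -notcontains $RegisteredIP) {
    Write-Warning 'The registered agent IP is not bound to any interface on this host.'
}
if ($localIPs.Count -gt 1) {
    # The source IP can look correct in real-time reporting while the agent
    # itself uses another address, so a match here does not rule the issue out.
    Write-Warning "Host is multihomed: set the agent's IP override to $RegisteredIP."
} else {
    'Host has a single IPv4 address; the multihomed scenario does not apply.'
}
```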

Categories: RSA

Configuring Citrix Web Interface with RSA SecurID, Notes from the Field

March 7, 2013

Configuring your Web Interface to work with RSA SecurID can be troublesome. I spent 2 days trying to figure out how to make it work; here are the configuration steps:

Follow the steps mentioned in this CTX article: http://support.citrix.com/article/CTX126843

BUT, as usual, there is a trick: completing the above configuration will not work, and you will get the following error:

There was a problem with the RSA SecurID ACE/Agent. Check that the ACE/Agent is installed correctly and that the path to the file aceclnt.dll has been added to the PATH environment variable.

To solve this problem, follow these steps:

– Make sure to install the RSA Web Agent. The Web Agent must be installed, as it adds some keys to applicationhost.config that are needed by IIS.

– Configure the Web Interface not to send the domain name: from Explicit authentication, Properties, Explicit/Two-Factor Authentication, uncheck (Send Domain and username to ACE/Server).

Some additional troubleshooting steps (like the PATH and secret key reset) are here:

http://support.citrix.com/article/CTX125097
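A check for the PATH condition named in the error message above, as an added example that is not part of the original post or of the Citrix or RSA tooling. It assumes it is run on the Web Interface server; the function name is hypothetical.

```powershell
# Added example: locate aceclnt.dll through the PATH environment variable.
$dll = 'aceclnt.dll'   # file named in the Web Interface error message

function Find-DllInPath([string]$PathValue) {   # hypothetical helper name
    foreach ($entry in ($PathValue -split ';')) {
        # Strip quotes and whitespace, expand %VAR% references, skip empty entries.
        $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
        if (-not $dir) { continue }
        $candidate = [System.IO.Path]::Combine($dir, $dll)
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            Get-Item -LiteralPath $candidate
        }
    }
}

# Machine-level PATH is what services inherit; the session PATH also
# contains the user-level entries of whoever is logged on.
$machine = @(Find-DllInPath ([Environment]::GetEnvironmentVariable('Path', 'Machine')))
$session = @(Find-DllInPath $env:Path)

foreach ($file in $machine) {
    '{0}  (file version {1})' -f $file.FullName, $file.VersionInfo.FileVersion
}

if ($machine.Count -eq 0 -and $session.Count -gt 0) {
    Write-Warning "$dll is reachable only through this session's PATH, not the machine-level PATH."
} elseif ($machine.Count -eq 0) {
    Write-Warning "$dll was not found in any PATH directory."
} elseif ($machine.Count -gt 1) {
    Write-Warning "More than one copy of $dll is on the machine-level PATH; the first one listed is found first."
}
```

A process reads its environment when it starts, so after changing the machine-level PATH restart IIS before testing again.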

Destination: Private cloud…are we there yet?–No we are not

March 6, 2013

In a recent post, the private cloud architecture team published an interesting blog entry, http://blogs.technet.com/b/privatecloud/archive/2013/02/26/destination-private-cloud-are-we-there-yet.aspx, which talks about the characteristics of the private cloud.

Being one of those who are working on the cloud, in the cloud and by the cloud, I think that we can answer: no, we are not there yet.

The blog talks about the main characteristics that need to be available for you to say “I have a private cloud”, but I am speaking about the whole picture.

The whole picture comes with a lot of things: HW integration, network integration, security integration and a lot more.

Yes, most of the “Private Cloud” providers provide their own solution to have an end-to-end solution, but it is still locked; for example, Microsoft does HW fast track, but with a limited set of vendors and HW providers.

Adding security, backup/DR and networking to the show, you will have a more complex scene. In my opinion, we don’t have the cloud-ready security/network solution yet; they will come, but we are not there yet.

My 2 cents for you if you are working on your own “cloud” project: take a deep look, and don’t think it is easy to use, consume or build a cloud, because we are not there yet.

Categories: Cloud