Archive for the ‘RSA’ Category

Using Redirect with OWA breaks RSA SecurID authentication

March 10, 2013

The use of an OWA redirect rule is very common now and has been outlined in several blog posts; the best and the original is Brian’s post here: http://briandesmond.com/blog/redirecting-owa-urls-in-exchange-2010/

However, care must be taken when configuring the above rule, especially if you are going to use RSA SecurID authentication. The above configuration prevents OWA clients from reaching the WebID virtual directory, and the browser stops at the path OWA/WebID/IISWebAgentIF.dll with a blank page.

To solve this, you will need to remove the redirect and use another method (for example a JavaScript redirect page), because RSA SecurID will not work together with the redirect.

Other notes to consider when configuring OWA with RSA SecurID:

  • Make sure to follow the steps outlined in the WebAgent_IIS.pdf document.
  • Make sure to configure the RSA application pool with an admin account (this is mentioned in the document but is easily overlooked).
  • Make sure the securid file is created (install the Windows Agent and do a test authentication). The documentation instructs you to download the RSA SDK, use agent_nsload.exe and convert the file to the web agent format; this is not correct, just copy the file from the authdata folder to the web agent installation directory.

You receive “Authentication Method Failed” on the RSA authentication monitor and an “authentication failed” error message in the RSA Security Center

March 10, 2013

Consider the following scenario: you installed the RSA Windows agent and added the agent, and when you test the login you receive “Authentication Method Failed”.

You are using the correct passcode or SecurID code, so what is the issue?

Solution:

The issue happens because the server is multihomed. When you create the agent you specify the IP that the agent will use, but the agent might actually use a different IP, even though the real-time reporting shows the agent IP correctly.

To overcome this, RSA has KB a37416 that describes the solution; you can read it in the RSA knowledge base, and if you don’t have access:

– Configure IP override: from the advanced settings in the RSA Security Center, specify an IP override that uses the same IP configured in the agent settings on the Security Console.

A simple but tricky issue.
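A quick way to spot the mismatch described above is to ask the OS which local address it would pick for traffic to the Authentication Manager and compare it with the IP the agent was registered with. This is an added example, not code from the original post; the Authentication Manager hostname and the registered agent IP are placeholders, and UDP 5500 is assumed to be the agent authentication port in use.

```python
import ipaddress
import socket

# Assumption: default UDP port SecurID agents use to reach Authentication
# Manager. Adjust if your deployment changed it.
RSA_AUTH_PORT = 5500


def os_source_ip(am_host, port=RSA_AUTH_PORT):
    """Return the local IP this host would use to reach am_host.

    connect() on a UDP socket only performs route selection in the
    kernel; no packet is sent, so this is safe on a production agent.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.connect((am_host, port))
        return sock.getsockname()[0]


def check_agent_ip(registered_ip, am_host, resolve=os_source_ip):
    """Compare the IP the agent was registered with in the Security
    Console against the IP the OS actually sources traffic from.

    Returns (ok, message). 'resolve' is injectable so the comparison
    can be exercised without network access.
    """
    registered = ipaddress.ip_address(registered_ip)
    actual = ipaddress.ip_address(resolve(am_host))
    if registered == actual:
        return True, f"agent IP {registered} matches the OS source IP"
    return False, (
        f"agent registered as {registered} but this host would send from "
        f"{actual}; set the IP override (RSA Security Center > Advanced "
        f"Settings) to {registered}"
    )


if __name__ == "__main__":
    # Placeholder values: replace with your AM hostname and agent IP.
    ok, msg = check_agent_ip("192.0.2.10", "am.example.internal")
    print(("OK: " if ok else "MISMATCH: ") + msg)
```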


Configure RSA SecurID 130 Appliance with network routing and static routes

December 19, 2012

The RSA SecurID appliance comes with 2 NICs; you can configure one as primary and the other as secondary, and both NICs can be used for authentication, RADIUS and all the normal traffic.

However, you can configure a default gateway on only one NIC. This is very limiting, especially if you have VLANs and multiple subnets whose routing you want to specify and which are not behind the default gateway.

The RSA appliance runs a normal Linux distribution, so to add a route here are the steps:

From SSH or a local login on the RSA appliance:

sudo -s

Note: su - will not work.

<enter the root password>

/sbin/ip route add 192.168.205.0/24 via 192.168.204.142 dev eth0

In this case the destination is 192.168.205.0/24 and 192.168.204.142 is my router, which has 2 interfaces (192.168.204.142 and 192.168.205.142).

I think you can configure RIP as well, but that would be epic.
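Before typing the route on the appliance, it is worth checking that the next hop is actually on the NIC’s own subnet, because the kernel rejects a gateway it cannot reach directly, and that the destination does not overlap the local subnet. The check below is an added example, not from the original post; the appliance’s eth0 address 192.168.204.10/24 is an assumption, since the post does not state it.

```python
import ipaddress

# Assumption: the appliance's eth0 address (not given in the post). The
# gateway 192.168.204.142 must be on this subnet for the route to work.
ETH0_CIDR = "192.168.204.10/24"


def plan_static_route(dest_cidr, gateway, iface_cidr=ETH0_CIDR, dev="eth0"):
    """Validate a static route and return the exact /sbin/ip command,
    or raise ValueError explaining why it would fail or be useless.
    """
    # strict=True rejects a prefix with host bits set (e.g. a typo like
    # 192.168.205.5/24) instead of silently masking it.
    dest = ipaddress.ip_network(dest_cidr, strict=True)
    gw = ipaddress.ip_address(gateway)
    iface = ipaddress.ip_interface(iface_cidr)

    # The kernel needs a next hop it can ARP for on this interface.
    if gw not in iface.network:
        raise ValueError(f"gateway {gw} is not on {dev}'s subnet {iface.network}")
    if gw == iface.ip:
        raise ValueError("gateway cannot be the appliance's own address")
    # A destination inside the local subnet would shadow direct delivery.
    if dest.overlaps(iface.network):
        raise ValueError(f"destination {dest} overlaps local subnet {iface.network}")
    return f"/sbin/ip route add {dest} via {gw} dev {dev}"


def uncovered_hosts(dest_cidr, hosts):
    """Return the hosts (e.g. RADIUS clients on the far VLAN) that the
    planned prefix would NOT route, so the prefix can be widened."""
    dest = ipaddress.ip_network(dest_cidr, strict=True)
    return [h for h in hosts if ipaddress.ip_address(h) not in dest]


if __name__ == "__main__":
    # Values from the post: far subnet .205/24 via the router's .204 leg.
    print(plan_static_route("192.168.205.0/24", "192.168.204.142"))
    print(uncovered_hosts("192.168.205.0/24", ["192.168.205.20", "192.168.206.7"]))
```

Routes added with /sbin/ip route add live only in the kernel table and are gone after a reboot, so re-apply them or persist them in the appliance’s network configuration.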


How to configure the RSA SecurID 130 Appliance to integrate with Active Directory

December 19, 2012

In this lab we will configure the RSA SecurID 130 appliance to integrate with AD and allow users to log in to AD using their tokens. Here are the steps to set up the appliance:

Setting up the device:

The RSA appliance can be set up either as primary or secondary; the primary is either standalone or used together with a secondary to provide HA. In our setup we will set up the primary device.

Setting up the device is fairly simple: connect the device to the network, it comes preset with the IP 192.168.100.100, connect to that IP and set it up.

The initial setup wizard walks you through importing the license file that came with the appliance, setting the date and time, the OS password and the superadmin password, and configuring networking. After that it takes around 10 minutes to set up the device and reboot with the new configuration.

Once rebooted, you can log in to the Operations Console from any web browser at https://<IP Address>:7072/operations-console

Once logged in, to integrate with AD you need to configure identity sources: go to Manage Identity Sources.

Click on Add New Identity Source.

The Add New Identity Source wizard opens and lets you add your identity source; in our case it is Microsoft Active Directory. Enter the AD information, including a dedicated username and password used to connect to and manage AD (in this lab I am using the administrator account; please make sure to use a dedicated account in a production environment), and click Test Connection to verify your settings.

Once the test succeeds, you are prompted with the mapping wizard, which lets you map AD attributes to the appliance’s user attributes (make sure not to include a User Base DN or Group Base DN if you are adding a global catalog). Confirm the attribute mapping and click Next.

Now your identity source is configured.

Now log in to the Security Console and configure the realm.

Go to Realm Management and create a new realm for AD, or choose Edit and include AD in the existing realm.

Now, from the Security Console, you can go to token management and search for the tokens you have imported; you will find them in the console.

Now you can search for a user and assign the token to them.

The final step is to install the RSA client on the machine the user will log in to (the local machine or a XenApp server, for example). Once the client is installed it disables AD password login and requires the user to log in with the token; these settings can be set using GPO or the registry.

Note: for some reason the latest version of the client didn’t work for me, so I used the previous version, which worked great, but it requires registry editing to enforce the RSA login GINA.

Hope that this quick guide helped you out.