000023534 - How to use RSA domain cookies on more than one host in RSA ACE/Server

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000023534
Applies To: RSA ACE/Agent for Windows, RSA ACE/Agent for Web, RSA ACE/Server
Issue: How to use RSA domain cookies on more than one host in RSA ACE/Server
MD5 checksum error
The user wishes to use the same RSA domain cookie from another host. The user authenticates from their browser to a Microsoft IIS web server secured by RSA ACE/Agent for Web. The user then contacts a proxy host which controls a secured resource. This service also requires authentication. Since the user has already authenticated through RSA ACE/Agent for Web, the cookie can be used as validation. To do this, the RSA cookie is sent to the proxy, which uses it to request an HTTP page from the IIS server protected with RSA ACE/Agent for Web. If it gets an RSA login page, the cookie is assumed to be invalid. However, the HTTP request is rejected every time by RSA ACE/Agent for Web, even though the browser on the user's own machine can view pages without re-authentication.
Cause: The cookie created by RSA ACE/Agent for Web includes the IP address of the web client (browser). Each time the RSA cookie is used by the proxy host, it is rejected because the HTTP request comes from a different originating IP address than the one recorded in the RSA cookie.
Resolution: To allow cookies from other hosts, the following registry key must be added to the Microsoft Internet Information Services (IIS) web server host:
    HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\WebID\IgnoreBrowserIPAddress
The key has to be added as a DWORD and is case sensitive. The value can be left at 0, since RSA ACE/Agent for Web only looks for the existence of the key to ignore the IP address.
Legacy Article ID: a35
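The Resolution above can be applied and audited on the IIS host with PowerShell. This is an added example, not RSA code; it assumes that `IgnoreBrowserIPAddress` is a DWORD value under the key `HKLM:\SOFTWARE\SDTI\WebID`, and the function names are hypothetical. The audit function shows on which hosts the agent's client IP check on cookies has been switched off.

```powershell
# Added example (not RSA code). Assumption: "IgnoreBrowserIPAddress" is a DWORD
# value under the key HKLM:\SOFTWARE\SDTI\WebID, as the article's path implies.
$WebIdKey  = 'HKLM:\SOFTWARE\SDTI\WebID'
$ValueName = 'IgnoreBrowserIPAddress'

function Get-WebIdIpBindingState {
    # Reports whether the entry that disables the cookie IP check is present.
    [CmdletBinding()]
    param([string]$Path = $WebIdKey, [string]$Name = $ValueName)

    $state = [ordered]@{
        Computer = $env:COMPUTERNAME; KeyPresent = $false; ValuePresent = $false
        ExactCase = $false; Kind = $null; Data = $null
    }
    if (Test-Path -LiteralPath $Path) {
        $state.KeyPresent = $true
        $key = Get-Item -LiteralPath $Path
        # Registry lookups ignore case; the article says the name is case
        # sensitive, so the stored spelling is also compared with -ceq.
        $stored = $key.GetValueNames() | Where-Object { $_ -ieq $Name } | Select-Object -First 1
        if ($stored) {
            $state.ValuePresent = $true
            $state.ExactCase    = ($stored -ceq $Name)
            $state.Kind         = $key.GetValueKind($stored)
            $state.Data         = $key.GetValue($stored)
        }
    }
    [pscustomobject]$state
}

function Enable-WebIdCookieReuse {
    # Creates the DWORD described in the article; data 0 is enough because
    # only the existence of the entry is checked. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $WebIdKey, [string]$Name = $ValueName)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "$Path not found on this host."
    }
    if ($PSCmdlet.ShouldProcess("$Path\$Name", 'Create DWORD value 0')) {
        New-ItemProperty -LiteralPath $Path -Name $Name -PropertyType DWord -Value 0 -Force | Out-Null
    }
    Get-WebIdIpBindingState -Path $Path -Name $Name
}

Get-WebIdIpBindingState   # read-only audit of the current host
```

Run `Enable-WebIdCookieReuse -WhatIf` from an elevated session to preview the change before writing to the registry.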
