000025723 - How to enable RSA SecurID protection on Microsoft Outlook Web Access (OWA), Exchange ActiveSync (EAS), and Microsoft Outlook Mobile Access (OMA) on the same server

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000025723
Applies To:
NOTE: THIS SOLUTION IS UNSUPPORTED, UNTESTED, and is NOT A QUALIFIED configuration. This article is available only for customer convenience, as RSA Security cannot provide ANY support with this configuration.
RSA Authentication Manager 6.0
Microsoft Exchange Server 2003
RSA Authentication Agent 5.3 for Web
Microsoft Outlook Web Access (OWA)
Microsoft Exchange ActiveSync (EAS)
Microsoft Outlook Mobile Access (OMA)
Out of the box, RSA SecurID protection works with Microsoft Outlook Web Access (OWA) or with Exchange ActiveSync (EAS), but not both. As soon as the Exchange folder is protected, EAS stops working. Outlook Mobile Access (OMA) does not work at all if SecurID is enabled, unless the "Disable IIS Server If Agent Fails to Load" option is unselected.
Active Sync
Issue: How to enable RSA SecurID protection on Microsoft Outlook Web Access (OWA), Exchange ActiveSync (EAS), and Microsoft Outlook Mobile Access (OMA) on the same server
Resolution: The information below is based on Microsoft knowledgebase article KB817379. NOTE: This article describes a workaround only. The solution has not been through RSA Security QA and should not be considered a supported solution, as RSA Security cannot provide support for it.
1. Enable RSA SecurID protection for the Exchange and Public folders. At this point, Microsoft Outlook Web Access (OWA) is successfully protected, but of course Exchange ActiveSync (EAS) breaks due to the known problem (Exchange protected with SecurID).
2. Right-click the Exchange folder in IIS > All Tasks > Save configuration to file. Save the configuration somewhere.
3. Right-click the default web site > New > Virtual Directory (from file). Browse to the file created above, select "read file", select the location, then click OK. IIS will tell you that the virtual folder already exists, so in the Alias box, type "exchange-eas" and click OK.
4. Confirm that the new folder "exchange-eas" exists in the web site, then confirm that the only authentication methods enabled for this folder are integrated and basic (and not SecurID).
5. Using regedit, locate the subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MasSync\Parameters. Right-click Parameters > New > String Value. Name this value "ExchangeVDir" (this is case sensitive).
6. Right-click ExchangeVDir and click Modify. In the Value box, enter /exchange-eas.
7. Make sure that only the following authentication methods are enabled, and then click OK:
- Integrated Windows authentication
- Basic authentication
8. Under IP address and domain name restrictions, click Edit.
9. Click Denied Access, click Add, click Single computer, type the IP address of the server that you are configuring, and then click OK.
10. Under Secure communications, click Edit. Make sure that Require secure channel (SSL) is not enabled, and then click OK.
11. Restart the IIS Admin service.
IMPORTANT: Deselecting the "Disable IIS Server If Agent Fails to Load" option will reduce the security of the server
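The settings that steps 4, 7 and 10 require on the "exchange-eas" virtual directory can be checked offline against a configuration file saved for that folder in the same way as in step 2. The following is an added example, not RSA or Microsoft code; the export fragment is constructed, and the element and attribute names (IIsWebVirtualDir, AuthFlags, AccessSSLFlags) are assumed to follow the IIS 6 metabase XML layout. It does not cover the SecurID agent setting or the IP address restriction.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on an IIS 6 "Save configuration to file" export
# (assumed layout; not taken from the article).
SAMPLE_EXPORT = """<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/exchange-eas"
    AuthFlags="AuthAnonymous | AuthBasic | AuthNTLM"
    AccessSSLFlags="AccessSSL | AccessSSL128"/>
</MBProperty>
</configuration>"""

# Steps 4 and 7: only Basic and Integrated Windows (AuthNTLM) authentication.
EXPECTED_AUTH = {"AuthBasic", "AuthNTLM"}
# Step 10: "Require secure channel (SSL)" must not be enabled.
SSL_REQUIRED = {"AccessSSL", "AccessSSL128"}


def split_flags(value):
    """Turn 'AuthBasic | AuthNTLM' (or '0' / '') into a set of flag names."""
    return {f.strip() for f in value.split("|")} - {"", "0"}


def audit_vdir(xml_text, alias="exchange-eas"):
    """Return a list of findings for the virtual directory named `alias`."""
    for node in ET.fromstring(xml_text).iter():
        location = node.get("Location", "")
        if not node.tag.endswith("IIsWebVirtualDir"):
            continue
        if location.rsplit("/", 1)[-1].lower() != alias.lower():
            continue
        findings = []
        for attr in ("AuthFlags", "AccessSSLFlags"):
            if node.get(attr) is None:
                # An absent property is inherited from the parent node.
                findings.append(f"{attr} not set here; check the inherited value")
        auth = split_flags(node.get("AuthFlags", ""))
        ssl = split_flags(node.get("AccessSSLFlags", ""))
        if node.get("AuthFlags") is not None:
            for extra in sorted(auth - EXPECTED_AUTH):
                findings.append(f"unexpected authentication method: {extra}")
            for missing in sorted(EXPECTED_AUTH - auth):
                findings.append(f"authentication method not enabled: {missing}")
        if ssl & SSL_REQUIRED:
            findings.append("Require secure channel (SSL) is enabled")
        return findings
    return [f"virtual directory {alias} not found in export"]
```

An empty list from `audit_vdir` means the exported folder matches the authentication and SSL settings the steps call for.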
Additional Information about OWA, OMA, and EAS
- OWA has the option for forms-based authentication method. If this is enabled on a backend server, the "Exchange" directory will be automatically configured for Basic authentication only, and only SSL will be recommended. OWA frontend servers, OMA and EAS all require "Integrated" authentication and no SSL on the "Exchange" directory, and hence will fail to work when forms-based authentication is enabled in this way.
- The OMA application creates its WebDAV and content requests without the host-header from the original client requests. As a result, only one HTTP virtual server configured with no host headers on port 80 can pick up these requests. Therefore, OMA can only support one configured SMTP domain.
- EAS uses a different mechanism for handling requests than does OWA and OMA. That difference makes handling multiple SMTP domains very awkward if EAS is left in its default configuration state. The workaround involves tricky registry editing, and prevents EAS from working with more than one SMTP domain.
- Prior to SP1 for Exchange 2003, virtual directories and servers for OWA would only be accessible to users who had an email address in the SMTP domain configured for that virtual directory or server. This may have been useful to control access on a hosted Exchange system, but with SP1 Microsoft have removed this restriction anyway.


Where the services are not all installed on the same machine, the standard documentation for the RSA Authentication Agent 5.3 for Web applies: RSA Authentication Agent 5.3 is qualified to run on Microsoft Exchange Server 2003 ActiveSync, and full details of the qualified configuration are in the standard RSA Authentication Agent 5.3 documentation. SecurCare Online copies are available at RSA Authentication Agent 5.3 for Web for Microsoft Internet Information Services Installation and Configuration Guide.

As additional, historical information, the original implementation guide at http://rsasecurity.agora.com/rsasecured/guides/imp_pdfs/Microsoft_ActiveSync_ACE5.pdf might be useful as background material, but remember that the newer 5.3 documentation supersedes it.

Legacy Article ID: a28344