Article Number | 000032644 |
Applies To | RSA Product Set: SecurID RSA Product/Service Type: Authentication Agent for Web RSA Version/Condition: 7.1.2 for IIS Platform: Windows O/S Version: 2008 Server R2 Standard (64 bit) |
Issue | ADFS ver. 2.0 on Windows 2008 R2 can be protected with the IIS Web agent, not the newer AD FS agent ver. 1.0.1. 2-factor Authentication not working, when protect the Web Site then access; it gets this error

Server Error 500 - Internal server error. There is a problem with the resource you are looking for, and it cannot be displayed.
Also it gets this error.
 HTTP 500 error with MSIS7012 You may also see HTTP 401, HTTP 402, HTTP 403 or HTTP
|
Cause | Did not have the Windows Identity Foundation (WIF) API or SDK installed, so did not have WebID folder nor ClaimsAwareWebAppWithManagedSTS folder
 After installing WIF should see the following folders under Default Web Site;
\adfs\ls \ClaimsAwareWebAppWithManagedSTS and \WebID

|
Resolution | Install WIF following the AD FS 2.0 (AD FS 2.0 Step-by-Step Guide: Integration with RSA SecurID in the Extranet): Integration with RSA SecurID in the Extranet Step 1: Preconfiguration Tasks includes IP, DNS, SSL and Install WIF and Sample Application Step 2: Configure AD FS 2.0 Federation Server Proxy which includes Reconfigure DNS Step 3: Configure the Claims-Aware Application including how to Run the WIF Federation Utility - which appears to create the ClaimsAwareWebAppWithManagedSTS under the default site Step 4: Test the AD FS 2.0 Proxy Solution Step 5/6: Install/Configure RSA Authentication Agent for IIS web Step 7: Test RSA/AD FS 2.0 Proxy Solution https://technet.microsoft.com/en-us/library/hh344805(v=ws.10).aspx |
Workaround | If the ClaimsAwareWebAppWithManagedSTS Application does not show under the Default Web Site in IIS after installing WIF, you may have to manually add it.
 Browse to the Folder C:\Program Files(ver)\Windows Identity Foundation SDK\v(ver)\Samples\Quick Start\ClaimsAwareWebAppWithManagedSTS
 Once the Application is added, you can follow the Implementation Guide to edit the Advanced Settings - Application Pool and change it to ADFS
 One other thing, we saw Node Secret Mismatch with ADFS 2.0 protected Office 365 when Web Mail was accessed, even though the IIS Web Agent v. 8.0 RSA Authentication Agent Test Authentication was successful. We fixed this with permissions; 1. Copied (not Moved!) node secret file securid and sdconf.rec from the RSA Agent directory to C:\Windows\System32 2. on the Properties of both copies of this securID file, we added Authenticated Users, and gave then both Read and Read And Execute Permissions |
Notes | AD FS ver. 3.0 runs on Windows 2012 R2 and can be protected with the new RSA ADFS agent, currently ver. 1.0.1 as of Feb. 2016 Download the Microsoft Windows Identity Federation SDK here. https://www.microsoft.com/en-us/download/details.aspx?id=4451 AD FS 2.0 Federation with a WIF https://technet.microsoft.com/en-us/library/adfs2-federation-wif-application-step-by-step-guide(v=ws.10).aspx |