000030805 - RSA Authentication Agent 7.1 for Web for IIS 7.1.3 [167] installed on SharePoint 2013 won't open Microsoft Office files or PDFs

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000030805
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: RSA SecurID Authentication Agent for Web for IIS 
RSA Version/Condition: 7.1.3 [172] and later
IssueMicrosoft Office 2010 documents and PDFs on SharePoint 2013 running on Microsoft Windows 2008 R2 Server cannot be managed.  When connected to Microsoft SharePoint and trying to open Microsoft files (Word, Excel, etc.) or PDFs, one of the following error messages displays:
  • Sorry, there was a problem and we can't open this PDF.  If this happens again, try opening the PDF in Microsoft Word.
  • Sorry, Word Web App ran into a problem opening this PDF.  To view this PDF please open it in Microsoft Word.
Word
Deep

 
CauseThese errors display for one of the following reasons:
1. Microsoft documents, such as Word docs and Excel spreadsheets need an IIS agent fix from Jira bug AAIIS-1240
2. Non-Microsoft files like PDFs need to be removed from the SharePoint office web app list
ResolutionTo correct this issue, install RSA Authentication Agent 7.1 for Web for IIS 7.1.3 build 172 (or higher) or request the hot fix that includes the update identified in AAIIS-1240 that corrects the issue of opening Microsoft files and PDFs.
Follow the detailed instructions in the ConfigurationInstructions.rtf, included below:

1.  Unpackage and apply the RSA SecurID Authentication Agent 7.1 for Web for IIS version 7.1.3 build 168 or later setup.exe to the currently installed web agent

  • To apply, stop the IIS Manager console.  For information on how to do this, please review the following Microsoft TechNet article.  
  • Double-click on the agent's setup.exe.  Internally, the setup.exe will determine if it is upgrading a current web agent installation or installing as a fresh new install.  If it runs as an upgrade, it will upgrade all binaries, but will preserve all configuration of the currently installed web agent.  The server will need a reboot after the upgrade.
2.  Configure the registry to prevent registration of RSAResponseInterceptorModule
  • From the IIS Manager, open the RSA SecurID configuration on the SharePoint - 80  Web Site.  
  • Uncheck the option to Enable RSA SecurID Web Access Authentication and click Apply.                          
  • Open the registry and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\RSAWebAgent.
  • In that hive create the following value:                   
Name:  PreventInterceptorModuleManagement
Value:  1          
Type:  REG_DWORD                                                  

3.  Further configuration:  Edit C:\inetpub\wwwroot\web.config                                                     


  •   Add or replace a reference to the "RSAResponseInterceptorModule," according to template:  
<configuration>
          <system.webServer>
              <modules>
                    <remove name="RSAResponseInterceptorModule"/>
              </modules>
           </system.webServer>
      </configuration>


web.config


  • Go back to the Web Agent Configuration Panel and re-enable the web agent.  
Protect Site

  • After re-enabling the agent, reset the Application Pool on the WebID folder to RSA SecurID Pool.
  • WebID
4. Running iisreset
  • After performing the above steps, open a command prompt.
  • Run the command iisreset to ensure that all configuration is taken.
5.  Open SharePoint to open Shared Documents.
WorkaroundPDFs need to be removed from the SharePoint Microsoft Office Web App list.
Notes

RSA Authentication Agent 7.1 for Web for IIS version 7.1.3 [172] or later resolves the issue.  This build is not yet available for download. Please contact RSA Customer Support to request a copy.
Other symptoms include a black screen, which happens if users try to access SharePoint after the cookie's expiration.  The user will need to close the browser to get around this.  It can be fixed with the 
PreventInterceptorModuleManagement registry setting, mentioned above.
The RSAResponseInterceptorModule is needed for Outlook Web Access (OWA), so do not use the PreventInterceptorModuleManagement setting on OWA web sites.  This setting is not needed by SharePoint and can degrade SharePoint performance, so it is good to enable the  PreventInterceptorModuleManagement option on SharePoint sites.


    Attachments

      Outcomes