000029410 - Authentication Agent for Web for IIS 7.1.3 SSO not working with SharePoint 2010 through Threat Management Gateway (TMG), getting double logon prompt

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000029410
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Web for IIS
RSA Version/Condition: 7.1.2 for IIS
Platform: Windows
Platform (Other): Microsoft Windows Server 2008 R2
 
IssueWe are trying to get the web agent version 7.1.3 working with SharePoint 2010 in combination with SSO. This is claimed to be fixed in version 7.1.3 of the web agent (Tracking number:AAIIS-1111) We did pre-configuration according to the the release notes of the agent with software version 7.1.3 and then configured the agent and SharePoint by following the instructions in the web agent installation and configuration guide This guide only contains at some point instructions for SharePoint 2007 and not for SharePoint 2010 but we configured SharePoint 2010 to achieve the same result. However, we are still unable to get this working. We still get a HTTP 403 Forbidden message. We are able to get the same succesfully working with Microsoft IIS
CauseDuring testing ATS saw that the cookie that the TMG uses epoch time, and when the epoch time was entered into an epoch time converter, the time was found to be 26 hours late, or old. Setting the time on the TMG server ahead by 26 hours allowed SSO to work with the web agent and SharePoint.
ResolutionFor the fix (from AAIIS-96 back in Web Agent 5.3) to take effect, define a string value called "Agent50CompatibleCookies" in the following registry key HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\RSAWebAgent.

Attachments

    Outcomes