000024920 - Cannot use Microsoft FrontPage and Visual InterDev web editors if RSA ACE/Agent for Web is enabled

Document created by RSA Customer Support Employee on Jun 15, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000024920
Applies ToRSA ACE/Agent for Web
RSA ACE/Agent for Windows
Microsoft Windows NT 4.0
Microsoft Internet Information Server (IIS) 4.0
Microsoft Visual InterDev
Microsoft FrontPage
IssueCannot use Microsoft FrontPage and Visual InterDev web editors if RSA ACE/Agent for Web is enabled
CauseIf a Microsoft Internet Information Services (IIS) web site is protected by RSA ACE/Agent for Web, there will be issues using web authoring tools such as FrontPage. The reason is that where the editing utilities are very good at coping with the visual construction of HTML, do not actually cope with the full range of HTTP functionality.

An easy example can be seen if you start up Internet Explorer 4.0 on a PC and browse to a service protected with RSA ACE/Agent for Web. Your first connection will talk to an ISAPI filter, which determines that you have not transmitted a cookie that it expected. A SecurID challenge is issued, and you are asked to enter a Username and PASSCODE. If this authentication is successful, then you receive an RSA cookie (for more information on cookies, see http://home.netscape.com/newsref/std/cookie_spec.html). If you access any pages on the web server, the cookie that you have will get transmitted as part of the standard HTTP protocol. If you then create more browser windows by doing "File | New | Windows", each of the new windows correctly obtains (or has access to) a copy of the RSA cookie and will also send it within the HTTP protocol.

If you click Edit and launch FrontPage, one of two things happens. Either Internet Explorer 4.0 fails to give FrontPage a copy of the cookie, or FrontPage is not designed to be able to cope with cookies within its understanding of HTTP. What happens is that it launches a connection to the web server without a cookie, and therefore will receive the web server challenge. In this scenario what will happen is that you will appear to have been given the ability to edit the "Enter PASSCODE" page.  Needless to say you would not be able to save the page back onto the web site.

Two articles on the Microsoft web site relate to this issue:

1. "Q152197 FP1:Authentication Scheme (NTLM) Not Supported Error" and "Q142868 IIS: Authentication & Security Features"

2. The second of the two articles advises that "If you need a WWW request authentication scheme not supported by the service directly, obtain a copy of the Internet Server API (ISAPI) Software Developer's Kit (SDK), and read the ISAPI Filters specification on how to develop user-written ISAPI Filter DLLs that handle request authentication." However, that is exactly what is being used by RSA ACE/Agent for Web. It is likely that FrontPage would have to be modified to correctly cope with non-default authentication schemes.

Visual InterDev from Microsoft also uses the Front page extensions and hence does not function when RSA ACE/Agent for Web is enabled.
ResolutionThe possible workaround is to copy the pages (to be edited) to an unprotected area and complete the editing and put them back on protected web server.

NOTE: This restriction is not limited to RSA SecurID alone. Any Internet security that uses cookies will hit the same limitation in FrontPage. Similar issues have been found by the customers attempting to update pages through firewalls.
Legacy Article ID6.0.1316041.2738340

Attachments

    Outcomes