000022708 - Error: 'HTTP/1.1 401 unauthorized' after SecurID authenticating to OWA

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000022708
Applies To
Microsoft Outlook Web Access (OWA) using Single Sign-On (SSO)

RSA Authentication Agent 5.3 for Web for Microsoft IIS
Multiple back end exchange servers
Microsoft Exchange Server 2003 Service Pack 2
Windows 2003 Service Pack 1 running in 2003 native mode
IssueError: "HTTP/1.1 401 unauthorized" after SecurID authenticating to OWA
Users are able to access their mailbox if they go to a particular BE server, but if they go to another (possibly remote), they fail with error "HTTP/1.1 401 unauthorized"
CauseOur implementation of single sign-on (SSO) replies constrained delegation for the Exchange BE server to trust the Kerberos Authentication from the FE.  Without the proper delegation settings for each BE, the service will be denied access at the BE and you will get the error above.
ResolutionTo correct this issue, add delegation rights for each BE server from the FE. See task 1, page 52 of the RSA Authentication Agent 5.3 for Web for Microsoft IIS Installation and Configuration Guide for detailed instructions.
Legacy Article IDa29964

Attachments

    Outcomes