000025899 - How to SecurID-protect OWA using single sign-on (SSO) when OWA is in a cluster

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 4

Article Content

Article Number: 000025899
Applies To: RSA Authentication Agent 5.3 for Web
Microsoft Windows Server 2003
Microsoft Exchange Server 2003
Microsoft Outlook Web Access (OWA)
Single Sign-On (SSO)
Issue: How to SecurID-protect OWA using single sign-on (SSO) when OWA is in a cluster
Users are prompted for an Exchange authentication after the SecurID challenge. The authentication requests fail, even if the correct Windows password is used.
Error: "401 unauthorized" when trying to access mailboxes using Outlook Web Access (OWA)
Cause: RSA Security's setup instructions refer to a basic OWA Exchange Front End / Back End configuration. In that configuration, the Front Ends communicate directly with the Back End Exchange servers. When the Back End servers are in a cluster, the Front Ends communicate with one or more virtual servers instead.
Resolution: Using Step 1 on page 52 of the RSA Authentication Agent 5.3 for Web Installation and Configuration Guide (file name: WebAgent_IIS.pdf), set up the Delegation rights to the Virtual Servers and verify that the Virtual Servers have the proper SPN settings.

See the article "Error: '401 unauthorized' when trying to access mailboxes through SecurID-/SSO-protected OWA" for instructions to set SPNs.
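
One way to carry out the "verify the SPN settings" step across several virtual servers is to parse saved `setspn -L <virtual server>` output and report what is missing. This is an added example, not code from RSA or the guide. It assumes the delegation target is the HTTP service class registered in both short-name and FQDN form; the server names, the `example.com` domain and the sample output are constructed.

```python
import re

# Constructed sample `setspn -L` output, keyed by virtual server name.
SAMPLE_OUTPUT = {
    "EXVS1": """Registered ServicePrincipalNames for CN=EXVS1,CN=Computers,DC=example,DC=com:
    HTTP/exvs1
    HTTP/exvs1.example.com
    exchangeMDB/EXVS1
""",
    "EXVS2": """Registered ServicePrincipalNames for CN=EXVS2,CN=Computers,DC=example,DC=com:
    exchangeMDB/EXVS2
    HTTP/exvs2
""",
}


def parse_spns(setspn_output):
    """Return the SPNs listed in `setspn -L` output, lower-cased."""
    spns = set()
    for line in setspn_output.splitlines():
        line = line.strip()
        # SPN lines are a single token of the form class/host; the header
        # line contains spaces and no slash, so it does not match.
        if re.fullmatch(r"[^\s/:]+/\S+", line):
            spns.add(line.lower())  # SPN comparison is case-insensitive
    return spns


def missing_spns(virtual_server, dns_domain, setspn_output, service="HTTP"):
    """List required SPNs absent from the virtual server's account.

    Assumption: the Front End is delegated to `service` on the virtual
    server, registered under both the short name and the FQDN.
    """
    host = virtual_server.lower()
    required = [f"{service}/{host}", f"{service}/{host}.{dns_domain}"]
    present = parse_spns(setspn_output)
    return [spn for spn in required if spn.lower() not in present]


def audit(outputs, dns_domain):
    """Map each virtual server to the SPNs it still needs."""
    return {vs: missing_spns(vs, dns_domain, out) for vs, out in outputs.items()}


if __name__ == "__main__":
    for vs, missing in audit(SAMPLE_OUTPUT, "example.com").items():
        print(vs, "OK" if not missing else "missing: " + ", ".join(missing))
```
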
Legacy Article ID: a24750
