000021562 - Microsoft Internet Information Services (IIS) hangs rather than showing the 'Forbidden' page when using group security with SSL

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000021562
Applies To:
Microsoft Internet Information Services (IIS) 6.0 on Microsoft Windows Server 2003
Microsoft Internet Information Services (IIS) 5.0 on Microsoft Windows 2000
RSA ACE/Agent 5.2 for Web
Microsoft Internet Information Services (IIS) group security
Secure Socket Layer (SSL)
Issue:
Microsoft Internet Information Services (IIS) hangs rather than showing the "Forbidden" page when using group security with SSL.
After authenticating to RSA SecurID, the web browser hangs if the user does not have group access.
The "Forbidden" page is not displayed in the web browser.
Resolution:
This issue is resolved in a hot fix for RSA ACE/Agent 5.2 for Web. Contact RSA Security Customer Support to request the hot fix for defect tst42252. Review the provided Readme file for installation instructions.
The "Enable Group Security" checkbox makes the agent work as a blend of Microsoft Windows security and RSA SecurID. The notes below give a rough picture of how this feature works. Different versions of ACE/Agent for Web may have minor differences, so treat these notes only as a general guide; the formal documentation for your specific version gives the exact information.
Imagine a standard IIS system without SecurID with a series of folders owned by different departments (say "sales", "marketing" and "finance"). The usual Windows approach would be to create three Windows groups, put users in the groups and then set file permissions on the folders for those groups. When users try to access the pages they get a Microsoft Windows authentication prompt and provide their Microsoft credentials.
This has two drawbacks: firstly, you have to create users in Windows; secondly, from an RSA perspective, passwords may be weak and risky when used for web access of this nature, where two-factor authentication with tokens is a recognised improvement to this form of security.
Engineers at RSA were asked whether they could address these two issues, so, working with standard Microsoft design principles, the "Enable Group Security" feature was devised. It works as follows:
1.  Create a Windows group called "finance".
2.  Put standard Windows permissions on a folder and allow access only from the Windows group "finance".
3.  Check the "Enable Group Security" feature.
*** At this point, if you try to access the new pages you will be blocked (even after a SecurID authentication), just as you would want. The trick now is to tell the web server that the SecurID user is in the group "finance" ...
4.  Go to the ACE/Server (or Authentication Manager), edit your user and put the word "finance" in the SHELL field for the user.
5.  Now re-test.
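Steps 1 and 2 of the procedure above, as an added PowerShell example that is not part of this RSA article: it creates the local Windows group, restricts the folder's NTFS permissions to that group (plus Administrators and SYSTEM), and then audits the resulting ACL so that an unintended entry (for example Everyone or Users) is reported rather than silently left in place. The group name "finance" comes from the article; the folder path C:\inetpub\wwwroot\finance is an assumption for illustration.

```powershell
# Added example (not RSA's code). Assumes a local group named "finance" (from the
# article) and an IIS content folder at the path below (assumed for illustration).
$GroupName = 'finance'
$Folder    = 'C:\inetpub\wwwroot\finance'

# Step 1: create the Windows group that the SecurID user's SHELL field will name.
# "net localgroup" lists groups as "*name"; create the group only if it is missing.
if (-not (net localgroup | Select-String -Pattern "^\*$GroupName$" -Quiet)) {
    net localgroup $GroupName /add | Out-Null
}

# Step 2: replace the folder's permissions with an explicit, non-inherited ACL.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $false)          # stop inheriting, drop inherited ACEs
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }   # clear explicit ACEs

$Intended = @{
    'BUILTIN\Administrators'             = 'FullControl'
    'NT AUTHORITY\SYSTEM'                = 'FullControl'
    "$env:COMPUTERNAME\$GroupName"       = 'ReadAndExecute'   # the web group, read-only
}
foreach ($identity in $Intended.Keys) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, $Intended[$identity], $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Folder -AclObject $acl

# Audit: re-read the ACL and flag any identity that is not in the intended set.
$applied    = Get-Acl -Path $Folder
$unexpected = $applied.Access | Where-Object {
    -not $Intended.ContainsKey($_.IdentityReference.Value)
}
if ($unexpected) {
    Write-Warning "Unexpected ACEs on ${Folder}:"
    $unexpected | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
} else {
    Write-Output "ACL on $Folder is restricted to $GroupName (plus Administrators and SYSTEM)."
}
```

Run it from an elevated PowerShell session on the IIS host; steps 3 to 5 (the agent checkbox and the SHELL field) are still done in the agent configuration and on the ACE/Server as described above.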
What happens is that IIS accepts that you have an HTTP user (say "testuser"), but all data access is managed via the system ID "IUSR_<machinename>". IIS gives the session an "effective Group ID" of "finance" and hence allows access to the pages under the Windows permissions.
It is very important to know that these groups have nothing to do with the SecurID groups in the ACE/Server: they are the names of Microsoft Windows groups.
Legacy Article ID: a23653