000021904 - OWA Single Sign-On (SSO) using SecurID is failing. Users are prompted for Windows password.

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3

Article Content

Article Number: 000021904

Applies To:
  • RSA Authentication Agent 5.3 for Web for Microsoft IIS
  • RSA ACE/Server 5.x
  • RSA Authentication Manager 6.0
  • Microsoft Windows Server 2003 Domain Controller (functional level raised to Windows 2003)
  • Microsoft Exchange Server 2003
  • RSA ACE/Agent is configured correctly according to the installation guide
  • Users are prompted for SecurID, then NTLM. If NTLM succeeds, users get their mailbox.
  • Netmon capture proves that no Kerberos authentication is being passed from front end to back end

Issue: OWA Single Sign-On (SSO) using SecurID is failing. Users are prompted for Windows password.

Cause: It is likely that the front end server is missing a required Microsoft hot fix. Without the hot fix, Single Sign-On (SSO) will never work.

Resolution: To correct this issue, install Windows 2003 Service Pack 1 on all domain controllers as described in Microsoft KB 841103.

Legacy Article ID: a25638