|Applies To||RSA Product Set: Archer|
RSA Product/Service Type: RSA Archer (On-Premise)
RSA Version/Condition: 6.X
|Issue||When Windows Authentication is enabled the following issues are observed:|
Steps to confirm you are impacted by this issue are below:
This behavior is caused by a setting within Windows pertaining to Microsoft Internet Explorer in combination with different authentication mechanisms across different portions of the RSA Archer web application. It will be seen in any part of 6.x which has been modernized from using Silverlight. The behavior will affect anyone who is using Internet Explorer 11 as their main browser for end-user pages, and who simultaneously has enabled Windows Authentication on IIS. These pages are affected because they are rendered in the UI (which is served from a WinAuth endpoint) but retrieve their data via a call to the RESTful API, (which is behind an Anonymous endpoint).
Investigations continue into enhancements in the RESTful API that will render the condition which causes this behavior obsolete. This will be addressed at a later time.
There is a range of alternative options available to customers who are affected by this behavior. Anyone of these approaches will address the behavior and cause the problem to be resolved. RSA recommends each customer individually assess the four options listed and determine a suitable approach.
Workaround 2: Encourage non-admin users to use a different supported browser such as Chrome in place of Internet Explorer 11. While, obviously, admins will still need Internet Explorer to access Silverlight based pages, most users do not need access to these pages. For these users, if corporate policies permit different browsers, this may be an appropriate resolution to this issue.
Workaround 3: Enable Kerberos on the Archer Web Server(s) (See: https://support.microsoft.com/en-us/help/929650/how-to-use-spns-when-you-configure-web-applications-that-are-hosted-on for instructions). If this setting is changed, the problem will not reoccur as the place the issue is coming from is in the client-server handshake and Kerberos manages this in a different way. This option will resolve the issue for customers whose users are hitting the RSA Archer environment within the bounds of their network, and where there is network connectivity to a Domain Controller.
Workaround 4: Contrary to the instructions in the Installation Guide, Windows Authentication may be enabled on the ArcherAPI site in IIS. This issue will no longer be present and the RSA Archer web application will continue to work correctly.
RSA appreciates that these four workarounds will suit different customers to different degrees. Between them, they provide a range of options to allow the issue to be overcome."