RSA Authentication Agent for Web for IIS 7.1.3 SSO not working with SharePoint 2010 through Threat Management Gateway (TMG), getting double logon prompt
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Web for IIS
RSA Version/Condition: 7.1.2, 7.1.3 for IIS
Platform: Windows
Platform (Other): Microsoft Windows Server 2008 R2
We are trying to get the web agent version 7.1.3 working with SharePoint 2010 in combination with SSO. This is claimed to be fixed in version 7.1.3 of the web agent (Tracking number: AAIIS-1111). We did pre-configuration according to the release notes of the agent with software version 7.1.3 and then configured the agent and SharePoint by following the instructions in the web agent installation and configuration guide. This guide only contains at some point instructions for SharePoint 2007 and not for SharePoint 2010, but we configured SharePoint 2010 to achieve the same result. However, we are still unable to get this working. We still get an HTTP 403 Forbidden message. We are able to get the same successfully working with Microsoft IIS.
The cookie used by the TMG uses epoch time, and when that epoch time was entered into an epoch time converter, the time was found to be 26 hours late, or old. Setting the time on the TMG server ahead by 26 hours allowed SSO to work with the web agent and SharePoint.
For the fix (from AAIIS-96 back in Web Agent 5.3) to take effect, define a string value called "Agent50CompatibleCookies" in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\RSAWebAgent.
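The epoch-time comparison described above can be scripted instead of pasted into a converter. The following is an added example, not RSA or Microsoft code: it assumes the epoch value has already been read out of the cookie (the cookie layout is not described here), and the function names, the 5-minute tolerance and the sample timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Assumption: illustrative tolerance; the page does not say how much skew is accepted.
TOLERANCE = timedelta(minutes=5)
# Constructed sample: a reference clock reading and a cookie stamped 26 hours earlier.
REFERENCE = datetime(2012, 3, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_COOKIE_EPOCH = int((REFERENCE - timedelta(hours=26)).timestamp())


def epoch_to_utc(value):
    """Convert an epoch value (int or digit string, seconds or milliseconds) to UTC."""
    n = int(str(value).strip())
    if n < 0:
        raise ValueError("epoch value must be non-negative")
    # 1e11 seconds is past the year 5000, so anything that large is milliseconds.
    if n >= 100_000_000_000:
        return EPOCH + timedelta(milliseconds=n)
    return EPOCH + timedelta(seconds=n)


def cookie_clock_skew(cookie_epoch, reference_utc, tolerance=TOLERANCE):
    """Compare a cookie's epoch stamp with a trusted clock reading.

    Negative skew means the stamp is older than the reference, as on the page."""
    if reference_utc.tzinfo is None:
        raise ValueError("reference time must be timezone-aware (UTC)")
    stamped = epoch_to_utc(cookie_epoch)
    skew = stamped - reference_utc
    if abs(skew) <= tolerance:
        verdict = "ok"
    elif skew < timedelta(0):
        verdict = "stale"
    else:
        verdict = "future"
    return {
        "stamped_utc": stamped.isoformat(),
        "skew_hours": round(skew.total_seconds() / 3600, 2),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(cookie_clock_skew(SAMPLE_COOKIE_EPOCH, REFERENCE))
```

Pass the reference time from a clock you trust (for example the domain time source) rather than from the TMG server itself, since that server's clock is the one under suspicion.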