The product page for RSA Authentication Agent for Microsoft AD FS says it is qualified on Server 2012 R2.
We have installed it on a 2016 server but encounter an error after username/password authentication. The message logged to the event log is: No style sheet is configured in the active theme for default locale [en-AU/3081]. The SAML response sent indicates a Responder error.
I've confirmed that disabling multi-factor authentication results in a successful response, so it does appear to be the RSA ADFS agent triggering this.
Just wanted to confirm that the RSA ADFS authentication agent (1.0.1) does not yet support ADFS 4.0/Server 2016 - and not that I've somehow messed up the installation.
Assuming that this just isn't supported yet, are there any plans to add support for ADFS 4.0?
We did do a pilot installation on 2012 R2 which appeared to work fine - it was on a separate domain without any tokens so we weren't able to test actually logging in with a token, but we did receive the RSA Securid token prompt after password authentication. We would prefer to use 2016 due to the increased customisation options for the sign-in pages... which appears to be exactly what the problem is.
For more information, the stack trace from the error suggests it is caused by trying to invoke the external authentication agent:
Microsoft.IdentityServer.Web.WebConfigurationException: No style sheet is configured in the active theme for default locale [en-AU/3081].
at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
- Auth Agent
- Authentication Agent
- Community Thread
- Forum Thread
- RSA SecurID
- RSA SecurID Access
We have officially qualified the agent for Windows Server 2016. Please see notification here:
Kenn Min Chong (He/him/his)
Principal Product Manager
I can't help with your error but I can tell you I have successfully installed this agent on Windows 2016 (ADFS 4.0). I had it running in Production in 2012R2 and am now successfully running this in production using Windows 2016.
You can shoot me an email if you like and I can go over the details of our setup, if that helps.
Thanks for your response - that's quite interesting. I might try re-installing it a few times to see if I can get it working as well.
Would you mind answering a few quick questions about your install process, in case there's some specific sequence that works/doesn't work?
- Did you install the RSA ADFS agent before or after configuring ADFS itself?
- Have you customised the 'theme' at all, and if so are you using the default theme or a new one?
- Is your ADFS 4.0 brand new or upgraded/migrated from the 2012 R2 one?
Thank you for jumping in and offering to assist Paul Trimboli with his ADFS agent configuration.
That, ladies and gentlemen, is the RSA SecurID Suite community in action!
If you guys come up with anything that could be useful to the community, please be sure to post it here.
Hi Paul, great questions.
1. After. I got ADFS working and then installed the RSA ADFS agent.
2. No, I've never customized themes at all. Sorry I have no experience with editing the UI at all.
3. It's migrated from 2012R2. I had 2x 2012R2 servers in a farm, and then I added 2x 2016 servers. I installed the RSA agent on the new servers. About a week later I removed the 2012R2 servers, and then I upgraded the Farm Behaviour level.
Perhaps you could try deploying a brand new 2016 server, installing ADFS in a standalone farm, and seeing if the agent installs and works okay?
Thanks for those details.
Our install was on a brand-new single-server farm (being implemented specifically to provide SAML authentication to a third-party), so I'm wondering if perhaps the key is to install it in an existing ADFS 3 farm, and then upgrade it? That seems to be the only significant difference between our setups. Perhaps the upgrade process migrates the v3 forms to v4 format so it keeps working, but installing directly into a v4 farm means it's missing something.
Unfortunately we don't really have the time to try a whole bunch of scenarios - plus there doesn't seem to be any indication that Server 2016 is officially supported so it's a little too risky for us.
We'll look at migrating to Server 2016/ADFS 4 if the Securid agent becomes officially supported on that platform.
Thanks again for responding, perhaps this thread will be helpful for someone else.
Thanks, and it looks like we have a show-stopper for a customer's planned upgrade here. We need the RSA ADFS agent released/supported on Windows 2016 / ADFS 4. Please pass this on!
While we're at it, I have a need to use RSA SecurID as my MFA solution for AzureAD, when not using ADFS as the sign-in method. I.e., all of our users have RSA tokens today, and I don't want to switch away from this and start using Microsoft's MFA solution, but that seems the easiest/only MFA solution for AzureAD authentication. Is there a solution on the way for SecurID customers looking to use MFA and AzureAD for their applications?
It looks like we have open requests for enhancement for both of the things you ask.
AM-29759 for Authentication Manager support for Microsoft Azure and AAWIN-2366 for ADFS v4 for Windows 2016 support.
Please contact RSA support to open a case. This will add your company to the list of others asking for this functionality. The more cases linked to an RFE, the more likely product management is to add the feature.
Great to know, thanks B1fQpWp0Er9BI4ZmqBP9R2k0AFScN6CUsaPcsyfuRCQ= ! That really is the https://community.rsa.com/community/products/securid?sr=search&searchId=c78acfa8-5e3f-451c-b0f4-24494a281126&searchIndex=0 community in action.