Article Number
000030778
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent
RSA Version/Condition: 8.x
Issue
SharePoint access works with RSA SecurID logon when it is initiated on the local Windows 2012 Server that hosts the SharePoint site, but not from anywhere else. Remote authentication to SharePoint through SecurID causes the authentication logon page to loop: as soon as authentication succeeds, control is passed from RSA to SharePoint, at which point SharePoint rejects the authentication with an access denied message or the message that you do not have access to this page. SharePoint then redirects the user back to RSA, which produces the authentication page loop that we see.
The RSA aceclient.log reports AUTH_DONE and then builds the cookie that allows integration into SharePoint by UserID, but the redirect to SharePoint fails. Originally we suspected this was because the cookie carried bad or incorrect information (possibly the time), or because the IIS Application Pool Identity was a local account rather than the Network Service account.
Cause
The cookie passed to SharePoint contains the browser's IP address, which only matches the IIS server host when a local browser is used.
Resolution
To resolve this issue, enable the option Ignore Browser IP Address for Cookie Validation on the RSA authentication agent setup page for the SharePoint site in IIS.
The following configuration will be documented in a future release of the RSA Authentication Agent for Web Setup and Configuration Guide or in the release notes.
If the application pool of SharePoint 2013 runs under a different user (Identity), the following steps need to be completed.
- Go to the SharePoint 2013 Central Administrator Page.
- Open the Security page.
- Click on Configure service accounts under the General Security tab, which opens the Service Accounts page. There you will find five SharePoint-related services in the list:
  - Windows Service - Microsoft SharePoint Foundation Sandboxed Code Service
  - Windows Service - SharePoint Server Search
  - Web Application Pool - SharePoint - 80
  - Service Application Pool - SharePoint Web Services Default
  - Service Application Pool - SharePoint Web Services System
- Give privileges to the user account that is set as the Identity of the Application Pools in IIS. To give privileges:
  - If the user has not been registered in SharePoint, register it by clicking Register new managed account.
  - If the user has already been registered, select the user from Select an account for this component for each of the above services, one by one.
  - Save the configuration by clicking OK after each modification. Finally, verify that all of the above services have been modified as suggested.
- In the Connections pane of IIS Manager, double-click server_name, and click Sites > SharePoint_Site. Click RSA SecurID from the home page.
- Check the option to Ignore Browser IP Address for Cookie Validation.
- Restart IIS by running iisreset from a command prompt.
For single-sign on:
- Perform all of the steps listed above.
- Access System32 > inetsrv > config > applicationHost.config.
- Search for SecurIDHandler in the file and add the following entry after that line. RSASinglesignon.dll can be found inside the Web Agent installation directory (replace PATH_TO_ with that directory):
<add name="SecurIDSSOModule" image="PATH_TO_RSASinglesignon.dll" />
- In the Connections pane of IIS Manager, double click server_name, and click Sites > SharePoint_Site.
- In the SharePoint_Site Home pane, double click Modules.
- In the Action pane, click Configure Native Modules and add the SecurIDSSOModule.
- In the Connections pane of IIS Manager, double click server_name, and click Sites > SharePoint_Site > WebID.
- In the WebID Home pane, double click Modules.
- In the Actions pane, select the SecurIDSSOModule, and click Remove.
- Restart IIS by running iisreset from a command prompt.
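The single sign-on module steps above can also be applied and verified from PowerShell with the built-in WebAdministration module. This is an added example, not part of the RSA article or the Web Agent; it assumes the IIS site is named SharePoint_Site, the RSA application beneath it is WebID, the application pool is SharePoint - 80, and that $dllPath is edited to point at RSASinglesignon.dll in your Web Agent installation directory.

```powershell
# Added example (not RSA's code): scripted equivalent of the SSO module steps.
Import-Module WebAdministration

$moduleName = 'SecurIDSSOModule'
$dllPath    = 'C:\PATH_TO_WEBAGENT\RSASinglesignon.dll'   # assumed placeholder; set to the real install path
$appHost    = 'MACHINE/WEBROOT/APPHOST'                     # applicationHost.config
$sitePath   = 'IIS:\Sites\SharePoint_Site'                  # assumed site name
$webIdPath  = 'IIS:\Sites\SharePoint_Site\WebID'            # assumed RSA application name

# 1. Register the native module in <globalModules> (the manual edit placed after SecurIDHandler).
$global = Get-WebConfiguration -PSPath $appHost -Filter "system.webServer/globalModules/add[@name='$moduleName']"
if (-not $global) {
    Add-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/globalModules' -Name '.' `
        -Value @{ name = $moduleName; image = $dllPath }
}

# 2. Enable the module on the SharePoint site (IIS Manager: Modules > Configure Native Modules).
$siteMod = Get-WebConfiguration -PSPath $sitePath -Filter "system.webServer/modules/add[@name='$moduleName']"
if (-not $siteMod) {
    Add-WebConfigurationProperty -PSPath $sitePath -Filter 'system.webServer/modules' -Name '.' `
        -Value @{ name = $moduleName }
}

# 3. Remove the module from the WebID application, as the procedure directs.
$webIdMod = Get-WebConfiguration -PSPath $webIdPath -Filter "system.webServer/modules/add[@name='$moduleName']"
if ($webIdMod) {
    Remove-WebConfigurationProperty -PSPath $webIdPath -Filter 'system.webServer/modules' -Name '.' `
        -AtElement @{ name = $moduleName }
}

# 4. Show the pool identity: a custom account means the managed-account steps above apply.
$pool = Get-ItemProperty 'IIS:\AppPools\SharePoint - 80' -Name processModel
"SharePoint - 80 identityType: $($pool.identityType) userName: $($pool.userName)"

# 5. Restart IIS so the module changes take effect.
iisreset
```

Run it from an elevated PowerShell prompt on the SharePoint server; the Ignore Browser IP Address for Cookie Validation option is stored by the RSA agent rather than in IIS configuration and still has to be set on the agent's setup page.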