- The RSA Authentication Agent for Web: IIS is configured to challenge users from AD groups.
- RSA SecurID is enabled on a certain website that requires login with a password. The same applies to OWA.
- The user browses to the page and authenticates successfully using an RSA SecurID passcode.
- The redirection to the OWA page fails with the following error:
FORBIDDEN
Your client does not have permissions to get this URL from the server.
- The following error appeared in the IIS logs:
[3616] 12:23:08.542 File:.\WAModule.cpp Line:420 # Group Security is enabled; check group permissions
[3616] 12:23:08.542 File:.\WAModule.cpp Line:421 # First, get the physical file path associated with this request.
[3616] 12:23:08.542 File:.\WAModule.cpp Line:427 # checkGroupSecurity() -- szURLPath is: /
[3616] 12:23:08.542 File:.\WAModule.cpp Line:470 # checkGroupSecurity() -- Widechar physical path is: C:\COR\RSA
[3616] 12:23:08.542 File:.\WAModule.cpp Line:488 # checkGroupSecurity() -- szPhysicalPath is: C:\COR\RSA
[3616] 12:23:08.542 File:..\IISWebAgentIF.cpp Line:717 # Entering CIISAgentIFFilter:::HasGroupPermission()
[3616] 12:23:08.542 File:..\IISWebAgentIF.cpp Line:723 # Physical path :C:\COR\RSA
[3616] 12:23:08.558 File:..\IISWebAgentIF.cpp Line:761 # Allocating 164 bytes for file DACL
[3616] 12:23:08.558 File:..\IISWebAgentIF.cpp Line:812 # User has membership in the following groups:
[3616] 12:23:08.558 File:..\IISWebAgentIF.cpp Line:876 # Leaving CIISAgentIFFilter:::HasGroupPermission(), return code: -1
[3616] 12:23:08.558 File:..\IISWebAgentIF.cpp Line:619 # Entering IISWebAgentIF::SINGLE addHeader()
[3616] 12:23:08.558 File:..\IISWebAgentIF.cpp Line:620 # IISWebAgentIF::addHeader Expires: 0 Pragma: no-cache
Cache-control: no-store,no-cache,max-age=0,must-revalidate
[3616] 12:23:08.558 File:..\IISWebAgentIF.cpp Line:665 # Header content : 0 Header name :Expires
[3616] 12:23:08.558 File:..\IISWebAgentIF.cpp Line:665 # Header content : no-cache Header name :Pragma
[3616] 12:23:08.558 File:..\IISWebAgentIF.cpp Line:665 # Header content : no-store,no-cache,max-age=0,must-revalidate Header name :Cache-control
[3616] 12:23:08.558 File:..\IISWebAgentIF.cpp Line:683 # Leaving IISWebAgentIF::SINGLE addHeader()
[3616] 12:23:08.558 File:..\genhtml.cpp Line:843 # Entering GenHTMLText()
[3616] 12:23:08.558 File:..\genhtml.cpp Line:1281 # Entering LoadTemplate()
[3616] 12:23:08.558 File:..\genhtml.cpp Line:1331 # Entering GetLanguageTemplate()
[3616] 12:23:08.558 File:..\genhtml.cpp Line:1377 # Leaving ReadTemplate() : Error opening HTML template file (C:\Program Files\RSA Security\RSAWebAgent\templates\nls\en-US\style.css)
[3616] 12:23:08.558 File:..\genhtml.cpp Line:1426 # Entering GetDefaultTemplate()
[3616] 12:23:08.558 File:..\genhtml.cpp Line:1439 # GetDefaultTemplate(): pathLen: 61, path: C:\Program Files\RSA Security\RSAWebAgent\templates/style.css
[3616] 12:23:08.558 File:..\genhtml.cpp Line:1474 # GetDefaultTemplate(): Read file for cache reload of template
[3616] 12:23:08.558 File:..\genhtml.cpp Line:1499 # Entering ReadTemplate()
[3616] 12:23:08.558 File:..\genhtml.cpp Line:1526 # Leaving ReadTemplate(), success
[3616] 12:23:08.558 File:..\genhtml.cpp Line:1485 # GetDefaultTemplate(): Reloaded cache entry
[3616] 12:23:08.558 File:..\genhtml.cpp Line:1490 # Leaving GetDefaultTemplate(), template located
[3616] 12:23:08.558 File:..\genhtml.cpp Line:1314 # Leaving LoadTemplate(), got template style
[3616] 12:23:08.558 File:..\genhtml.cpp Line:1281 # Entering LoadTemplate()
[3616] 12:23:08.558 File:..\genhtml.cpp Line:1331 # Entering GetLanguageTemplate()
[3616] 12:23:08.558 File:..\genhtml.cpp Line:1377 # Leaving ReadTemplate() : Error opening HTML template file (C:\Program Files\RSA Security\RSAWebAgent\templates\nls\en-US\forbidden.htm)
[3616] 12:23:08.558 File:..\genhtml.cpp Line:1426 # Entering GetDefaultTemplate()
[3616] 12:23:08.558 File:..\genhtml.cpp Line:1439 # GetDefaultTemplate(): pathLen: 65, path: C:\Program Files\RSA Security\RSAWebAgent\templates/forbidden.htm
[3616] 12:23:08.574 File:..\genhtml.cpp Line:1474 # GetDefaultTemplate(): Read file for cache reload of template
[3616] 12:23:08.574 File:..\genhtml.cpp Line:1499 # Entering ReadTemplate()
[3616] 12:23:08.574 File:..\genhtml.cpp Line:1526 # Leaving ReadTemplate(), success
[3616] 12:23:08.574 File:..\genhtml.cpp Line:1485 # GetDefaultTemplate(): Reloaded cache entry
[3616] 12:23:08.574 File:..\genhtml.cpp Line:1490 # Leaving GetDefaultTemplate(), template located
[3616] 12:23:08.574 File:..\genhtml.cpp Line:1314 # Leaving LoadTemplate(), got template forbidden
[3616] 12:23:08.574 File:..\genhtml.cpp Line:902 # Leaving GenHTMLText()
The customer is using the AD groups challenge settings, and Group Security is enabled in IIS Manager (RSA SecurID for the website > Other settings).
The Enable Group Security option is used when the users are added to a local group and configured in the default shell in RSA Authentication Manager.
This setting blocks the user from being redirected to the OWA page and displays the Forbidden template with the 403 error.
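A triage sketch for the trace pattern above, added here as an example and not RSA's code: it pairs each Group Security check with a forbidden-template load on the same thread ID and reports the URL, physical path, logged groups and return code. The function name, the record fields and the one-group-per-trace-line reading of the membership listing are assumptions.

```python
import re

# One trace line, in the shape shown in the log excerpt on this page.
LINE = re.compile(r"^\[(\d+)\]\s+(\d\d:\d\d:\d\d\.\d+)\s+File:(\S+)\s+Line:(\d+)\s+#\s+(.*)$")
RETCODE = re.compile(r"Leaving \S*HasGroupPermission\(\), return code: (-?\d+)")

# Sample input: a subset of the trace lines quoted on this page, in order.
SAMPLE = r"""
[3616] 12:23:08.542 File:.\WAModule.cpp Line:420 # Group Security is enabled; check group permissions
[3616] 12:23:08.542 File:.\WAModule.cpp Line:427 # checkGroupSecurity() -- szURLPath is: /
[3616] 12:23:08.542 File:..\IISWebAgentIF.cpp Line:723 # Physical path :C:\COR\RSA
[3616] 12:23:08.558 File:..\IISWebAgentIF.cpp Line:812 # User has membership in the following groups:
[3616] 12:23:08.558 File:..\IISWebAgentIF.cpp Line:876 # Leaving CIISAgentIFFilter:::HasGroupPermission(), return code: -1
[3616] 12:23:08.558 File:..\IISWebAgentIF.cpp Line:620 # IISWebAgentIF::addHeader Expires: 0 Pragma: no-cache
Cache-control: no-store,no-cache,max-age=0,must-revalidate
[3616] 12:23:08.574 File:..\genhtml.cpp Line:1314 # Leaving LoadTemplate(), got template forbidden
"""

def find_group_security_denials(trace_text):
    """Return one record per request where a Group Security check was
    followed, on the same thread, by the agent loading the forbidden template."""
    open_checks, findings = {}, []
    for raw in trace_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines and wrapped header text
        tid, ts, msg = m.group(1), m.group(2), m.group(5)
        if msg.startswith("Group Security is enabled"):
            open_checks[tid] = {"thread": tid, "time": ts, "url": None, "path": None,
                                "groups": [], "return_code": None, "listing": False}
            continue
        chk = open_checks.get(tid)
        if chk is None:
            continue
        rc = RETCODE.search(msg)
        if "szURLPath is: " in msg:
            chk["url"] = msg.split("szURLPath is: ", 1)[1].strip()
        elif msg.startswith("Physical path :"):
            chk["path"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("User has membership in the following groups"):
            chk["listing"] = True
        elif rc:
            chk["return_code"], chk["listing"] = int(rc.group(1)), False
        elif chk["listing"]:
            chk["groups"].append(msg)  # assumption: one group per trace line
        elif msg.endswith("got template forbidden"):
            chk.pop("listing")
            findings.append(open_checks.pop(tid))
    return findings
```

A record with an empty `groups` list next to a protected path, as in the trace on this page, is the signature to look for before changing the Group Security setting.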
To resolve this redirection issue, disable the Enable Group Security option.