I'm trying to configure single sign-on for Exchange 2016 OWA and ECP. I'd like to have the user enter the RSA token and immediately log on to the server without also requiring the password.
Windows Server 2012 R2 (with .NET 3.5)
Exchange 2016 (15.1, Build 1591.10)
RSA Authentication Manager 8.3 (1 replica partner)
RSA Web Agent for IIS 8.0.2
Currently, logging on to OWA and ECP prompts for both the token and password. I've followed the document "RSA Authentication Agent 8.0 for Web for IIS 7.5, 8.0, 8.5, and 10 Installation and Configuration Guide, Revision 2", starting on page 93 "Prepare to Set Up SSO Access".
I followed the instructions for “Configure Outlook Web App (OWA) and WebID for Anonymous Access in Microsoft Exchange Server 2013 or 2016”, “Enable Single Sign-On in Microsoft Exchange Server 2013 or 2016” and “Verify Application Pool Settings in Microsoft Exchange Server 2013 or 2016”. Unfortunately, when I follow these, I get an HTTP 500 error when I use my administrator account for OWA or ECP. My non-administrator account is able to log on to OWA.
I tried the Optional steps under “Verify Application Pool Settings in Microsoft Exchange Server 2013 or 2016”, adding an administrator account to the Identity “RSA SecurID Pool” under Application Pools, but then I wasn’t even able to get to the RSA logon screen. I got an error “Service Unavailable: HTTP Error 503. The service is unavailable.” I also tried adding the same administrator account to the Identity in “RSA SecurID Pool32”.
It's fine (actually preferable) to have users be able to access OWA with SSO, but not administrators. A number of times during my attempts to get this working, users have been able to access OWA with SSO, but administrators get an error when accessing OWA or ECP.
I've opened a support case with RSA, but the person I'm working with hasn't been able to get this working either. Any suggestions on how to get this working?
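The following PowerShell is an added diagnostic example, not part of the original post and not from the RSA guide. It pulls out the IIS state that the SSO steps described above change (the identity and running state of the two RSA application pools, the authentication modules enabled on the owa and ecp virtual directories, and recent WAS events), so that the 503 seen after changing the pool identity and the 500 seen for administrator accounts can be tied to a concrete setting. The site name 'Default Web Site' and the pool names are taken from the post; that the site name is correct on this server is an assumption, and the script must be run elevated on the Exchange server.

```powershell
# Added diagnostic (not from the original post or the RSA guide).
# Assumptions: site is 'Default Web Site'; pool names as given in the post;
# run from an elevated PowerShell on the Exchange 2016 server.
Import-Module WebAdministration

$site  = 'Default Web Site'
$pools = 'RSA SecurID Pool', 'RSA SecurID Pool32'

# 1. Application pool state and identity.
#    A pool configured with a specific user whose credentials cannot be
#    validated is stopped by WAS on the first request; IIS then answers 503.
foreach ($p in $pools) {
    $pool = Get-Item "IIS:\AppPools\$p" -ErrorAction SilentlyContinue
    if (-not $pool) { Write-Warning "App pool '$p' not found"; continue }
    [pscustomobject]@{
        Pool         = $p
        State        = $pool.state
        IdentityType = $pool.processModel.identityType   # e.g. ApplicationPoolIdentity, SpecificUser
        UserName     = $pool.processModel.userName
        Enable32Bit  = $pool.enable32BitAppOnWin64
    }
}

# 2. Authentication modules on the virtual directories the guide reconfigures.
#    The anonymous-access step should leave anonymousAuthentication enabled
#    on owa; compare owa and ecp side by side.
foreach ($vdir in 'owa', 'ecp') {
    $path = "IIS:\Sites\$site\$vdir"
    foreach ($auth in 'anonymousAuthentication', 'windowsAuthentication', 'basicAuthentication') {
        $enabled = Get-WebConfigurationProperty -PSPath $path `
            -Filter "system.webServer/security/authentication/$auth" -Name enabled
        '{0,-5} {1,-25} enabled={2}' -f $vdir, $auth, $enabled.Value
    }
}

# 3. WAS events from the last hour. Relevant IDs:
#    5021 = pool identity invalid (bad password or missing batch-logon right)
#    5057 = pool disabled because its identity is invalid
#    5002 = pool disabled by rapid-fail protection after worker process crashes
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-WAS'
        StartTime    = (Get-Date).AddHours(-1)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

A stopped pool together with WAS event 5021 or 5057 is the usual cause of the "503 Service Unavailable" seen right after an account is set as the pool identity: the password was mistyped or the account lacks the "Log on as a batch job" right, so WAS never starts a worker process. Whether that is what happened here is not established by the post. Note also that setting an Exchange administrator account as an IIS application pool identity gives every request handled by that worker process the administrator's rights; the guide's optional step should be treated as a troubleshooting measure, not a final configuration.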