Article ID: 925165
Article Last Modified on 5/16/2007
APPLIES TO
- Microsoft Internet Security and Acceleration Server 2006 Standard Edition
- Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows registry
SYMPTOMS
You configure a Web listener for a publishing rule in Microsoft Internet Security and Acceleration (ISA) Server 2006. In this Web listener, you select the RSA SecurID option as the method that ISA Server 2006 uses to validate client credentials. After you do this, you experience the following symptoms:
- User authentication does not work.
- The following error message is logged in the Application log:
Note If you use the Sdtest.exe command-line tool to test authentication, authentication appears to work correctly.
CAUSE
This problem may occur if one or both of the following conditions are true:
- The computer that is running ISA Server has multiple network interfaces. Additionally, the PrimaryInterfaceIP registry entry does not contain the IP address that ISA Server uses to communicate with the RSA ACE/Server.
- The shared secret file is not stored in the correct location.
RESOLUTION
To troubleshoot this problem, follow these steps:
- If the computer that is running ISA Server has multiple network interfaces, verify that the PrimaryInterfaceIP registry entry contains the IP address of the network interface that ISA Server uses to communicate with the RSA ACE/Server. This registry entry is located in the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\AceClient\
- Verify that all the sessions that are connected to the published server by using the Web publishing rule are closed or disconnected.
- If you used the Sdtest.exe command-line tool to create the shared secret with the RSA ACE/Server, you must copy the shared secret file from the %windir%\System32\Sdconfig folder to the ISA Server installation folder's Sdconfig subfolder. For example, if ISA Server is installed in the %ProgramFiles%\Microsoft ISA Server folder, copy the shared secret file from the %windir%\System32\Sdconfig folder, and then paste it in the %ProgramFiles%\Microsoft ISA Server\Sdconfig folder.
- Stop and then restart the Microsoft Firewall service.
MORE INFORMATION
For more information about authentication support for the RSA SecurID option in ISA Server, visit the following Microsoft Web site:
Keywords: kbfirewall kbeventlog kbtshoot kbprb KB925165