Microsoft KB Archive/925165



User authentication does not work after you select the RSA SecurID option in ISA Server 2006

Article ID: 925165

Article Last Modified on 5/16/2007



APPLIES TO

  • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition



Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry


SYMPTOMS

You configure a Web listener for a publishing rule in Microsoft Internet Security and Acceleration (ISA) Server 2006. In this Web listener, you select the RSA SecurID option as the method that ISA Server 2006 uses to validate client credentials. After you do this, you experience the following symptoms:

  • User authentication does not work.
  • The following error message is logged in the Application log:

    Event Type: Error
    Event Source: ACECLIENT
    Event Category: (1)
    Event ID: 1001
    Date: date
    Time: time
    User: N/A
    Computer: ServerName
    Description: File not found: C:\Program Files\Microsoft ISA Server\SDCONFIG.
    Data: 0000: 00000000

Note If you use the Sdtest.exe command-line tool to test authentication, authentication appears to work correctly.

CAUSE

This problem may occur if one or both of the following conditions are true:

  • The computer that is running ISA Server has multiple network interfaces. Additionally, the PrimaryInterfaceIP registry entry does not contain the IP address that ISA Server uses to communicate with the RSA ACE/Server.
  • The shared secret file is not stored in the correct location.


RESOLUTION

To troubleshoot this problem, follow these steps:

  1. If the computer that is running ISA Server has multiple network interfaces, verify that the PrimaryInterfaceIP registry entry contains the IP address of the network interface that ISA Server uses to communicate with the RSA ACE/Server. This registry entry is located in the following registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\AceClient\

  2. Verify that all the sessions that are connected to the published server by using the Web publishing rule are closed or disconnected.
  3. If you used the Sdtest.exe command-line tool to create the shared secret with the RSA ACE/Server, you must copy the shared secret file from the %windir%\System32\Sdconfig folder to the ISA Server installation folder's Sdconfig subfolder. For example, if ISA Server is installed in the %ProgramFiles%\Microsoft ISA Server folder, copy the shared secret file from the %windir%\System32\Sdconfig folder, and then paste it in the %ProgramFiles%\Microsoft ISA Server\Sdconfig folder.
  4. Stop and then restart the Microsoft Firewall service.
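
The checks in steps 1 and 3 can be scripted. The following Windows PowerShell script is an added example, not part of the original Microsoft article. The `$ExpectedIP` and `$IsaDir` parameters are assumptions that the administrator supplies, and the default address is a constructed sample value.

```powershell
# Added example: read-only check of the two causes listed in the article.
param(
    [string]$ExpectedIP = '192.0.2.10',   # assumption: constructed sample address
    [string]$IsaDir = (Join-Path $env:ProgramFiles 'Microsoft ISA Server')  # assumption
)
$findings = @()

# Step 1: PrimaryInterfaceIP must hold the address used to reach the RSA ACE/Server.
$key = 'HKLM:\SOFTWARE\SDTI\AceClient'
$configured = $null
if (Test-Path $key) { $configured = (Get-ItemProperty -Path $key).PrimaryInterfaceIP }
$adapters = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
$localIPs = @($adapters | ForEach-Object { $_.IPAddress })

if (-not $configured) {
    if ($adapters.Count -gt 1) {
        $findings += "PrimaryInterfaceIP is not set and $($adapters.Count) interfaces are IP-enabled."
    }
} elseif ($localIPs -notcontains $configured) {
    $findings += "PrimaryInterfaceIP '$configured' is not assigned to any local interface."
} elseif ($configured -ne $ExpectedIP) {
    $findings += "PrimaryInterfaceIP '$configured' differs from expected '$ExpectedIP'."
}

# Step 3: files created by Sdtest.exe must also exist under the ISA Server folder.
$src = Join-Path $env:windir 'System32\Sdconfig'
$dst = Join-Path $IsaDir 'Sdconfig'
if (Test-Path $src) {
    if (-not (Test-Path $dst)) {
        $findings += "Missing: $dst"
    } else {
        foreach ($f in @(Get-ChildItem -Path $src | Where-Object { -not $_.PSIsContainer })) {
            $target = Join-Path $dst $f.Name
            if (-not (Test-Path $target)) {
                $findings += "Not copied: $($f.Name)"
            } elseif ($f.Length -ne (Get-Item $target).Length) {
                $findings += "Size differs from source: $($f.Name)"
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No mismatch found for steps 1 and 3.'
} else {
    $findings
}
```

The script changes nothing on the server. Steps 2 and 4 still have to be carried out after any correction.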


MORE INFORMATION

For more information about authentication support for the RSA SecurID option in ISA Server, visit the following Microsoft Web site:

Keywords: kbfirewall kbeventlog kbtshoot kbprb KB925165