One of the questions I consistently get asked during conferences is: “Does ActiveSync support RSA SecurID?”. This is a two-part answer. The short answer is “Yes, Windows Mobile and Exchange ActiveSync support SecurID”. The second part is: “But, the experience on the device is really not that good…especially if you have Scheduled Sync or DirectPush enabled”.
Let me briefly elaborate on that. The key point is that if you have SecurID enabled when the device issues a request to the server it will be challenged to enter the SecurID. From the user perspective this is a familiar form where you can just type in the SecurID, click OK and the device can sync. This is a somewhat ok experience if you manually sync every once in a while. But, if you have DirectPush you are pretty much challenged to enter the SecurID token every time you get an email…you get the point: it really becomes extremely annoying for users. Who would want to enter the SecurID token for every email?
The GREAT news is that our friends at RSA have notified us that they have a fix to improve the end-user experience and still get the SecurID benefits. In their latest RSA Web Agent update there is a new feature that allows ActiveSync sessions to be “cached” for an admin-chosen number of hours. This is better explained by an extract from RSA:
“RSA Authentication Agent 5.3 for Web for IIS enables you to use Microsoft Outlook Web Access ActiveSync without having to reauthenticate every time ActiveSync is invoked. When you invoke ActiveSync by clicking Sync on the Pocket PC, the Agent provides a one-time authentication window for ActiveSync that is valid for a default of 15 minutes. This default time setting matches the default time setting of Cookies Always Expire After the Specified Time. If you extend the duration of the browser session cookie by changing the value in the Cookies Always Expire After the Specified Time field on the Agent tab of the IIS configuration panel, you extend the one-time authentication window for ActiveSync to the same number of minutes. You can further extend the ActiveSync time window to remain valid beyond the maximum time duration of the browser session cookie by adding an entry to the registry.
To extend the ActiveSync time window:
- On the protected web server, log on as Administrator.
- Click Start > Run and in the Run dialog box, enter regedit.
- In the Registry Editor, click HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\RSAWebAgent.
- In the right pane of the Registry Editor window, right-click, and then click New > DWORD Value.
- For the new value name, enter ActiveSyncWindowExtension = <number of minutes>, where <number of minutes> is the number of minutes that you want the ActiveSync time window to remain open.
The maximum number of minutes is 1440 (one day).
You can find more info on the RSA web site or if you are an RSA customer you can call their support line.
This is truly great news!