Error 403 when connecting to a Web resource protected with RSA Web Agent

Consider the following scenario:

1. You have an internal IIS website that you’d like to publish to the Web using ISA Server 2006.

2. You have installed RSA’s SecurID Web Agent into IIS on your internal website.

3. You have created a Web publishing rule to make the site available to external users.

4. The Authentication Method on the Web Listener may be set to any method available.

5. The Authentication Delegation type in the Web Publishing rule is set to “No Delegation, but client may authenticate directly”.

In this scenario, ISA Server is pre-authenticating the external client request. The client is then directed to the internal IIS server, which prompts for RSA SecurID User ID and Passcode credentials.

With these conditions, you may experience the following symptoms:

1. The login form provided by RSA Web Agent is missing the “RSA SecurID” logo graphic.

2. After entering valid SecurID User ID and Passcode credentials, the browser displays the following error:

The page cannot be displayed

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator.

You may experience this issue if the ISA Server 2006 Web publishing rule does not allow anonymous access to the /webid/* path on the RSA Web Agent protected web site. During the authentication process with the internal IIS web site, the client sends requests of the form /WebID/* to the Web server. If the client is unable to access this path, the request fails.

More information:

When RSA’s Web Agent software is installed in IIS, the IIS server becomes an RSA Agent Host. When you enable RSA Web Access Authentication in IIS, a virtual directory called WebID is created. This directory contains the IISWebAgentIF.dll filter which accepts the form data and communicates with the RSA Authentication Manager server. The client must have access to this path to successfully submit the form data entered in the SecurID login form.

To resolve this issue, edit the ISA Server 2006 Web publishing rule and add /webid/* under the Paths tab.

Richard Barker

Senior Security Support Engineer
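To confirm this cause from the proxy side before changing the rule, the following added example (not part of the original article or of any Microsoft or RSA tooling) reads a W3C extended format log and counts 403 responses whose path is not listed on the rule's Paths tab. The log lines, the `cs-uri` and `sc-status` field names, the `/app/*` path and the logo file path are constructed assumptions, as is the case-insensitive wildcard matching.

```python
from collections import Counter
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample log (tab-separated W3C extended format); not real traffic.
SAMPLE_LOG = "\n".join([
    "#Fields: date\ttime\tc-ip\tcs-uri\tsc-status",
    "2009-01-15\t10:02:11\t203.0.113.7\thttp://www.example.com/app/login.aspx\t200",
    "2009-01-15\t10:02:12\t203.0.113.7\thttp://www.example.com/WebID/images/logo.gif\t403",
    "2009-01-15\t10:02:30\t203.0.113.7\thttp://www.example.com/WebID/IISWebAgentIF.dll?postdata\t403",
    "2009-01-15\t10:03:01\t198.51.100.9\thttp://www.example.com/app/report.aspx\t403",
])


def parse_w3c(text):
    """Yield one dict per record, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def covered(path, rule_paths):
    """Assumed matching: case-insensitive wildcard match against each rule path."""
    return any(fnmatchcase(path.lower(), p.lower()) for p in rule_paths)


def denied_outside_rule(text, rule_paths):
    """Count 403s per top-level folder for request paths the rule does not list."""
    missing = Counter()
    for rec in parse_w3c(text):
        path = urlsplit(rec["cs-uri"]).path
        if rec["sc-status"] == "403" and not covered(path, rule_paths):
            top = path.strip("/").split("/")[0].lower()
            missing["/" + top + "/*"] += 1
    return missing


if __name__ == "__main__":
    # First the rule as described in the scenario, then with /webid/* added.
    for rule in (["/app/*"], ["/app/*", "/webid/*"]):
        print(rule, "->", dict(denied_outside_rule(SAMPLE_LOG, rule)))
```

A 403 on a path the rule already lists, such as the last sample line, is left out of the count because it has a different cause than a missing path entry.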