UAG and RSA SecurID

  • Question

  • I have UAG RC0 loaded in our lab and think it is a great product!  We use RSA SecurID for 2-factoring remote access solutions and although it is integrated into UAG and listed by default as an authentication method, RSA does not have a Windows Server 2008 R2 client available and won't until late next year (2010!!).  As you know, when you choose RSA SecurID as an authentication method for a Trunk, it instructs you to load the RSA client that doesn’t exist.  Unfortunately, that rules out UAG for us until that client is released and we were hoping to go live with it as soon as it goes RTM.  I thought other people would be complaining since RSA is popular, but I'm finding very little about this on the Internet.  I thought about using IAG as an interim solution, but it does not support x64 clients. 

    Is there anywhere on Microsoft's website that gives a definite date when RSA will work with UAG?




    Wednesday, September 30, 2009 7:01 PM

Answers

  • Would you be able to integrate to the RSA server using LDAP instead of using their client?

    Meir :->
    Meir Mendelovich, Sr. Program Manager, Microsoft Forefront - IAG/UAG Product Group
    Team Blog: http://blogs.technet.com/edgeaccessblog/
    Anything you can do, I can do anywhere!
    • Marked as answer by Erez Benari Thursday, October 1, 2009 5:02 PM
    Thursday, October 1, 2009 5:36 AM

All replies

  • Or configure UAG using the RADIUS repository. Most RSA versions I've worked with allow the RSA server to accept connections from RADIUS clients as if it's a RADIUS server.
    Friday, October 2, 2009 1:42 AM
  • Hi Fritz,

    Our intention is to provide the RSA client on the UAG machine before its release, so the UAG authentication provider for RSA SecurID will not require any installation of RSA code.
    Meanwhile, you can use LDAP/RADIUS to connect to the RSA server that is installed on another machine that is not Windows Server 2008 R2.

    Thanks,
           Meir :->
    Meir Mendelovich, Sr. Program Manager, Microsoft Forefront - IAG/UAG Product Group
    Team Blog: http://blogs.technet.com/edgeaccessblog/
    Anything you can do, I can do anywhere!
    Monday, October 5, 2009 9:45 AM
  • Did this make it to RTM? It doesn't seem to be included with the RTM eval - did I miss it?

    Cheers

    JJ
    Jason Jones | Forefront MVP | Silversands Ltd
    Monday, January 11, 2010 1:18 PM
    Moderator
  • I have the same question, as my first customer UAG evaluation needs to integrate with RSA.   Probably going to be problematic to configure UAG as radius client talking to RSA via radius, as then new pin mode and next tokencode may not work properly.   Beyond the first phase of testing, I'm either going to need a Windows 2008 R2 version of RSA client from RSA (which doesn't exist yet) or need Microsoft to let me know when their built-in RSA integration which doesn't require an RSA agent is planned for release?

    Thanks,
    Mark
    Monday, January 11, 2010 9:15 PM
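Mark's worry about New PIN mode and next tokencode over RADIUS comes down to one protocol detail: those prompts are not an Access-Accept or Access-Reject but an Access-Challenge (code 11) carrying a State attribute and a Reply-Message, and the client must send a second Access-Request that echoes the State. The thread does not say whether UAG's RADIUS repository does this. The following Python sketch is an added example, not code from this thread, from Microsoft or from RSA: it implements the RFC 2865 pieces involved (User-Password hiding, Response Authenticator verification, attribute encoding) and simulates both sides of a two-round exchange in-process. The shared secret, State value, NAS address, user name and passcodes are all constructed placeholders.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865 (RADIUS).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4
ATTR_REPLY_MESSAGE, ATTR_STATE = 18, 24


def obfuscate_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of obfuscate_password (what the RADIUS server does on receipt)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_request(ident, secret, username, passcode, authenticator, state=None):
    """Client (NAS) side. A reply to a challenge MUST echo the State attribute unchanged."""
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, obfuscate_password(passcode.encode(), secret, authenticator)),
             (ATTR_NAS_IP, bytes([10, 0, 0, 1]))]  # placeholder NAS address
    if state is not None:
        attrs.append((ATTR_STATE, state))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def build_response(code, ident, secret, request_authenticator, attrs):
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def parse_response(packet, secret, request_authenticator, expected_ident):
    """Client side: verify the Response Authenticator before acting on the packet,
    so a forged Access-Accept from the network is rejected."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != expected_ident:
        raise ValueError("length or identifier mismatch")
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("bad Response Authenticator: wrong shared secret or tampered packet")
    return code, decode_attrs(body)


def simulate_next_tokencode_flow(secret=b"constructed-shared-secret"):
    """Constructed two-round exchange, both sides in-process. Round 1 is answered with
    Access-Challenge (the 'next tokencode' prompt); round 2 carries the echoed State."""
    ra1 = os.urandom(16)  # fresh Request Authenticator per request
    first = build_access_request(1, secret, "jdoe", "1234567890", ra1)
    hidden = dict(decode_attrs(first[20:]))[ATTR_USER_PASSWORD]
    if reveal_password(hidden, secret, ra1) != b"1234567890":
        return "passcode-garbled"
    state = b"constructed-state-42"
    challenge = build_response(ACCESS_CHALLENGE, 1, secret, ra1, [
        (ATTR_REPLY_MESSAGE, b"Wait for the tokencode to change, then enter the new tokencode"),
        (ATTR_STATE, state)])
    code, attrs = parse_response(challenge, secret, ra1, 1)
    if code != ACCESS_CHALLENGE:
        return "no-challenge"  # a client that stops here reports the login as failed
    echoed_state = dict(attrs)[ATTR_STATE]
    ra2 = os.urandom(16)
    reply = build_access_request(2, secret, "jdoe", "654321", ra2, state=echoed_state)
    # Server: the State must come back, otherwise round 2 cannot be tied to round 1.
    if dict(decode_attrs(reply[20:])).get(ATTR_STATE) != state:
        return "state-missing"
    accept = build_response(ACCESS_ACCEPT, 2, secret, ra2, [])
    code, _ = parse_response(accept, secret, ra2, 2)
    return "accepted" if code == ACCESS_ACCEPT else "rejected"


if __name__ == "__main__":
    print(simulate_next_tokencode_flow())
```

The practical check this suggests when testing the RADIUS route: put a token into next-tokencode or New PIN mode on the RSA side and watch whether the client re-prompts and echoes State, or simply shows a login failure after the first round. Note that User-Password hiding is MD5-based obfuscation keyed by the shared secret, not encryption, so the RADIUS path between UAG and the RSA server still needs network-level protection and a strong, unique shared secret.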
  • It'd also be nice if DirectAccess were covered by the same level of authentication that UAG provides. Right now I'm limited to username/password and smartcard, and I notice from documentation on TechNet that tweaking TMG for the benefit of giving UAG a helping hand for things such as RADIUS / OTP authentication is not officially supported, so that's a no-no for production scenarios.

    Regards,
    Mylo
    Monday, January 11, 2010 10:22 PM
  • Hi,

    To answer Jason's and Mark's questions: yes, support for RSA is definitely included in the RTM version of UAG.

    And no, an RSA client is not required to be installed on the UAG box in order for UAG’s RSA authentication to function, since UAG uses an RSA API DLL for this.

    As a quick tip in case RSA authentication does not work for you: make sure you have copied the sdconf.rec file to the UAG box.

    Regards,

    -Ran

    • Proposed as answer by Mark Resnik Tuesday, January 12, 2010 2:36 PM
    Tuesday, January 12, 2010 9:37 AM
  • Awesome, thanks Ran. I won't be configuring it during my eval, but definitely will for the production implementation.

    Thanks again,
    Mark
    Tuesday, January 12, 2010 2:36 PM
  • Hi,

    To answer Jason's and Mark's questions: yes, support for RSA is definitely included in the RTM version of UAG.

    And no, an RSA client is not required to be installed on the UAG box in order for UAG’s RSA authentication to function, since UAG uses an RSA API DLL for this.

    As a quick tip in case RSA authentication does not work for you: make sure you have copied the sdconf.rec file to the UAG box.

    Regards,

    -Ran

    Cool, good news - I assume this goes into Windows\System32?

    If not, where else?
    Jason Jones | Forefront MVP | Silversands Ltd
    Monday, January 25, 2010 5:11 PM
    Moderator
  • It'd also be nice if DirectAccess were covered by the same level of authentication that UAG provides. Right now I'm limited to username/password and smartcard, and I notice from documentation on TechNet that tweaking TMG for the benefit of giving UAG a helping hand for things such as RADIUS / OTP authentication is not officially supported, so that's a no-no for production scenarios.

    Regards,
    Mylo

    Q. I use a security token as my second authentication factor today. Can that be used with DirectAccess?

    A. To enforce multi-factor credentials for intranet access, DirectAccess requires the Active Directory domain controller to mark the Kerberos token with a Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) indicator. Other two-factor authentication methods that are used for traditional VPN connections, such as using an RSA Secure ID token, do not perform an Active Directory-based authentication with PKINIT and cannot be used for DirectAccess multi-factor authentication.

    Source: http://www.microsoft.com/windowsserver2008/en/us/directaccess-faq.aspx

    Good news if you provide MS PKI consultancy though ;)


    Jason Jones | Forefront MVP | Silversands Ltd
    Monday, January 25, 2010 5:36 PM
    Moderator
  • Hi Jason,

    Yes, the sdconf.rec file should be placed in the Windows\System32 folder, indeed.

    BTW, please note that currently, when you configure an authentication repository for RSA SecurID in UAG RTM, you will get an error message claiming that you either do not have the ACE client installed or do not have connectivity to the RSA server.

    The statement in this message about not having the ACE client installed is a left-over from the IAG days, since, as I’ve already explained, UAG does not require such a client.

    The statement in this message about not having connectivity to the RSA server is correct, since at the time this message is issued, TMG is still blocking access from the UAG server to the RSA server.

    However, you can safely ignore this message and click ‘Yes’ in order to continue and finish the configuration of the RSA SecurID authentication server, and then activate the configuration. Once the UAG configuration is activated, a relevant TMG rule is created to allow access to the RSA SecurID server and your authentication should work as expected.

    We will fix this error message in an upcoming release.

    -Ran


    Tuesday, January 26, 2010 9:44 AM
  • Excellent, I can live with that as long as it works...

    I assumed I would have to enable the TMG system policy for RSA, but nice to see it automated :)

    Thanks for the info...

    Do you happen to know if any of the old 'sdtest' utilities work on Win2k8R2? I can try, but just curious...

    Cheers

    JJ
    Jason Jones | Forefront MVP | Silversands Ltd
    Tuesday, January 26, 2010 1:38 PM
    Moderator
  • Until this gets fixed, I thought the following blog entry might be useful...

    http://blog.msedge.org.uk/2010/01/enabling-rsa-securid-authentication-in.html

    Cheers

    JJ

    Jason Jones | Forefront MVP | Silversands Ltd
    Wednesday, January 27, 2010 4:46 PM
    Moderator
  • I tried following the steps from the blog and can't get it working.  Does this work on the release version of UAG?
    Wednesday, June 29, 2011 1:14 PM