Publish OWA w/SecurID - Node Verification Failed

jerrice -> Publish OWA w/SecurID - Node Verification Failed (14.Nov.2006 10:39:41 PM)

Hi there...  I hope someone has some ideas on this, as it's been driving us nuts for a while now.  We have ISA 2006 Ent. set up, and are trying to publish Exchange 2003 OWA w/SecurID 6.1.  The ISA server has VPN and Local Authentication set up and running fine (so that would be the Local and Remote clients).  I've set up the OWA publishing rule and listener, and am getting the correct log-in screen (the 3 parter with user name, passcode, and password requested).  When I try to log in, I get an Access Denied error back from ISA, and the RSA server shows the following in the log:
11/15/2006 03:25:39U ----------/isaserver.domain.corp     ---->
11/14/2006 19:25:29L  Node verification failed                   rsaserver.domain.corp

The node is behaving correctly for local logins, and for VPN, so I suspect the node secret is fine.  I have tried clearing and re-instating it, but it did not help.  To set up OWA, I used the page at http://www.trustedaccess.info/.  I've got the published server running fine with the web agent, and I'm able to access that internally.

Any thoughts?




jerrice -> RE: Publish OWA w/SecurID - Node Verification Failed (15.Nov.2006 2:06:42 PM)

Ok, I got this figured out.  I'll document it in case someone else runs into it.  Apparently, ISA doesn't pick up the new node verification unless you reboot the server, even if the other verifications (for VPN, local access) are working.  Restarting ISA didn't fix the problem; I had to actually reboot the server.




shan.lee -> RE: Publish OWA w/SecurID - Node Verification Failed (1.Feb.2007 8:33:14 PM)

I'm having this exact same problem, but a restart hasn't helped.

I've even completely ripped out all the securid stuff I could find, removed the entry from the ACE server and started again, and ended up right back at the same point.

If I log onto the ISA server and use SDTEST, it authenticated fine. Go into the listener, tick the 'collect additional information' box, select securid, apply changes, restart firewall service and/or reboot, SDTEST still works fine, OWA gives me error 100 indicating the ACE server refused me, and the ACE log shows a node verification failure.

I'm stumped.

P.S. I have OWA, Activesync and RPC/HTTP all on this listener if that matters.




Darkstarr13 -> RE: Publish OWA w/SecurID - Node Verification Failed (2.Mar.2007 9:32:19 AM)

___________________
ISA
- remove all SDCONF.REC (either in C:\windows\system32 and/or c:\program files\Microsoft ISA server\sdconfig)
- remove all SECURID files (either in C:\windows\system32 and/or c:\program files\Microsoft ISA server\sdconfig), not necessarily on the system
- remove file sdstatus.12 (c:\program files\Microsoft ISA server\sdconfig)
- ensure that, if there is a sdopts.rec, it ONLY contains a line "CLIENT_IP=xx.xx.xx.xx", nothing else
- reboot ISA

ACE
- edit agent host and ensure that node secret is unchecked; if not, correct it

Go to Internet, start browser and do first authentication to the ISA. File SECURID should now be created in c:\program files\Microsoft ISA server\sdconfig, along with sdstatus.rec (the test authentication tool was not used and will create node secret in a different folder than ISA expects)
___________________
That worked for me.

By the way: I troubleshot the location of the SDOPTS.REC, SECURID and SDCONF.REC with FILEMON from Sysinternals (filter to process wspsrv.exe). In conjunction with the event log on ISA it gives you all the locations. At some point in the log you will see a CREATE of the SECURID file.





Zabulon -> RE: Publish OWA w/SecurID - Node Verification Failed (5.Apr.2007 10:26:05 AM)

I am receiving the same 'Node verification failed' error on my ISA 2006 box.  I tried removing the sdconf.rec, etc. and rebooting but it did not resolve my issue.  I can successfully authenticate with the RSA test tool but get the error:

100: Access denied. RSA ACE/Server rejected the passcode that you supplied. Try again with a valid passcode.

when trying to log in through OWA.

Any help would be appreciated!




shan.lee -> RE: Publish OWA w/SecurID - Node Verification Failed (9.Apr.2007 5:50:43 PM)

Darkstarr's post is spot on, but I somehow managed to have all my files created in \system32. I manually copied them across to the sdconfig folder and it worked.




jerrice -> RE: Publish OWA w/SecurID - Node Verification Failed (13.Apr.2007 5:46:24 PM)

One thing I just noticed after my OWA stopped working again:
On my ISA server that SECURID file didn't seem to get created in the C:\Program Files\Microsoft ISA Server\sdconfig directory.  I had to manually copy it from C:\Windows\System32.  Once I did that, with no restarts or anything, OWA started working with RSA correctly again.




Zabulon -> RE: Publish OWA w/SecurID - Node Verification Failed (16.Apr.2007 11:22:05 AM)

Thanks guys for the input... I found the issue:

I was running my sdtest.exe from the \system32 folder not from the \ISA folder.

Once I ran it from there it created the files I needed, then I manually copied them into the \ISA folder\sdconfig and it worked like a charm!  [:)]

Thanks for all the input




TCalixto -> RE: Publish OWA w/SecurID - Node Verification Failed (9.May.2007 5:02:28 AM)

Jerrice,

The RSA authentication server and the host agent (ISA Server) exchange encrypted information when they connect for the very first time.

Now, here is the catch: by successfully connecting the host agent to the RSA Auth. Serv. with the SDTEST tool, a node secret will be created between them. This encrypted information is not the same as that which will be used by the ISA Server API when connecting to the RSA Auth. Serv. via a Publishing Rule.

A new set of encrypted information needs to be created. To do so, create a publishing rule that uses RSA SecurID and then connect to the published site with an external client.

Good luck.









TCalixto -> RE: Publish OWA w/SecurID - Node Verification Failed (9.May.2007 10:40:52 AM)

Jerrice,

In addition to my last, here is the link where the document can be found:

http://www.microsoft.com/downloads/details.aspx?familyid=7B0CA409-55D0-4D33-BB3F-1BA4376D5737&displaylang=en

Specifically the ISA Server 2006 Tools: RSA Test Authentication Utility document. Section 3 goes as follows:

1.       After successfully running the RSA Test Authentication Utility, perform the following steps:
a.        On the ISA Server computer, verify that the Sdconfig folder under the ISA Server installation folder contains only the file Sdconf.rec. Delete any other files that you find in this folder.
b.        On the RSA Authentication Manager computer, on the Agent Host menu, click Edit Agent Host, select the name of your ISA Server computer, and then verify that Sent Node Secret is not selected.
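
An added example (not posted by anyone in this thread, and not Microsoft or RSA code): a read-only PowerShell check for the file-placement mismatch the posts above describe, where the node secret ends up in \system32 instead of the ISA sdconfig folder. The two folder paths and the file names are the ones quoted in the thread; the function names are hypothetical, and the sdopts.rec rule follows Darkstarr13's description.

```powershell
# Read-only audit: reports findings, changes nothing, never prints file contents.
# Default paths are the ones quoted in the thread; adjust if ISA is installed elsewhere.
param(
    [string]$SdConfig = 'C:\Program Files\Microsoft ISA Server\sdconfig',
    [string]$System32 = 'C:\Windows\System32'
)

# Hash a file so two copies can be compared without exposing the node secret.
function Get-Sha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { [BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Close() }
}

# Hypothetical helper: returns one string per problem found (empty if none).
function Test-SecurIdLayout([string]$SdConfig, [string]$System32) {
    $findings = @()
    foreach ($name in 'sdconf.rec', 'securid') {
        $inIsa = Join-Path $SdConfig $name
        $inSys = Join-Path $System32 $name
        $isaExists = Test-Path -LiteralPath $inIsa -PathType Leaf
        $sysExists = Test-Path -LiteralPath $inSys -PathType Leaf
        if (-not $isaExists -and $sysExists) {
            # The case several posters hit: file created by a tool run from \system32.
            $findings += "$name exists only in $System32, not in $SdConfig"
        } elseif (-not $isaExists) {
            $findings += "$name not found in either folder"
        } elseif ($sysExists -and (Get-Sha256 $inIsa) -ne (Get-Sha256 $inSys)) {
            $findings += "$name differs between the two folders (one copy may be stale)"
        }
    }
    # Per the thread, sdopts.rec (if present) should hold only a CLIENT_IP= line.
    $opts = Join-Path $SdConfig 'sdopts.rec'
    if (Test-Path -LiteralPath $opts -PathType Leaf) {
        $lines = @(Get-Content -LiteralPath $opts | Where-Object { $_.Trim() -ne '' })
        if ($lines.Count -ne 1 -or $lines[0] -notmatch '^CLIENT_IP=\d{1,3}(\.\d{1,3}){3}$') {
            $findings += 'sdopts.rec contains something other than a single CLIENT_IP= line'
        }
    }
    return $findings
}

$result = @(Test-SecurIdLayout $SdConfig $System32)
if ($result.Count -eq 0) { 'No placement problems found.' } else { $result }
```

The script avoids Get-FileHash and other newer cmdlets so that it also runs on the older PowerShell versions available for servers of this era.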



