LovasBalazs
Contributor
Contributor

RSA integration problem: User TIME's access is denied

We're currently evaluation VDM and RSA. We have three VDM servers: two connection servers and one security server.

One of the CS is configured for plain AD authentication. It works just perfectly.

The other CS is linked with the SS and is configured for RSA. This VDM and the RSA AuthManager are on the same internal lan, the SS is in the DMZ.

We followed the manuals and probably have the RSA configured properly. However we're not able to login thru the SS with the RSA token.

When trying to come in from the internet we're promted for the RSA logon, supply the RSA userid with the passcode, yet we're access denied.

I'm totally clueless here...

The VDM events includes this strange event:

User TIME's access is denied

Any idea on this?

Thank you!

Tags (1)
0 Kudos
33 Replies
YotaMe
Contributor
Contributor

I've set up a 2008 32bit View connection server in the same network segment with the 2008 R2 View connection server, and 2008 32bit works.

It seems something wrong with RSA authentication function on View connection server 64bit.

I need to set up it on 2008 R2 because I want to use PCoIP Gateway Functionality.

When I installed Connection server on 2008 32bit, a caution appeared.

It says "PCoIP Gateway Functionality is not supported for this operating system. Please upgrade to Windows R2 to get the functionality"

0 Kudos
dexenos
Contributor
Contributor

Hi

I have same issue, no chance to get an valid node answer.

If it is a 2008 R2 issue, it can be that connection server look up in System32 and not SYSWOS64.

But all my files were placed in SYSWOS64, sdconf as i uploaded it using View Administrator

If i try to connect i got only a sdstatus.12 created but not the secure file.

Is there any fix? Any ideas for a workaround?

0 Kudos
markbenson
VMware Employee
VMware Employee

RSA SecurID authentication does work with View Connection Server on Server 2008 R2.

Was this server a replacement for an older Server 2003 Connection Server or is this a brand new install with a new Agent Host Record on RSA Authentication Manager?

Can you do the following:

1. Create a new Agent Host entry for this Connection Server on RSA Authentication Manager and clear the "Node Secret Cleared" checkbox.

2. Export the sdconf.rec file from RSA Authentication Manager for this entry.

3. Import sdconf.rec for the Connection Server into View using View Administrator

4. Select "Clear Node Secret" for the Connection Server using View Administrator

Check the View Connection Server logs and check the RSA Authentication Manager logs.

Thanks.

0 Kudos
YotaMe
Contributor
Contributor

>Was this server a replacement for an older Server 2003 Connection Server or is this a brand new install with a new Agent Host Record on RSA >Authentication Manager?

It's a brand new install.

>Can you do the following:

>

>1. Create a new Agent Host entry for this Connection Server on RSA Authentication Manager and clear the "Node Secret Cleared" checkbox.

>2. Export the sdconf.rec file from RSA Authentication Manager for this entry.

>3. Import sdconf.rec for the Connection Server into View using View Administrator

>4. Select "Clear Node Secret" for the Connection Server using View Administrator

Everytime I do it. The procedures are same for both 2008 32bit and 2008 R2. aren't they?

I do same procedure and it works on 2008 32bit.

0 Kudos
abbasi
Enthusiast
Enthusiast

@YotaMe - I can vouch that it does work fine on W2008 R2

Can you temporarily give the Everyone group rights on your System32 directory.  You may have locked down settings as there is a requiremnet to copy that securid file down to your System32 from the RSA AM

Secondly - You don't need that server to be W2008 R2, you only need that server to use that OS if it is acting as your PCOIP tunnel.  Normally this would be the function of the Security Serrver in the DMZ and not the internal Connection server.  

0 Kudos
YotaMe
Contributor
Contributor

Thanks abbasi

>Can you temporarily give the Everyone group rights on your System32 directory.

>You may have locked down settings as there is a requiremnet to copy that securid file down to your System32 from the RSA AM

I'v tried it, but it doesn't work. No log in RSA AM Server.


>Secondly - You don't need that server to be W2008 R2, you only need that server to use that OS if it is acting as your PCOIP tunnel.

>Normally this would be the function of the Security Serrver in the DMZ and not the internal Connection server. 

It's a good information. I'll try.

0 Kudos
alecprior
Enthusiast
Enthusiast

Did you get anywhere with this?  I'm having the exact same problems as you.

0 Kudos
dphowes
Enthusiast
Enthusiast

I am still getting exactly the same error.

Does it matter if the RSA AM server is 6.1 ?  Set server up as a Net OS Agent as there is no standard agent in 6.1.

My logs are as follows:

<TP-Processor8> [AgentLogger] (SESSION:4607788296CA47D0637FE30FFFF55624) User TIME's access is denied.
10:04:48,489 ERROR <TP-Processor8> [SecurIDAuthFilter3] (SESSION:4607788296CA47D0637FE30FFFF55624) Cannot create RSA SecurID user authentication session. Error was: No Server available
10:04:48,490 WARN  <TP-Processor8> [SecurIDAuthFilter3] (SESSION:4607788296CA47D0637FE30FFFF55624) User xxxxx has failed to authenticate to VDM - reason: SecurID general error

0 Kudos
davmware
Enthusiast
Enthusiast

Ours is a similar case as well. Windows 2008 R2 OS for Connection Manager Server.

Errors are ...

TIME's access is denied

Cannot create RSA SecureID user authentication session. Error was: No Server available

User "myuser" has failed to authenticate to VDM - reason SecureID general error

Any workarounds?

0 Kudos
davmware
Enthusiast
Enthusiast

Found solution to our problem. Our internal firewall was blocking port 5500. udp port 5500 is required to be opened between connection manager server and rsa auth manager.

0 Kudos
YotaMe
Contributor
Contributor

>Secondly - You don't need that server to be W2008 R2, you only need that server to use that OS if it is acting as your PCOIP tunnel.

>Normally this would be the function of the Security Serrver in the DMZ and not the internal Connection server. 

I've set up a Security Server on W2008 R2. And it works with RDP but doesn't  work with PCOIP.

I'm afraid I should set up both Connection Server and Security Serrver on W2008 R2 for PCOIP tunnel.

Any improvement in View 5?

0 Kudos
markbenson
VMware Employee
VMware Employee

YotaMe wrote:

I've set up a Security Server on W2008 R2. And it works with RDP but doesn't  work with PCOIP.

I'm afraid I should set up both Connection Server and Security Serrver on W2008 R2 for PCOIP tunnel.

Any improvement in View 5?

This topic is about RSA SecurID authentication and this works with all versions of View (and even VDM versions right back to 2.0 in 2008). It is true that if firewalls block communication between Connection Server and RSA Authentication Manager server the SecurID auth will not work, but that is expected.

If you have RDP working with SecurID authentication, then that means SecurID authentication is working fine. That authentication happens before the desktop pool is selected and it is not until that happens that RDP vs PCoIP considerations take effect.

If you have a situation where local access to PCoIP desktops work, but access to those same desktops via PCoIP remotely through a Security Server fails (usually with a black screen). then 99% chance it will be because one of the three setup steps has not been done correctly. Refer to http://communities.vmware.com/docs/DOC-14974 on PCoIP remote access connectivity setup problems and if you have a situation where this is failing for you through Security Server then following this topic will solve it. If you still have problems with this then start a new topic or look at how others have solved it. To make this work, The Connection Server and Security Server must be at least View 4.6. The Connection Server can be any supported OS, but the Security Server must be Server 2008 R2.

Please keep this topic for any help required for the setup of RSA SecurID authentication. Thanks.

Mark.

0 Kudos
YotaMe
Contributor
Contributor

Hi Mark.

Thanks for your proper advice.

It seems that you are right.

It happens with a black screen and I haven't done 2 of 3 set up you mentioned.

I'll try them.

0 Kudos
rellis123
Enthusiast
Enthusiast

TIP :smileyinfo:

If you receive this error while trying to configure Horizon View with an RSA appliance

The error described by this post is the error you will see if you upload to your View Connection Server the node shared secret file nodesecret.rec rather than the correct sdconf.rec file.

On the RSA appliance, both files are generated in a similar way (via the IMS console) -- but they serve very different purposes.

Make sure you have generated and uploaded the right file. It's easy to overlook -- especially if you're tired. sdconf.rec is the one you want.

Horizon 6.2.x will not tell you if you've uploaded the wrong one -  it will happily upload either, and indicate that it's the right file, even if it's not.

0 Kudos