User Auth Issues w/ HTTP


Packet7 (IS-IT--Management), Jun 20, 2003
We are currently unable to utilize inbound User Auth with RSA SecurID via an HTTP connection. If we switch the group to "Any" and User Auth to "Accept" we are able to access the internal web server via HTTP.

On the RSA server, the passcode is accepted in each instance. The browser normally hangs during User Auth or displays a FW-1 rule denial. We also tried to move the policy up in the list, but it had no effect.

We are running FW-1 SP3. Anyone have any related issues or know of something that could help?

Thank you.

John Judge
MCSE, MCSA, MCP, CCNA, CNA, Network +, A+
 
Does the http server need a password? or is it set to anonymous access?
 
Thanks for the response syn. The HTTP server is a Domino server and requires an identical username. This has been configured and we are using the format username: jjacobs password: "web notes password"@PIN+Token code <--- RSA/SecurID.


John Judge
MCSE, MCSA, MCP, CCNA, CNA, Network +, A+
 
I think you are having the same problem as I had about 9 months ago. This is what I had:

We had an internal Notes server, and we wanted users to be able to access their notes from the web using iNotes.

I had a FW1 4.1 (sp2 or sp3, not sure) and Notes 5.0.8; the Notes web server requires authentication.

I set up User Auth with RSA SecurID Auth to the Notes server.

This is what would happen when trying to access the web server externally:

1. Enter address in browser.
2. First login prompt would come up; authenticate to firewall using RSA SecurID:
   username = rsa username
   password = pincode-tokennumber
3. Second login prompt would come up; authenticate to Lotus Notes Webmail using a combination of firewall+notes credentials:
   username = NotesUserNames@RSA username
   password = NotesPassword@pincode-tokennumber
4. Browser would hang, and the page wouldn't come up.

The logs on the RSA ACE server indicate that the RSA token authentication was successful.
When I set up anonymous access on the Notes server, it worked.
I tried the same set-up with an internal IIS server with anonymous access switched off; it would fail. But with anonymous access switched on it would work.
I also set up a small test environment and I was able to generate the problem from a fresh install of FW1 4.1, RSA ACE server and Notes.

I think the problem has got to do with the second login.


I upgraded the firewall in our test environment to FW1 NG FP3, and it worked without any configuration changes.
I was able to access the Notes server using both login prompts.

We upgraded our production firewall to FW1 NG FP3 and tested User Auth; it worked right away.

This must have been a bug with FW 4.1.

But in the end, we decided not to use User Auth.
We installed an RSA agent on the Notes server and reverse proxied it through the firewall.
This seems to work really well, with the only authentication taking place at the Notes server.



Hope this Helps

Mark W
 
Hey Syn,

It sounds like you're 9 months ahead of us! Did you enable Anonymous Access in the Notes Server Document (Ports, Internet Ports, Web, Authentication Options)?

I tried both Anonymous set to Yes and Username and Password set to Yes and No. Neither worked.

Any other ideas or suggestions?

Thanks for the assistance.

John Judge
MCSE, MCSA, MCP, CCNA, CNA, Network +, A+
 
Have you tried to do the same thing with an IIS server?
With anonymous access on IIS I get it to work, but with anonymous access disabled it failed.
This way you can work out if it's the Notes server or the firewall.

I'm not an expert on Notes but this is what I did.
I set anonymous to yes and 'name and password' to yes; this is on the PORTS / INTERNET PORTS tab.

On the ACLs of the Notes databases, the 'Default' user should be set to 'no access'. This will force a user to enter their username and password when trying to access this database from a web browser. All our mail files have 'default' set to 'no access'.
If the ACL of a database has 'default' set to 'reader', this database will be viewable from a browser without having to log in.

I created a new database and set the 'default' user in the ACL of this database to 'reader'.

Then, to confirm that I could view this database with anonymous access, I tried to view it from a browser on the internal LAN (Eg. ); it worked, no login.

From the internal LAN, I tried to access my mail file (Eg. ). I was asked for one login and then was able to view my mail file.

So both anonymous and non-anonymous work internally.

I then tried to access the test database from the internet and it worked; I only had to enter the SecurID username and pass, and I was then taken straight to the database.

I then tried to view my mail file from the internet. I would get the first login (from the firewall). And then, because 'default' on the ACL of my Notes email database was set to no access, I would have to enter a second username / password; this is where the browser hangs.



Leave a reply if you got any more questions.



Mark W
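The two login prompts from Mark's numbered steps and the per-database ACL rule from his second post, modelled as an added example that is not from the thread. The "notes@rsa" credential formats follow the posts; the sample users, passcodes, database names and the two validator functions are constructed assumptions.

```python
"""Model of FW-1 User Auth (RSA SecurID) in front of a Domino web server whose
per-database ACL 'Default' entry decides whether a second, Notes login is needed.
Constructed example: the directories below stand in for the ACE server, the
Notes address book and the database ACLs."""

# Constructed sample data: one RSA user (PIN + token as a single passcode),
# one Notes user, and two databases with different 'Default' ACL entries.
RSA_PASSCODES = {"jjudge": "1234-567890"}                   # pincode-tokennumber
NOTES_PASSWORDS = {"John Judge/ACME": "web notes password"}
DB_ACL_DEFAULT = {"test.nsf": "reader", "mail/jjudge.nsf": "no access"}


def split_combined(value):
    """Split 'notespart@rsapart' on the LAST '@', so a Notes value that itself
    contains '@' is kept whole. A value with no '@' is a plain RSA credential."""
    if "@" not in value:
        return None, value
    notes_part, rsa_part = value.rsplit("@", 1)
    return notes_part, rsa_part


def rsa_ok(user, passcode):
    # Stand-in for the ACE server check (assumption, not a real client)
    return RSA_PASSCODES.get(user) == passcode


def notes_ok(user, password):
    # Stand-in for the Domino name-and-password check (assumption)
    return NOTES_PASSWORDS.get(user) == password


def web_request(db, username, password):
    """Return how far one browser login gets: 'fw-denied', 'ok',
    'notes-login-needed' (Domino would raise the second prompt) or 'notes-denied'."""
    notes_user, rsa_user = split_combined(username)
    notes_pw, rsa_pass = split_combined(password)
    if not rsa_ok(rsa_user, rsa_pass):
        return "fw-denied"                 # first prompt: firewall rejects
    if DB_ACL_DEFAULT.get(db) != "no access":
        return "ok"                        # Default=reader: anonymous suffices
    if notes_user is None or notes_pw is None:
        return "notes-login-needed"        # Default=no access: second prompt
    return "ok" if notes_ok(notes_user, notes_pw) else "notes-denied"


if __name__ == "__main__":
    print(web_request("test.nsf", "jjudge", "1234-567890"))
    print(web_request("mail/jjudge.nsf", "jjudge", "1234-567890"))
    print(web_request("mail/jjudge.nsf", "John Judge/ACME@jjudge",
                      "web notes password@1234-567890"))
```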
 
That is what I tried, but I get a denied message "FW-1 Rule". Haven't tried the IIS test yet, since I am hoping to get this resolved soon. If you know of anything else to try, let me know, and thank you for the help.
Rgds,


John Judge
MCSE, MCSA, MCP, CCNA, CNA, Network +, A+
 