Installing RSA Authentication Manager 7.1
It has been a while since I added anything to my blog, so I thought I would add something a little different that will hopefully help some people out there. I recently had to install and configure RSA Authentication Manager 7.1 for a client. This was something I had never done before, but to be honest it was pretty straightforward once you get your head around the long documentation they provide!
One thing that made it a little more difficult to complete was making it work on a Remote Desktop Services server. That is really the main reason for publishing this, because the core installation and configuration is pretty straightforward. I will add some notes about that as well, to give some guidance if needed.
The environment in which these instructions worked was “Microsoft Small Business Server 2008” with a Virtual RSA Server running “Microsoft Windows Server 2003 R2” and a Terminal Server running “Windows Server 2008 R2”.
First of all you will need to download RSA Authentication Manager (Version) from the RSA Download Central site; these details would have been given to you when you purchased the software. This is also where you get your licence from, which is needed later on in the installation.
Note: RSA Authentication Manager CANNOT be installed on a Windows Server 2008 / R2 server, but it DOES work in that environment (Server 2008 / R2 machines can run the agent against it). The Authentication Manager itself needs to be installed on a Windows Server 2003 installation. (A release for Server 2008 is due in the 2nd half of 2011.)
Briefly, the steps for a new installation are as follows:
- Locate and launch the installer for your platform. On the Welcome screen, click Next.
- Respond to the prompts for Select Region and License Agreement.
- Select Primary Instance, and click Next.
- Verify the installation directory path and name, or click Browse to install Authentication Manager to a different directory. Click Next.
- When the installer displays the hostname and IP address that will be used for the installation, verify the information.
- Click Browse to locate the folder that contains your Authentication Manager license file, server key, and certificate files. The license gives you access to certain functionality and limits the number of users that can be registered. The server key and certificate are used to verify (authenticate) the identity of the server. Select the folder, click Open, and click Next.
- Verify the license information, and click Next.
- When prompted, enter and confirm a User ID and password.
- Enable or disable Sign Administration Logs, Sign System Logs, and Sign Runtime Logs.
- Review the summary screen, verifying the features you have selected and the disk space required.
- Click Install. Start the Security Console to confirm the installation, then restart the server (optional).
Setting up LDAP AD Identity Source
Open the “Operations Console” > Manage Identity Sources > Add New Identity Source
Complete the fields as below:
Click on Test Connection (this should come back as successful)
User Base DN: ou=SBSUsers,ou=Users,ou=MyBusiness,dc=company,dc=local
User Group Base DN: ou=SBSUsers,ou=Users,ou=MyBusiness,dc=company,dc=local
Click on “Save and Finish”
Open Security Console > Identity > Users > Manage Existing
Select “System Domain” and “Your Identity Source”, then click on Search
This confirms that the LDAP link has worked and that the users are known to RSA Authentication Manager
Next, select “Administration” > “Realms” > Manage Existing > select the Security Domain > Edit
Under “Link Identity Sources”, move the available identity source over to the Linked field
Click on Save
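Before typing the two Base DNs into the Operations Console it is worth confirming, from any domain-joined machine, that they actually exist and that the account RSA will bind with can read the users and groups beneath them; a mistyped OU is the most common reason the Test Connection succeeds but the user search in the Security Console comes back empty. The PowerShell script below is an added example and is not from the original post or from RSA. It assumes the two DNs quoted above (replace them for your domain) and uses the .NET System.DirectoryServices classes, which are available in PowerShell 1.0/2.0 on SBS 2008 without the ActiveDirectory module. The $BindUser and $BindPassword parameters are hypothetical placeholders for a read-only service account.

```powershell
# Added example (not part of the original post): pre-flight check of the
# User Base DN and User Group Base DN before entering them into the
# RSA Operations Console. Assumptions: DNs follow the SBS 2008 layout used
# in the post; runs as a domain user, or with an explicit bind account.
param(
    [string]$UserBaseDN   = "ou=SBSUsers,ou=Users,ou=MyBusiness,dc=company,dc=local",
    [string]$GroupBaseDN  = "ou=SBSUsers,ou=Users,ou=MyBusiness,dc=company,dc=local",
    [string]$BindUser     = $null,   # hypothetical, e.g. "COMPANY\rsa-ldap-ro"
    [string]$BindPassword = $null
)

function Get-DirectoryEntry([string]$dn) {
    # Plain LDAP bind to the DN, as RSA does; explicit credentials if supplied
    $path = "LDAP://$dn"
    if ($BindUser) {
        return New-Object System.DirectoryServices.DirectoryEntry($path, $BindUser, $BindPassword)
    }
    return New-Object System.DirectoryServices.DirectoryEntry($path)
}

function Test-BaseDN([string]$dn, [string]$filter, [string]$label) {
    $entry = Get-DirectoryEntry $dn
    try {
        # Reading a property forces the bind; a wrong DN or bad credentials throw here
        $null = $entry.distinguishedName
    } catch {
        Write-Host ("[FAIL] {0} '{1}': {2}" -f $label, $dn, $_.Exception.Message)
        return $false
    }

    # Search the whole subtree under the DN, the same scope RSA uses for lookups
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry, $filter)
    $searcher.SearchScope = "Subtree"
    $searcher.PageSize = 500
    $null = $searcher.PropertiesToLoad.Add("sAMAccountName")
    $results = $searcher.FindAll()
    $count = $results.Count

    Write-Host ("[OK]   {0} '{1}': {2} object(s) match {3}" -f $label, $dn, $count, $filter)
    # Show a handful of sAMAccountNames: these are the user IDs RSA will see
    $results | Select-Object -First 5 | ForEach-Object {
        Write-Host ("       " + $_.Properties["samaccountname"][0])
    }
    $results.Dispose()
    return ($count -gt 0)
}

$usersOk  = Test-BaseDN $UserBaseDN  "(&(objectCategory=person)(objectClass=user))" "User Base DN"
$groupsOk = Test-BaseDN $GroupBaseDN "(objectCategory=group)"                      "User Group Base DN"

if ($usersOk -and $groupsOk) {
    Write-Host "Both DNs resolve and return objects; enter them in the Operations Console."
} else {
    Write-Host "Fix the DN(s) marked FAIL or with 0 matches before saving the identity source."
}
```

Run it once without credentials (it binds as the logged-on user) and once with the bind account you intend to give RSA; if the second run returns fewer objects than the first, the service account lacks read access on that OU and the RSA user search will be incomplete for the same reason. A group DN that returns 0 matches is not an error in itself, but it means no AD groups will be visible in the Security Console from that identity source.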
Note: Before moving on to the next stage, make sure you have your token file and the password from when you registered your token batch. If you need to re-download it, visit this site:
Next go to “Authentication” > “SecurID Tokens” > “Import Tokens Job” > “Add New”
Edit the name of the job if you wish, then browse to your token file, which will be named something along the lines of 012345-20-1_TOKEN.xml
Type in the password that was generated on download, then click on “Submit Job”
Once you have imported your token batch you will be able to right-click any of your users within the Security Console and assign tokens.
With the new version of RSA Authentication Manager you can give your users the URL of the Self-Service Portal so that they can log in and create their PIN, which forms part of the complete passcode.
A passcode consists of your 4-8 digit PIN followed by the digits shown on the RSA token.
Once the tokens have been imported and assigned and the user has set up their PIN, the only remaining step is to install an Agent on a server.
Download the Agent from this location:
Once you have downloaded it, place it in a directory on the server and log on to that server to start the install.
Before starting the install, make sure you also have the sdconf.rec file on the server you are installing the agent on.
To get this file, log on to the RSA server and open Security Console > Access > Authentication Agents > Generate Server Certificate > click Download Now
*The sdconf.rec file is required for the installation to complete.
Extract the agent installation files and run Setup.exe, going through the wizard.
The wizard itself is pretty self-explanatory, but if you have any problems just contact me or the RSA Support Team. Once the installation is complete, restart the server; you can generally log in with COMPUTERNAME\Administrator in the first instance.
All the standard settings on the agent installation are pretty much how they should be, unless you are going to have a Remote Desktop Services server (Terminal Server), where you will need to make the following change.
Open “RSA Security Centre” > Click on the “Configuration” tab > Click on “Local” > Select “Challenge” and De-Select “Send Domain and User Name to RSA Authentication Manager”
The reason you have to make that change is that RSA Authentication Manager is only set up to use your USERNAME, not DOMAINNAME\USERNAME, so authentication at logon will fail. In Server 2008, even if you type in just the username, the domain name is sent automatically, so this setting stops that.
To test the authentication, go to “Authentication Test” and type in your RSA username and the passcode for that user; if it comes back successful then everything should work fine.
If you are not going to use a Terminal Server then there is probably no need to make that change, but keep it in mind for Windows 7 computers as the same may apply there.
I hope this helps some people out there. I'll be honest, I am no RSA expert and there are probably other ways to set this up, especially doing things like LDAPS as opposed to plain LDAP so that RSA can write back to AD, but in this instance it was not required for me.
If you have any further problems I would recommend contacting RSA Support, they are very helpful and know what they are talking about.
Tel: 01344 781100