MsExchange Blog Spot Telnet25

September 3, 2009

RSA SecurID Ready Implementation Guide Exchange 2007 ISA Server 2006

Filed under: General — telnet25 @ 1:58 am

I spent quite a bit of time getting this working (-: and figured out that the official published guide needs serious updates, which I addressed in all the previous articles; here I am putting a summary together……

Anyway, if you are planning to implement RSA in your environment, reading the previous articles will save you tons of headaches, trust me (-:, I learned the hard way and, as always, don't want anyone to go through the same path, hence I am sharing with you guys the missing parts of this document. OWA is already standard for most government places, and two-factor authentication is the way to go for most remote access scenarios. First, download the official RSA implementation guide from here


Now you will need to click here to get the SDTEST.EXE utility


Now you are ready to move on; pay attention to the steps below

  • After downloading SDTEST.EXE, make sure you get it working before you start messing with the ISA server or the Exchange server. If SDTEST will not succeed, you will waste your time!!!
  • Ask the RSA administrator to follow the steps in the RSA guide and make sure you have the sdconf.rec file for this agent host


Once you get this file, copy it to both of the following directories on each ISA server

  • <windir>\System32 folder
  • C:\Program Files\Microsoft ISA Server\sdconfig folder

On the ISA server, if you have two legs (internal and external) as below


make sure you add a static route so that the test utility and the ISA agent are able to talk to the RSA servers through the internal leg.

Issue route print and note:

  • the gateway for the internal network
  • the ISA server's internal IP
Then add a persistent route for the RSA server network via the internal gateway (the angle-bracketed values are placeholders for your own addresses):
route add <RSA server network> mask <netmask> <internal gateway> -p


  • Add the following String Value registry entry on each ISA array member, then restart the Firewall service (wspsrv.exe)


  • Key: HKEY_LOCAL_MACHINE\Software\SDTI\AceClient
  • Value name: PrimaryInterfaceIP
  • Data: the IP address assigned to the interface that communicates with the RSA server (the internal leg in the two-leg setup above)




  • After restarting the Firewall service, test once more; bingo, it works



  • Before we move on, copy the local node secret file SECURID from <windir>\system32 into the SDConfig folder.
  • SECURID from <windir>\system32 to …\Microsoft ISA Server\sdconfig
  • On each ISA server, run the SDTEST.EXE utility. This utility allows you to test user authentication from an Agent Host to the RSA Authentication Manager server. Upon a successful user authentication, the Node Secret file (SECURID) is created in the <windir>\system32 folder; ISA only reads it from the sdconfig folder, which is why it has to be copied.
  • The node secret is a shared secret between this agent host and the Authentication Manager; keep the NTFS permissions on both copies restricted to administrators and do not leave it on a share or in a backup that non-administrators can read.


  • Read this to understand why you just did the above (-:
  • The SDTEST Authentication Utility is used to verify that a computer running ISA Server can authenticate to a computer running RSA Authentication Manager. Note the following: SDTEST.EXE requires SDCONF.REC to be located in the …\system32 folder to run and test authentication successfully. However, for ISA Server to successfully authenticate to the RSA server, SDCONF.REC must be located in the …\Microsoft ISA Server\sdconfig folder. Also note that SDTEST.EXE does not require a Node Secret to authenticate, but ISA Server does require a Node Secret to authenticate.
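The checklist above (sdconf.rec in two folders, the SECURID node secret copied into sdconfig, PrimaryInterfaceIP set under HKLM\Software\SDTI\AceClient, and a persistent route to the RSA server out of the internal leg) is easy to get half right on one array member and not the other. The script below is an added example, not part of the original post and not RSA's or Microsoft's tooling: run it on each ISA array member before launching SDTEST.EXE and it reports which of those prerequisites is missing, with the remediation command for each. The RSA Authentication Manager address (10.1.1.50) and the ISA install path are assumed values; the file, folder, registry and service names are the ones the post and the ISA product use.

```powershell
# Added example (not from the original post or from RSA/Microsoft documentation).
# Pre-flight check for the RSA Authentication Agent pieces on an ISA Server 2006 array member.
# Run from an elevated PowerShell prompt on the ISA box itself.
# Assumptions: $RsaServer is your Authentication Manager IP (10.1.1.50 is a placeholder);
# $IsaRoot is the default ISA 2006 install folder.

function ConvertTo-UInt32 ([string]$DottedIp) {
    # Dotted quad -> unsigned 32-bit integer so routes can be mask-compared.
    $bytes = [System.Net.IPAddress]::Parse($DottedIp).GetAddressBytes()
    [Array]::Reverse($bytes)
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-RsaAgentConfig {
    param(
        [string]$RsaServer = '10.1.1.50',                              # assumed RSA Authentication Manager IP
        [string]$IsaRoot   = "$env:ProgramFiles\Microsoft ISA Server"  # default ISA 2006 install folder
    )
    $system32    = Join-Path $env:windir 'System32'
    $sdconfigDir = Join-Path $IsaRoot 'sdconfig'
    $aceKey      = 'HKLM:\Software\SDTI\AceClient'
    $problems    = @()

    # 1. sdconf.rec in BOTH folders: SDTEST.EXE reads System32, the ISA agent reads sdconfig.
    foreach ($dir in @($system32, $sdconfigDir)) {
        if (-not (Test-Path (Join-Path $dir 'sdconf.rec'))) {
            $problems += "sdconf.rec missing from $dir (Copy-Item <sdconf.rec from RSA admin> '$dir')"
        }
    }

    # 2. Node secret: SDTEST creates SECURID in System32 on the first successful auth,
    #    but ISA only authenticates with a copy in sdconfig. It is a shared secret with
    #    the Authentication Manager, so keep it on administrator-only ACLs.
    if (-not (Test-Path (Join-Path $sdconfigDir 'SECURID'))) {
        $problems += "SECURID node secret missing from $sdconfigDir (run SDTEST successfully, then Copy-Item '$system32\SECURID' '$sdconfigDir')"
    }

    # 3. PrimaryInterfaceIP must be an address actually bound on this host (the internal leg).
    $localIps = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
                ForEach-Object { $_.IPAddress } |
                Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' }
    $primary = (Get-ItemProperty -Path $aceKey -Name PrimaryInterfaceIP -ErrorAction SilentlyContinue).PrimaryInterfaceIP
    if (-not $primary) {
        $problems += "PrimaryInterfaceIP not set (New-ItemProperty -Path '$aceKey' -Name PrimaryInterfaceIP -PropertyType String -Value <internal leg IP>; then Restart-Service fwsrv to restart wspsrv.exe)"
    } elseif ($localIps -notcontains $primary) {
        $problems += "PrimaryInterfaceIP=$primary is not bound on this host (local addresses: $($localIps -join ', '))"
    }

    # 4. With two legs the default route points out the external leg, so the RSA server
    #    needs an explicit (non-default) route via the internal gateway: route add ... -p
    $target   = ConvertTo-UInt32 $RsaServer
    $specific = Get-WmiObject Win32_IP4RouteTable | Where-Object {
        $_.Destination -ne '0.0.0.0' -and
        ((ConvertTo-UInt32 $_.Destination) -eq ($target -band (ConvertTo-UInt32 $_.Mask)))
    }
    if (-not $specific) {
        $problems += "no non-default route covers $RsaServer (route add <RSA server network> mask <netmask> <internal gateway> -p)"
    }

    if ($problems.Count -eq 0) {
        Write-Host "OK: agent files, registry value and routing look right; now run SDTEST.EXE."
    } else {
        $problems | ForEach-Object { Write-Host "FIX: $_" }
    }
    return ($problems.Count -eq 0)
}

Test-RsaAgentConfig -RsaServer '10.1.1.50'
```

The route check deliberately ignores the 0.0.0.0 default route, because on a two-leg ISA server that route points at the external gateway and is exactly what makes the agent unable to reach the RSA server; only a more specific route that matches the RSA address under its own mask counts. Re-run the script after the first successful SDTEST so step 2 confirms the node secret really landed in sdconfig before you touch the listener.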

Now move on to the ISA Server configuration

  • Backup ISA Configuration
  • Configure CAS Listener
  • Configure client authentication on the listener

Here is the link; click on the picture


Configure the Exchange default website; click on the picture for details



Now it is time to test it


I hope this saves time and headaches for some of you out there



oz Casey Dedeal,

MVP (Exchange)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +


