Walk-through for RSA SecurID Authentication for ISA Server 2006 Part 3: Configure ISA Authentication and Delegation

• Configuring Authentication on the Listener

• On the Authentication tab of the Listener, select “HTML Form Authentication” from the drop down list and select “RSA SecurID” as the Authentication Validation Method.

• Check “Collect additional delegation credentials in the form” if you would like ISA to delegate Active Directory credentials to the published server. NOTE: In order to delegate Basic or NTLM credentials, you must select “Collect additional delegation credentials in the form”


• Configuring Delegation on the Publishing Rule

On the Authentication Delegation tab of the Publishing Rule, choose one of the following options:

1. No delegation, but the client may authenticate directly

User will receive the RSA Authentication form and an HTTP Authentication pop-up prompting for Active Directory credentials.

NOTE: if you choose “No Delegation…”, you must choose “Require all users to authenticate” to receive the RSA authentication form.

NOTE: If you choose “No Delegation…”, you will receive an HTTP Authentication pop-up, even if you checked “Collect additional delegation credentials in the form”

    2. Basic, NTLM or Negotiate (Kerberos/NTLM) Authentication

 User will receive a form prompting for both RSA and Active Directory credentials.

NOTE: In order to delegate credentials using Basic, NTLM or Negotiate (Kerberos/NTLM), you must select “Collect additional delegation credentials in the form”

NOTE: If you select NTLM or Negotiate (Kerberos/NTLM) delegation, the published server must be configured to accept Integrated authentication.

3. RSA SecurID

User will receive only the RSA Authentication form. Once the user is successfully authenticated by the RSA Authentication Manager, the ISA server will delegate these RSA credentials to the published server; therefore the published server should be configured to accept RSA credentials. For example, the published server is IIS with the RSA web agent installed. In the scenario, the IIS (with RSA web agent) is another Agent Host of the RSA Authentication Manager.


Richard Barker

Security Support Engineer