Problem Definition
Since the release of RSA 7.0.1 Agent for Windows 2008, our customers have been experiencing authentication problems when using Citrix Web Interface 5.x.
This case study explains the reason why RSA 7.0.1 Agent for Windows 2008 is not yet supported on Web Interface 5.x and what is the current solution for it.
Environment
- Windows Server 2008 (64-bit)
- Web Interface 5.1.2
- RSA Agent 7.0.1 for Windows Server 2008 (64-bit)
Troubleshooting Methodology
Web Interface 5.1.2 cannot authenticate users when using the RSA 7.0.1 Agent on Windows 2008 because RSA with the new RSA Agent 7.0.1 for Windows Server 2008 changed the location of the main DLL files that Web Interface uses to authenticate users against RSA.
Examine the screen shot below.
Web Interface when tries to authenticate users using this version of the RSA Agent, it makes a call to the secureid.aspx file (located under \inetpub\wwwroot\Citrix\<SiteName>\auth), then, Web Interface tries to contact aceclnt.dll file. This file is the main DLL for RSA to authenticate users.
As you can see from the above screen shot, Web Interface cannot find this aceclnt.dll file anywhere under the Windows, Program Files, and so on. directories. As a result, users get the following error on their browsers when authenticating at the Web Interface login page:
“An authentication error has occurred. Please contact your system administrator. Log ID: #”
Back on Web Interface, checking Event Viewer > Application log, this is the error reported by Web Interface:
“Site path: c:\inetpub\wwwroot\Citrix\RSA.
There was a problem with the RSA SecurID Agent. Check that it is installed correctly. [Log ID:#]”
The new location for the RSA DLL files on RSA Agent 7.0.1 can be found under:
C:\Program Files\Common Files\RSA Shared
On previous versions of the RSA Agent (like 6.1), this file is located by default, usually under \Windows\System32.
The screen shot below shows a successful logon using RSA 6.1 Agent:
By design, Web Interface checks the old file structure of the RSA Agent to locate the aceclnt.dll and because it cannot find it, it denies access to users.
Resolution
There is a workaround for current Web Interface 5.4 and earlier 5.x versions. Check CTX125097 - Native RSA SecurID 7.x Authentication Does Not Work with Web Interface 5.x and/or CTX126843 - How to Configure Web Interface 5.3/5.4 on Windows 2008 (32-bit and 64-bit) with RSA Authentication Agent 7.x and RSA Authentication Manager 6.x and 7.x