RSA Authentication Agent 8.0 for Web for Internet Information Services Generates HTTP Error 500.21
2 years ago
Originally Published: 2016-03-02
Article Number
000055323
Applies To
RSA Product Set : SecurID
RSA Product/Service Type : RSA Authentication Agent for Web for IIS
RSA Version/Condition: 8.0
Platform : Windows
O/S Version : Microsoft Windows 2012 R2

 
Issue
RSA Authentication Agent 8.0 for Web for Internet Information Services is installed and generates an error when changing the  system variable USEUDP_ENV_VAR value from true to false.

NOTE: Default value upon installation is 'true' for the USEUDP_ENV_VAR system variable.

The error seen in the web browser is 'HTTP Error 500.21 - Internal Server Error | Handler "RSASecurIDHandlerMapping" has a bad module "SecurIDHandler" in its module list'

Example:
User-added image
Cause
Setting the USEUDP_ENV_VAR system variable value to false tells the RSA Authentication Agent 8.0 for Web for Internet Information Services to use the TCP protocol. A file called rsa_api.properties must be configured for the RSA Authentication Agent 8.0 for Web for Internet Information Services to use the TCP protocol to send authentications to an authentication manager 8.1 deployment else it will error when browsing to the protected web site (or protected web site folders).

 
Resolution

Troubleshooting and Conversion from UDP to TCP Usage

The suggestion would be to get the RSA Authentication Agent 8.0 for Web for Internet Information Services working for UDP (default) protocol
 
RSA Authentication Agent icon in the Control Panel can be used to perform test authentications to the authentication manager 8.1 deployment. This in turn will use the configuration record (sdconf.rec) to confirm communication to the authentication manager 8.1 deployment and generate sdstatus.12 and node secret file (securid).
 
To change the protocol used by the RSA Authentication  Agent 8.0 for Web for Internet Information Services to TCP 
  1. Windows Control Panel > System and System > System > Advanced system settings > click Environment Variables... button > in system variable highlight USEUDP_ENV_VAR > click Edit > change Variable value from true to false > click OK > click OK > click OK (returning to 'Control Panel > System and System > System')
  2. Open File Explorer and navigate to C:\Program Files\RSA Security\RSAWebAgent
  3. Create a new folder called Logs
  4. Make a copy of rsa_api.properties so you end up with a file called rsa_api - Copy.properties
  5. Edit rsa_api.properties
uncomment RSA_AGENT_NAME, RSA_AGENT_TYPE, RSA_AGENT_VERSION, RSA_AGENT_PLATFORM, SDCONF_LOC, RSA_CONFIG_DATA_LOC, RSA_LOG_FILE_LOC, RSA_LOG_LEVEL, RSA_LOG_FILE_SIZE & RSA_LOG_FILE_COUNT

ensure these variables are set correctly (useful to have RSA_LOG_LEVEL set to verbose)
 
Example:
#             RSA Authentication API Properties
# Use of rsa_api.properties file is optional. If it’s not used then Agent will work with default configuration

# Name of the agent. The same needs to be configured in AM. Default value is the Hostname of the machine
RSA_AGENT_NAME = <fully_qualified_hostname>

# Provide the Agent Type, default value is 'UnKnown'
RSA_AGENT_TYPE = RSA_WEB_AGENT

# Provide the Agent Version, default value is 'UnKnown'
RSA_AGENT_VERSION = 8.0

# Provide the Agent Platform, default value is 'UnKnown'
RSA_AGENT_PLATFORM = Windows_Server_2012_R2

# Path of the AM configuration file.
# For Windows
SDCONF_LOC = C:\Program Files\RSA Security\RSAWebAgent\sdconf.rec
# For Non-Windows
# SDCONF_LOC = /var/ace/RSA_AuthSDK/sdconf.rec

# Path of configuration file used to configure Load Balancing.
# For Windows
# SDOPTS_LOC = C:\RSA_AuthSDK\sdopts.rec
# For Non-Windows
# SDOPTS_LOC = /var/ace/RSA_AuthSDK/sdopts.rec

# Path of the Node Secret.
# For Windows
# SDNDSCRT_LOC = C:\RSA_AuthSDK\securid  
# For Non-Windows
# SDNDSCRT_LOC = /var/ace/RSA_AuthSDK/securid

# Folder location where "config.xml", "bootstrap.xml" and "root.cer" will be created.
# For Windows
RSA_CONFIG_DATA_LOC = C:\Program Files\RSA Security\RSAWebAgent\<fully_qualified_hostname>
# For Non-Windows
# RSA_CONFIG_DATA_LOC = /var/ace/RSA_AuthSDK

# Specify the list of encryption algorithms to be used for encryption while communicating with AM.
# RSA_ENC_ALGLIST = AES/24,AES/32,AES/16

# Specify the connection timeout for server connection in seconds. Default value will be taken from config.xml
# RSA_CONNECTION_TIMEOUT=60

# Specify the timeout for server connection in seconds. Default value will be taken from config.xml
# RSA_READ_TIMEOUT=60

# Folder name where the log files will be generated.
# For Windows
RSA_LOG_FILE_LOC = C:\Program Files\RSA Security\RSAWebAgent\Logs
# For Non-Windows
# RSA_LOG_FILE_LOC = /var/ace/RSA_AuthSDK/Logs

# Set log level to either of these values “verbose”, "info","warn","error".
RSA_LOG_LEVEL = verbose

# Log file size in KB. Maximum size is 1MB.
RSA_LOG_FILE_SIZE = 1024

# No. of log files to be created before log file rotation. Default value is 10.
RSA_LOG_FILE_COUNT = 10
 
  1. Copy sdconf.rec &  rsa_api.properties from C:\Program Files\RSA Security\RSAWebAgent into the C:\Windows\System32 folder
  2. Reset IIS with the command iisreset in Powershell
  3. Where the RSA Authentication Agent 8.0 for Web for Internet Information Services is protecting the web site does the local administrator get prompted for SecurID authentication when entering http://localhost into the local web browser?
NOTE: should the internal error still appear then the web agent is not happy about the rsa_api.properties file and an administrator is required to check the C:\Program Files\RSA Security\RSAWebAgent\Logs\aceclnt.txt log file for technical issues in the configuration.
Notes
Default installation folders for RSA Authentication Agent 8.0 for Web for Internet Information Services are C:\Program Files\RSA Security\RSAWebAgent and C:\Program Files (x86)\RSA Security\RSAWebAgent
 
Don't see what you're looking for?