Thursday, 13 August 2009

‘106: The Web server is busy. Try again later.’ Error when Using RSA SecurID Enabled HTML Forms Authentication

I have come across this error quite a few times now and haven’t seen it officially documented (that I know of). Here is a screenshot of the error when using an Outlook Web Access publishing rule.

RSA SecurID Error

The error is pretty generic (read cryptic!) and doesn’t really explain the actual problem. You would assume from the error text that there is a problem with the published web server; from experience, that is not the problem at all!

In fact what this error should say is “Cannot connect to the RSA Authentication Manager server(s) at this time.” or something similar. In my experience, this error is often shown for one of two reasons.

Firstly, if you configure a web listener to use RSA SecurID authentication and you have not correctly installed the sdconf.rec file, then you will receive this error. As discussed in the documents referenced at the end of this blog entry, the sdconf.rec file needs to be placed in the %Program Files%\Microsoft ISA Server\sdconfig folder for correct operation.

Secondly, even with a correctly installed sdconf.rec file, you may still experience this error if the ISA Server is not able to connect to the RSA Authentication Manager servers defined within the sdconf.rec file. This is normally a pure communications or access issue between the ISA Server and the RSA Authentication Manager servers themselves.

Looking at the comment text in the HTML Forms strings.txt file, we can see the following statement:

ACE/Server is not responding error, we do not tell users about it, the administrator knows from the event log.

Consequently, it would appear that this error is purposefully generic for some reason. An obvious next step (well, to my thinking) is to modify the text to be a little more informative. However the error text string is located in the Microsoft ISA Server 2006 internal strings section of strings.txt which should not be edited, as recommended by Microsoft.

A good overview of the process to configure ISA Server with RSA SecurID authentication can be found in the following documents.

RSA Documents:

RSA SecurID Implementation Guide for ISA Server 2006

Microsoft Documents:

Authentication in ISA Server 2006

Walk-through for RSA SecurID Authentication for ISA Server 2006 - Part-1: RSA Authentication Manager Server Configuration

Walk-through for RSA SecurID Authentication for ISA Server 2006 - Part-2: ISA Array Members Preparation

Walk-through for RSA SecurID Authentication for ISA Server 2006 - Part-3: Configure ISA Authentication and Delegation 

So, easy when you know how, but again, not the most useful or informative error message for a user to receive…

I hope this was useful…

2 comments:

  1. Thanks a lot. Very useful information.

    ReplyDelete
  2. Thanks so much, spent 30 minutes trying to figure out what's going on my TMG server before running across this, RSA was horked, as usual.

    ReplyDelete