
RSA SecurID and Microsoft® Mobile Information Server 2002 Integration


Technical Paper

Published: March 2002


Table of Contents

Introduction
Two-Factor Authentication
How RSA SecurID Works
RSA ACE/Server
RSA ACE/Agent
RSA SecurID Authenticators
MIS and RSA SecurID

Deploying RSA SecurID with MIS

Uninstall MIS
Prepare the Network Environment
Install MIS Using RSA SecurID Setup
Install the RSA ACE/Agent on the MIS Server
Activate the RSA ACE/Agent on the MIS Server
Configure the RSA ACE/Agent to Protect MIS Virtual Directories
Tell Your Users How to Use the RSA SecurID Authenticator

Conclusion

Additional Resources


For the latest information, please see http://www.microsoft.com/miserver.

Introduction
Microsoft® Mobile Information Server 2002 (MIS) provides secure access to
internal resources and services for wireless device users. Using MIS, your
company’s users can access resources, such as their Microsoft Exchange 2000
mailboxes, anywhere, anytime on a range of devices. The flexibility that MIS
provides, however, comes with the need for enhanced security for your corporate
intranet.

If you already deployed MIS or you plan to deploy MIS and you use
RSA ACE/Server to manage authentication policies for your network, you can use
the RSA SecurID solution to authenticate users who will use MIS to browse their
Exchange data with Outlook® Mobile Access.

This paper explains the RSA SecurID solution and describes how to use the
RSA SecurID solution to authenticate users to MIS servers on the intranet. This
paper covers the following topics:
• Two-factor authentication
• How RSA SecurID works
• RSA SecurID and MIS
• Issues with the wireless authentication process
• Deploying RSA SecurID with MIS
For MIS documentation, see http://www.microsoft.com/miserver/support/.
For RSA SecurID documentation, see http://www.rsasecurity.com/.
To benefit from using RSA ACE/Server and RSA SecurID with MIS, you must
have a thorough understanding of how RSA SecurID and MIS work together.
This paper assumes that you are familiar with standard MIS concepts and
deployment topologies and that you have a basic understanding of
RSA ACE/Server and RSA SecurID. If you are unfamiliar with MIS,
RSA ACE/Server, or RSA SecurID, review the product documentation for both
products before implementing the scenario described in this paper.

Two-Factor Authentication

The most advanced and secure authentication mechanism is called “two-factor
authentication.” Two-factor authentication requires the user to have two different
forms of proof of identity. Microsoft Windows® 2000 Server and Windows 2000
Advanced Server include the ability to use smart cards for two-factor
authentication. With a smart card and a smart card reader, the user can prove their
identity with two factors: the physical smart card itself and a personal identification
number (PIN) associated with the smart card, which the user memorizes. The use
of smart cards and certificate authentication is deployed as part of a public key
infrastructure (PKI).

RSA Security also offers the RSA SecurID authenticators for providing two-factor
authentication. RSA SecurID authenticators are hardware devices that a user uses
to receive an automatically generated access code—a set of constantly changing
numbers. Users enter the access code in combination with their assigned PIN to
gain access to internal networks. A user’s PIN combined with an RSA access code is
referred to as a passcode. Using passcodes to authenticate to a network or
resource is an acceptable substitute for smart card and PKI two-factor
authentication. This RSA SecurID solution is especially useful because the currently
available wireless devices, such as cell phones and personal digital assistants
(PDAs), do not offer PKI solutions for two-factor authentication. RSA provides
several different types of RSA SecurID authenticators. For more information about
the various RSA SecurID authenticators, visit the RSA Web site at
http://www.rsasecurity.com/products/securid/index.html.

How RSA SecurID Works

The RSA SecurID solution helps you manage authentication policies for your
internal network and enhance the security of your internal network authentication
process. To take advantage of the enhanced security offered by the RSA two-factor
authentication process, you must deploy an RSA ACE/Server computer and an
RSA ACE/Agent and then distribute the RSA SecurID authenticators to your users.
The RSA solution requires the following products:

• RSA ACE/Server
• RSA ACE/Agent
• RSA SecurID authenticators

For more information about the products offered by RSA, see the RSA Web site at
http://www.rsasecurity.com/.

RSA ACE/Server
The RSA ACE/Server computer is an authentication server that manages the
authentication process for your users. For more information about RSA ACE/Server,
see the RSA Web site at
http://www.rsasecurity.com/products/securid/datasheets/dsace50.html.

If you already deployed an RSA ACE/Server computer in your organization, you can
easily add the remaining components of the RSA SecurID solution.

RSA ACE/Agent
The RSA ACE/Agent protects your internal resources. Install an RSA ACE/Agent on
each resource that you want to protect with RSA ACE/Server authentication.
RSA ACE/Server works with the RSA ACE/Agent to protect resources by verifying
user account information. In this way, the RSA ACE/Agent becomes the gatekeeper
for the information that you designate it to protect. When you deploy the
RSA ACE/Agent on your MIS server, select the RSA ACE/Agent Web Access
Authentication option to protect the OMA and OMA55 Internet Information
Services (IIS) virtual directories that MIS uses to allow users to browse Exchange
data. The RSA ACE/Agent can protect only the In virtual directory and the OMA
and OMA55 virtual directories for browsing Exchange data. The RSA ACE/Agent
cannot protect the other MIS virtual directories that provide additional features,
such as synchronizing Exchange data.

When you use the RSA ACE/Agent to protect the In virtual directory, MIS performs
no authorization using the user alias. Access to the Web content is performed as
the configured access user, not as the individual user who authenticated using
RSA SecurID. However, the RSA SecurID solution ensures that only authenticated
users may get access to the Web content.

Important You must select only the In, OMA, and OMA55 virtual
directories as the directories that you will protect with the
RSA ACE/Agent. If you select other MIS virtual directories, certain MIS
features, such as Server ActiveSync® and Outlook Mobile Access
notifications, will stop functioning.

RSA SecurID Authenticators

RSA SecurID authenticators are the hardware component of the RSA SecurID
solution. Users use authenticators to receive an RSA SecurID PIN. When users
attempt to authenticate to an internal resource, they append the RSA SecurID PIN
to their RSA SecurID password, creating a passcode that, if recognized, gives the
user access to the network or resource.

RSA SecurID authenticators are available in several different options including:

• Hardware tokens
• Software tokens
• Key fobs
• Smart cards

These hardware and software authenticators work with the RSA security products
to authenticate your users to your internal network or resource. For more
information about RSA SecurID authenticators, see the RSA Web site at
http://www.rsasecurity.com/products/securid/tokens.html.

MIS and RSA SecurID

MIS allows your users to access their Exchange information on Wireless Application
Protocol (WAP) devices. When your users authenticate on a WAP device, MIS
authenticates the user by verifying account information on the domain controllers.

When you use the RSA SecurID solution, the RSA ACE/Server computer and
RSA ACE/Agent work together to authenticate your users.

If you already deployed an RSA ACE/Server computer, or plan to deploy an
RSA ACE/Server computer in your organization, you can use the RSA SecurID
solution to manage the way that users authenticate to gain access to Exchange
data using MIS.

When you deploy MIS, an important deployment step is to decide which security
topology to use for your wireless accounts. MIS allows several different security
topologies for WAP browsing. These security topologies allow you to create
auxiliary accounts for your users to browse Exchange data. When you deploy MIS
with RSA SecurID, you use a different installation procedure that does not require
you to specify a security topology. Instead, you use a special user account model
that uses the Access User account in conjunction with the account information on
the RSA ACE/Server computer you deployed in your organization.

With this Access User account model, a special user account called the Message
Processor handles browse requests. The Message Processor account has special
permissions to resources, such as Exchange mailboxes. For more information about
the Access User account and the various security topologies in MIS, see MIS Help.

When your users attempt to authenticate to an MIS server, the RSA ACE/Agent
checks to see if the authentication request contains a cookie with their
authenticated user account name. If the cookie is not present, the RSA ACE/Agent
prompts the user for his or her account name and passcode. After the user enters
the account name and passcode, the RSA ACE/Agent verifies this information with
the RSA ACE/Server computer. If the RSA ACE/Server computer authenticates the
user, the RSA ACE/Agent provides a cookie for the user to use.

Important For RSA SecurID to work properly, the WAP gateway, the
carrier, and the devices that the users are using must support cookies.

Figure 1 shows the RSA SecurID two-factor authentication process.

Figure 1 The RSA SecurID authentication process

When a user requests data, the process works as follows:

1. User makes a request. When a user with a wireless device and an
RSA SecurID authenticator attempts to browse his or her Exchange data, the
request is sent to a WAP gateway and is then routed to the MIS server.

2. RSA ACE/Agent checks for cookie. The RSA ACE/Agent receives a request
for a Web server; the RSA ACE/Agent checks for a cookie containing the user
name and passcode. If the cookie is not present, the user is prompted for a
user name and RSA SecurID passcode.

3. RSA ACE/Server computer verifies credentials. After the RSA ACE/Agent
verifies that the user name and passcode are present in the cookie, the
information is sent to the RSA ACE/Server computer to verify the supplied
credentials. If the credentials supplied by the user are correct, the
RSA ACE/Server computer authenticates the user and the RSA ACE/Agent
sends a cookie to the device to use for the remaining session.

4. MIS server processes request. The MIS server takes the user name from
the cookie for the request and accesses the appropriate Exchange 2000
mailbox.

The RSA ACE/Server database, which contains the details of the user accounts
from Active Directory® directory service, provides the authentication. After the
RSA ACE/Server computer authenticates the user, the MIS server allows the user
to browse the Exchange data to which he or she requested access.
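
The request flow in steps 1 through 4, modelled as an added Python example (not code from this paper, from RSA, or from Microsoft). Because MIS reads the user name from the cookie, the model makes the cookie tamper-evident; the HMAC-tagged cookie format, the PIN-then-access-code passcode order, the sample user record, and the /other-vdir path are assumptions constructed for illustration, since the paper does not describe the real cookie format.

```python
"""Toy model of the cookie-gated browse flow (constructed example)."""
import hashlib
import hmac

# The only virtual directories the paper says to protect with the agent.
PROTECTED_VDIRS = {"in", "oma", "oma55"}

# Assumption: the agent tags its cookie with a server-side HMAC key so the
# user name cannot be edited on the device. The real cookie format is not
# described in the paper.
COOKIE_KEY = b"constructed-demo-key"

# Constructed stand-in for the RSA ACE/Server database:
# user name -> (PIN, access code currently shown on the authenticator).
ACE_SERVER_DB = {"alice": ("4821", "159759")}


def ace_server_verify(user, passcode):
    """Stand-in for the ACE/Server check; passcode = PIN + access code (assumed order)."""
    record = ACE_SERVER_DB.get(user)
    if record is None:
        return False
    pin, access_code = record
    return hmac.compare_digest(passcode.encode(), (pin + access_code).encode())


def _tag(user):
    """HMAC tag binding a cookie to one user name (assumed scheme)."""
    return hmac.new(COOKIE_KEY, user.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user):
    """Cookie handed to the device after a successful passcode check."""
    return f"{user}|{_tag(user)}"


def cookie_user(cookie):
    """Return the user name carried by a valid cookie, else None."""
    if not cookie or "|" not in cookie:
        return None
    user, tag = cookie.rsplit("|", 1)
    if hmac.compare_digest(tag.encode(), _tag(user).encode()):
        return user
    return None


def agent_gate(path, cookie=None, credentials=None):
    """Decide what the agent does with one request.

    Returns (action, user, set_cookie).
    """
    vdir = path.strip("/").split("/", 1)[0].lower()
    if vdir not in PROTECTED_VDIRS:
        return ("pass-through", None, None)      # not gated by the agent
    user = cookie_user(cookie)
    if user is not None:
        return ("forward-to-mis", user, None)    # step 4: MIS reads the user name
    if credentials is None:
        return ("prompt", None, None)            # step 2: no cookie, ask for passcode
    name, passcode = credentials
    if ace_server_verify(name, passcode):        # step 3: ACE/Server verifies
        return ("forward-to-mis", name, issue_cookie(name))
    return ("deny", None, None)


def demo():
    """Walk one session: prompt, log on, reuse the cookie, then an edited cookie."""
    first = agent_gate("/OMA/inbox")
    logon = agent_gate("/OMA/inbox", credentials=("alice", "4821159759"))
    reuse = agent_gate("/OMA/calendar", cookie=logon[2])
    edited = agent_gate("/OMA/inbox", cookie=logon[2].replace("alice", "bob", 1))
    return [first[0], logon[0], reuse[0], edited[0]]


if __name__ == "__main__":
    print(demo())
```

A cookie whose user name was changed on the device no longer matches its tag, so the gate falls back to the passcode prompt instead of forwarding the request under another mailbox name.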

Deploying RSA SecurID with MIS


If you already deployed MIS, and you want to deploy RSA SecurID, you must
uninstall MIS and then reinstall MIS using the RSA SecurID Setup option. If you
have not deployed MIS, proceed to the “Install MIS Using RSA SecurID Setup”
section later in this document. Deploying RSA SecurID with MIS involves the
following steps:
1. Uninstall your existing MIS deployment.
2. Prepare your network environment.
3. Install MIS using RSA SecurID Setup.
4. Install the RSA ACE/Agent on the MIS server.
5. Activate the RSA ACE/Agent on the MIS server.
6. Tell your users how to use the RSA SecurID authenticators.

Uninstall MIS

If you already deployed MIS in your organization, and you want to use
RSA SecurID, you must uninstall all of the MIS servers and any MIS components,
and then reinstall MIS using the RSA SecurID Setup option. You will no longer need
computers dedicated as domain controllers to hold special account information
because the RSA ACE/Server computer will contain and manage all the user
account information.

Uninstalling MIS involves the following steps:

1. Uninstall Mobile Information Server 2002.
2. If you have computers running Exchange 2000 in your MIS deployment,
uninstall Exchange 2000 Event Source.
When you remove MIS from your network, make sure that the server is not in
use. If the MIS server is in use, users will receive errors when they attempt to
browse data with their device and receive non-delivery reports (NDRs) for failed
notifications. Therefore, before you uninstall MIS from a server, verify the
following:
• No SMTP connector exists between an Exchange 2000 routing group and the
MIS server.
• The MIS host record (IP address) is not part of a round-robin Domain Name
System (DNS) configuration.
• Users are not using MIS as part of a browse URL.
Before you remove MIS, verify that you have the proper permissions to uninstall
MIS from the server. To uninstall MIS, you must be a member of the Microsoft
Mobility Admins group as well as a member of the local Administrators group on
the computer from which you are uninstalling MIS.

Important You must close System Manager before you remove MIS
from a server. Uninstall will fail if System Manager is open when you try to
remove MIS.

To remove MIS from a server


1. On the server running MIS, click Start, click Settings, and then click Control
Panel.
2. Double-click Add/Remove Programs.
3. In Change or Remove Programs, select Mobile Information Server.
4. Click Remove.
5. Click Yes to confirm that you want to remove MIS.
6. On the warning about wireless enabled users, click Yes.
After you uninstall MIS, if you are using Exchange Event Source so that your users
can receive notifications, you must uninstall Exchange Event Source on the
Exchange 2000 servers in your network.

To remove Exchange 2000 Event Source


1. Log on to the Exchange server with an account that is a member of the
Microsoft Mobility Admins and the local Administrators group.
2. Click Start, click Settings, and then click Control Panel.
3. In Control Panel, double-click Add/Remove Programs.
4. On Change or Remove Programs, select Mobile Information Server.
5. Click Remove.
6. Click Yes to confirm that you want to remove MIS.
7. On the warning about wireless enabled users, click Yes.
In addition to removing Exchange 2000 Event Source, you must also remove any
MIS-specific connectors that were configured on the Exchange 2000 server. For
example, remove any SMTP connectors that were configured to point to an MIS
server. For information about removing Exchange connectors, see Exchange 2000
Help.

When you reinstall MIS, Active Directory instance data, such as which security
topology you chose, will be replaced with the new information that is required for
the RSA SecurID Setup option.

Prepare the Network Environment

If you already installed MIS in your network, proceed to the “Install MIS Using RSA
SecurID Setup” section later in this document.

Before you install MIS for the first time in your network, you must prepare your
network environment. To prepare your network environment, you must run MIS
ForestPrep and MIS DomainPrep. Running MIS ForestPrep updates Active Directory
with the schema changes and instance data that MIS requires. These changes are
permanent and cannot be undone. For more information about running ForestPrep,
see Mobile Information Server Help.

You also need to run MIS DomainPrep in every domain that will contain an MIS
server. Running MIS DomainPrep creates instance data for the domain, such as
system accounts and MIS security groups used at the domain level by MIS.

Note: DomainPrep will not recognize other security groups that might
have permission to modify the domain, such as Enterprise Administrators.
You must run DomainPrep as a user who is a member of the Domain
Admins security group.

Running both MIS ForestPrep and DomainPrep creates permanent changes to
Active Directory that cannot be undone. Before you prepare your network
environment, you should familiarize yourself with MIS ForestPrep and MIS
DomainPrep. For complete descriptions of how to prepare your network
environment, see Mobile Information Server Help.
To run ForestPrep
1. Insert the Mobile Information Server 2002 CD into the computer’s CD-ROM
drive.
2. Open a command prompt: click Start, click Run, type CMD, and then press
ENTER.
3. At the command prompt, type e:\Setup /vFORESTPREP=1, where e: is the
CD-ROM drive, and then press ENTER.
4. A dialog box appears that asks you to verify the schema update. Click OK to
update the schema.
5. On the Microsoft Mobility Admins group page, in the Domain Name box,
type the name of the domain in which the Microsoft Mobility Admins group is
created. If you are using Exchange 2000 with MIS, specify the domain in which
the servers running Exchange 2000 are deployed. Click Next.
Your Active Directory Schema is extended with the changes required by MIS. In
addition, ForestPrep creates the Microsoft Mobility Admins group in the Users
container of the specified domain and gives permissions to the Configuration
container in Active Directory.

After you run ForestPrep, you can run DomainPrep in every domain that will
contain an MIS server.
To run DomainPrep
1. Insert the Mobile Information Server 2002 CD into the computer’s CD-ROM
drive.
2. Open a command prompt: click Start, click Run, type CMD, and then press
ENTER.
3. At the command prompt, type e:\Setup /vDOMAINPREP=1, where e: is the
CD-ROM drive, and then press ENTER.
4. A dialog box appears that asks you to verify the domain update. Click OK to
update the domain.
5. On the ENTEVENTSOURCE Account page, in the Password box, type a
password that the ENTEVENTSOURCE account will use. Re-type the password in
the Confirm New Password box, and then click Next.
6. On the Message Processor page, in the Password box, type a password that
the Message Processor account will use. Re-type the password in the Confirm
New Password box, and then click Next.
7. On the HTTP Connectors page, in the Password box, type a password that
the HTTPConnector account will use. Re-type the password in the Confirm
New Password box, and then click Next.
8. When the Installation Wizard Completed page appears, click Finish.
9. In addition to running DomainPrep, you must add the Microsoft Mobility Admins
group to the Account Operators group in each domain that will have an MIS
server. After you run DomainPrep, add Microsoft Mobility Admins to the Account
Operators group in the domain.
After you prepare your Active Directory Forest and Domain, configure the
network as necessary for your deployment scenario. For more information
about how to configure your network environment, including topology
considerations; enabling support for Exchange 5.5; and securing your internal
network for browse, notification, and synchronization traffic, see Mobile
Information Server Help.

Install MIS Using RSA SecurID Setup

After you prepare your network environment, you can install MIS using the RSA
SecurID Setup option. Before you proceed with deploying MIS, make sure you have
a thorough understanding of the deployment options available with MIS Setup,
including which MIS features you will install. For more information about MIS Setup
options, see MIS Help.

Because you will deploy MIS using the special RSA SecurID Setup, MIS Setup
assumes that you already deployed an RSA ACE/Server computer in your internal
network to manage your authentication policies.

Notes

• To use RSA SecurID with MIS, you must have an ACE/Server computer
already installed in your internal network.

• When you deploy MIS using the special RSA SecurID Setup, the only
option you will not have is which type of wireless accounts you will
use.

To install MIS using RSA SecurID Setup

1. Insert the Mobile Information Server 2002 CD into the CD-ROM drive.

2. Open a command prompt: click Start, click Run, type CMD, and then press
ENTER.

3. At the command prompt, type e:\Setup /vSecurID=1, where e: is the CD-ROM
drive, and then press ENTER.

4. On the Mobile Information Server 2002 Welcome page, click Next.

5. On the Licensing Agreement page, read the End User License Agreement. If
you agree, select I accept the terms in the license agreement, and then
click Next.

6. On the per-seat Licensing Agreement page, if you accept the terms of the
license agreement, select I have read and accept the terms in the license
agreement, and then click Next.

7. On the Product Identification page, type the 25-digit CD key. You can find
the CD key on the back of the product CD case. Click Next.

8. On the Component Selection page, select the MIS components you want to
install. If you have previously deployed MIS, install the same components that
you used in your previous deployment.

Figure 2 Component Selection page
9. To install Mobile Information Server administrative tools on the MIS server
(recommended), ensure that Administrative Tools is selected. To see the
three tools, expand the Administrative Tools component. The tools are:
• System Manager. You use the MIS System Manager snap-in to
administer and monitor your MIS servers and users.
• User Personalization. Users access the Personalization Web page to
customize their notification and browse settings. This page must be
installed on the user’s Exchange server. You can install this tool on other
servers, but it will redirect users to the Personalization page installed on
their Exchange server. IIS must be installed on the computer on which
this tool is installed.
• User Configuration. Installing the User Configuration tool adds the
Wireless Mobility tab to the user property page in Active Directory
Users and Computers and installs the Enterprise Device Setup tool.
You use the Wireless Mobility tab to grant wireless access to users so
they can use their devices to receive notifications and to browse their
data. You also use the Wireless Mobility tab to activate server
synchronization for Pocket PC users. Enterprise Device Setup allows you
to perform the tasks associated with configuring your users or a group of
users at one time.
a. If you want to change the installation path for MIS, click Change, type the
path in the Folder name field, and then click OK.
b. Click Next.

10. If you see the Message Processor page, in Password, type the password
that was specified for the Message Processor account during DomainPrep. The
Message Processor account is a system account used by MIS. Click Next.

11. If you see the HTTP Connectors page, in Password, type the password that
was specified for the HTTPConnector account during DomainPrep. The
HTTPConnector account is a system account used by MIS. Click Next.

12. On the Ready to Install the Program page, click Install.

MIS begins the installation process with the options you selected.

Install the RSA ACE/Agent on the MIS Server

After you install the MIS server using RSA SecurID Setup, you must install the
RSA ACE/Agent on the MIS server for the RSA SecurID authenticators to work. The
RSA ACE/Agent v5.0 for Windows software uses the RSA ACE/Agent’s Web access
authentication to set RSA SecurID protection on the MIS resources (the In, OMA
and/or OMA55 virtual directories) that you make available to your users.

To access a free download or order a CD of the RSA ACE/Agent software, see the
RSA Security Inc. Web site at http://www.rsasecurity.com/go/win2000.html

To install the RSA ACE/Agent on the MIS server


1. Log on with an account that has Administrator permissions on the local
computer.
2. Open a command prompt, browse to the location of the Agent.exe file, and type
file location\Agent.exe, where file location is the location of the Agent.exe
file, and then press ENTER.
3. In the Warning dialog box that says, “RSA ACE/Server and SecurID tokens are
required to use the RSA ACE/Agent,” if you have an RSA ACE/Server computer
and RSA SecurID tokens, click OK.
4. On the Welcome page, click Next.
5. On the Customer Location page, click the area where you are located.
6. On the License Agreement page, if you agree with the terms of the license
agreement, click Yes.
7. On the Select Components page, select Web Access Authentication
(Server), and then click Next.
Note The Administrators Guide and documentation, Control Panel applet,
and common shared files are automatically installed when you select this
option.
8. On the Location of the Root Certificate “sdroot.crt” page, if you are using
RSA ACE/Agent Network as a root authority, enter the location of the sdroot.crt
file, and then click Next. Otherwise, leave this field blank, and then click Next.
9. On the Location of RSA Ace/Server configuration record “sdconf.rec”
page, browse to the location of the RSA ACE/Server record file, and then click
Next.
10. If you want to register your RSA product, click to select Register now, and
then click Next.
11. On the Setup Complete page, click Yes to restart your computer.
Note: You must restart the computer after you install RSA ACE/Agent.

The RSA ACE/Agent is now installed on your MIS server. You must now configure
your MIS server to use the RSA ACE/Agent to protect the IIS virtual directories
that you want the RSA ACE/Agent to protect.

Activate the RSA ACE/Agent on the MIS Server

After you install the RSA ACE/Agent on the MIS server, you must activate the
RSA ACE/Agent to protect the IIS virtual directories that you will make available to
your users.

To activate the RSA ACE/Agent to protect the MIS IIS virtual directories
1. Log on to the MIS server with an account that has Administrator permissions on
the local computer.
2. In the Internet Services Manager Microsoft Management Console (MMC)
snap-in, right-click Default Web Site, click Properties, and then click the
RSA SecurID tab.
3. Click to select Enable RSA Web Access Authentication Feature set on this
server, and then click Apply.
4. Make sure that the Protect this resource check box is cleared, and then click
OK.
WARNING Do not select Protect this resource. If you select this
check box, certain MIS features, such as Server ActiveSync and Outlook
Mobile Access notifications, will stop functioning.
5. Stop and restart the IIS Web publishing service.

Configure the RSA ACE/Agent to Protect MIS Virtual Directories


After you activate the RSA ACE/Agent on the MIS server, you must configure
the RSA ACE/Agent to protect the IIS virtual directories In, OMA, and OMA55.
WARNING Do not protect any other MIS virtual directory with the
RSA ACE/Agent.

To protect the In, OMA, and OMA55 virtual directories


1. Log on with an account that has Administrator permissions on the local
computer.
2. In the Internet Services Manager MMC snap-in, right-click Default Web
Site, and then click Properties.
3. Right-click the OMA virtual directory, and then click Properties.
4. Click the RSA SecurID tab.
5. To protect this virtual directory with the RSA ACE/Agent, click to select Protect
this resource, and then click OK.
The OMA virtual directory is now protected by the RSA ACE/Agent. Users who want
to access the OMA virtual directory to browse their Exchange 2000 mailbox must
now use the RSA SecurID authenticator with their MIS password to authenticate.

If you want to protect the OMA55 and In virtual directories, follow the previous
procedure for both virtual directories.

After you protect the In, OMA, and OMA55 virtual directories, you can proceed
with configuring your MIS server as explained in the MIS product documentation.

Tell Your Users How to Use the RSA SecurID Authenticator

To use the RSA SecurID authenticator to enter passcodes, your users must
understand how passcodes are generated so they can use the two-factor
authentication process. After you deploy the RSA ACE/Agent with MIS, distribute
the RSA SecurID authenticators and then describe in detail how users must use the
RSA SecurID authenticators to access MIS.

Instructions describing the logon process are included with the RSA ACE/Agent
software. The document is located in the following location:

%Systemroot%\system32\aceclnt\rsa.pin.doc

For more information about logging on with RSA SecurID authenticators, see the
online tutorial available at
http://www.rsasecurity.com/products/securid/demos/SecurIDTour/RSASecurIDTour.html

Conclusion
Using RSA SecurID with MIS greatly enhances the security of authenticating to a
network resource with WAP 1.x devices. When requests for information come in
from the Internet, the RSA ACE/Server, RSA ACE/Agent, and the MIS server work
together with the user, his or her device, and his or her RSA SecurID authenticator
to provide secure access to your internal network.

Combined with security solutions such as Secure Sockets Layer (SSL), Internet
Protocol security (IPSec), and Microsoft Internet Security and Acceleration Server
(ISA) as a front-end server, RSA SecurID enhances the security of your internal
network.

Additional Resources
For more information:

http://www.microsoft.com/miserver/

http://www.rsasecurity.com

http://www.rsasecurity.com/products/securid/datasheets/dsace50.html

http://www.rsasecurity.com/products/securid/index.html

http://www.rsasecurity.com/products/securid/demos/SecurIDTour/RSASecurIDTour.html

Did this paper help you? Please give us your feedback. On a scale of 1 (poor) to
5 (excellent), how would you rate this paper?

mailto:exchdocs@microsoft.com?subject=Feedback: RSA SecurID and Microsoft Mobile Information Server 2002 Integration


The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of
publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part
of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS
TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this
document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give
you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and
events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo,
person, place or event is intended or should be inferred.

© 2002 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveSync, Outlook, and Windows are either registered trademarks or trademarks of Microsoft Corporation in
the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
