I'm trying to integrate Forefront TMG and RDS with SecurID authentication. I believe I'm very close to having it working, but I'm hitting a brick wall.
I have "require pre-authentication" set, and "pre-authentication server name" configured, as indicated in so many forum posts and HOWTOs.
No matter what I do, clients receive the error "authentication to the firewall failed due to missing firewall credentials." This isafter they have already successfully authenticated and visited the /RDWeb pages.
Using the TMG logs, procmon, and wireshark, I am 100% certain that no network activity is occurring from the RDP client when this error occurs; this error is being generated entirely on the client side, before it attempts to connect to anything. I understand that this is what is expected; it is checking for the existence of a cookie.
But the cookie doesn't exist. Why? Because nothing is setting one. The only cookies the client receives during the entire process (logging in to rdweb and trying to launch an app) are the SecurID domain SSO cookie I set in TMG, and the persistent authentication cookie I also set in TMG. RDweb itself is not issuing any cookie at all.
Can anyone please explain to me, what specific cookie is the RDP client looking for when "require pre-authentication" is enabled? And which component is meant to be setting it?
Obviously I'd be very grateful if anyone can tell me "run this command and it will start working" or whatever, but I'm really hoping to gain an engineering-level understanding of how it'smeant to work ;)