I recently got a case where the ISA Server stops authenticating the Clients. It might fail after a restart or after a time frame.

This started happening after they upgraded their RSA Server to the new version.
 
Tracing:
The ISA Tracing shows the following.
 
05579 [0]49c.2e0 05/03/2013-20:17:38.363 [049c41f9 049c41fb] [WP_TRAFFIC public TrRecvFromClientNoServer IsaTracePub_WP_TRAFFIC.h@47] Noise:(1.1.1.1:51763 ==> 2.2.2.2:443)   (no server connection), 652 bytes, "POST /CookieAuth.dll?Logon HTTP/1.1..Accept: text/html, application/xhtml+xml, */*..Referer: https://apmail.whitecase.com/CookieAuth.dll?GetLogon?curl=Z2Fexchange&reason=0&formdir=1..Accept-Language: en-GB..User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)..Content-Type: application/x-www-form-urlencoded..Accept-Encoding: gzip, deflate..Host: apmail.whitecase.com..Content-Length: 171..DNT: 1..Connection: Keep-Alive..Cache-Control: no-cache....stage=useridandpasscode&curl=Z2Fexchange&flags=0&sessionid=0&forcedownlevel=0&formdir=1&trusted=0&userid=username&password=abcxyz123Down&passcode=12345678&SubmitCreds=Log+On", 0(ERROR_SUCCESS)
05727 [0]49c.2e0 05/03/2013-20:17:38.364 [049c41f9 049c41fb] [SECURIDFLT filter CSecurIDAuthenticationProvider::CallLogon SecurIDAuthProvider.cpp@833] Info: WPPISAPUBLIC:Context property:Logon stage = useridandpasscode
05732 [0]49c.2e0 05/03/2013-20:17:38.364 [049c41f9 049c41fb] [SECURIDFLT filter SecurIDAuthProvider.cpp@2819] Entering CSecurIDAuthenticationProvider::PassCode
05735 [0]49c.2e0 05/03/2013-20:17:38.364 [049c41f9 049c41fb] [SECURIDFLT filter CSecurIDAuthenticationProvider::PassCode SecurIDAuthProvider.cpp@2910] Info:Validating passcode with Ace/Server
06016 [1]49c.2e0 05/03/2013-20:17:40.819 [049c41f9 049c41fb] [SECURIDFLT filter CSecurIDAuthenticationProvider::PassCode SecurIDAuthProvider.cpp@2964] Info:Passcode rejected for username.
 
Interesting part on this case was that the ISA Server will fail authenticating the client but the SDTest will pass.
 
Resolution:
We found out that the “secureid” version was different in the ISA Folder.
For the ISA to work with the Secure ID we need the following file and the below location:
Files:

1.    SDCONF.REC

2.    Secureid

Location:

1.    C:\windows\system32\

2.    C:\Program Files\Microsoft ISA Server\SDCONFIG

In this case the “secureid” file was missing from the ISA directory. Once we placed the files in it started working as expected.

In case of the RSA Server upgrade the above files needs to be replaced with the new one.
Kumar Jayant
Senior Support Engineer.
Microsoft CSS.