Walk-through for RSA SecurID Authentication for IAG 2007 – Part 1 of 2

RSA Authentication Manager Server Configuration


Disclaimer: Many of the steps outlining the configuration of the RSA Authentication Manager software are not directly supported by Microsoft. They should be used as a guideline to help familiarize and guide you in this configuration.  For additional assistance in directly configuring the RSA Authentication Manager Software, please review your RSA SecurID documentation.


Creating Users and Agent Hosts


          Import Tokens from Seeds files

The seed can be an *.asc or *.xml file and is typically supplied with the token<s>.  The seed is the tokens’ factory encoded random key.  Each token has a unique key (seed).  The seed file is imported into the associated RSA Authentication Manager server.

          Add users and assign a Token to each user

User accounts information is added to the RSA Authentication Manager.  These accounts can be AD accounts or manually created.  Each account created is assigned a Token.

Figure 1

          Synchronize the Token

Each Token has a built-in clock that must be in sync with the RSA Authentication Managers’ clock.  If the Tokens’ clock is out of sync, authentication will fail.  It is typically a good idea to synchronize the Token after assigning it to a user. 

          Create Agent Host

Agent Hosts are servers or devices that directly authenticate against the RSA Authentication Manager.  In this case, the Agent Host is the IAG server.

          Use the resolvable FQDN for the Agent Host

When creating the Agent Host entry, make sure to use the Fully Qualified Domain Name of the IAG server.  Also make sure that the RSA Authentication Manager server can correctly resolve this FQDN to the correct internal IP address of the IAG server.

          Select “Net OS Agent” as the Agent Type

Figure 2


          Activate Users on the Agent Host.

For any Agent Host to successfully authenticate a user, that users account must be Activated on that Agent Host.

Figure 3


Create Configuration Files and Node Secrets


          Create SDCONF.REC file for the Agent Host

The SDCONF.REC can be generated for each Agent Host.  Or a single SDCONF.REC can be generated for all Agent Hosts.  The SDCONF.REC contains RSA Authentication Manager configuration information.  This includes ports, processes, etc., essential to the authentication service.

          Copy each SDCONF.REC file from the RSA Authentication Manager to its matching Agent Host computer (i.e. IAG server).  Copy to  …\system32 folder on the IAG server.



Richard Barker

Security Support Engineer – ISA/IAG Team

Microsoft – NC

Comments (2)

  1. Anonymous says:

    Last post we reviewed the RSA Agent configuration, now we are going to cover the IAG. IAG 2007 Configuration

  2. Rajesh Kumar C D (Celestix) says:

    In ISA –> Firewall –> System policy –> by default RSA configuration will be disabled. We need to enable that configuration also. This is not mentioned in this Blogs

Skip to main content