Walk-through for RSA SecurID Authentication for ISA Server 2006 Part 2: ISA Array Members Preparation

• System Policy Rules and Registry Values

• Enable the SecurID System policy rule on each ISA Array Member


• Add the following String Value registry entry on each ISA Array Member (and then restart the Firewall service):

PrimaryInterfaceIP

HKEY_LOCAL_MACHINE\Software\SDTI\AceClient

Where the string value of PrimaryInterfaceIP is the IP address assigned to the interface that communicates with the RSA Server.


• Create Node Secret on each ISA array member

• There are two separate options available for creating the Node Secret on the ISA Array members.

1. If you manually created the node secret on the RSA Server and then copied NODESECRET.REC (and AGENT_NSLOAD.EXE) to the respective ISA Array member…

• On each ISA server, run the following from a command prompt:

AGENT_NSLOAD.EXE -f NODESECRET.REC -p <node secret password>

This creates the Node Secret file (SECURID) in the <windir>\system32 folder.

• Copy SECURID from …\system32 to …\Microsoft ISA Server\sdconfig

2. If you did not previously create the Node Secrets on the RSA Server, you can manually create the Node Secrets on each ISA Array member by using the SDTEST.EXE utility.

• On each ISA Server, run the SDTEST.EXE utility. This utility allows you to test user authentication from an Agent Host to the RSA Authentication Manager Server. Upon a successful user authentication, the Node Secret file (SECURID) will be created in the <windir>\system32 folder.


• Copy SECURID from <windir>\system32 to …\Microsoft ISA Server\sdconfig

Additional Notes on using the SDTEST.EXE utility…

• If this is the first time authenticating to the RSA server with this user, you may be prompted to create a PIN. If so, enter a new PIN. Once a new PIN is created, the RSA authentication passcode for this user will be:

<PIN><passcode displayed on the token>

• The SDTEST.EXE tool (RSA Test Authentication Utility) is available for download at:

http://www.microsoft.com/technet/isa/downloads/2006/tools/default.mspx

The SDTEST Authentication Utility is used to verify that a computer running ISA Server can authenticate to a computer running RSA Authentication Manager. Note the following:

• SDTEST.EXE requires SDCONF.REC to be located in the …\system32 folder in order to run and test authentication successfully. However, for ISA Server itself to authenticate to the RSA server, SDCONF.REC must be located in the …\Microsoft ISA Server\sdconfig folder.

• SDTEST.EXE does not require a Node Secret to authenticate, but the ISA Server does require a Node Secret to authenticate.
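Because the two utilities and the ISA firewall service each look for their files in different places, a mismatch is easy to miss on one member of an array. The following PowerShell pre-flight check is an added example (not from the original post) that verifies, on a single ISA array member, the items described above: the PrimaryInterfaceIP registry value exists and matches an address bound to a local interface, and both SECURID and SDCONF.REC are present in the sdconfig folder. It assumes the default install path C:\Program Files\Microsoft ISA Server (override with -IsaRoot) and that the firewall service's short name is fwsrv.

```powershell
# Added example: SecurID prerequisite check for one ISA 2006 array member.
# Assumptions: default ISA install path below; firewall service name fwsrv.
param(
    [string]$IsaRoot = "C:\Program Files\Microsoft ISA Server"  # assumed default path
)

$regPath  = "HKLM:\Software\SDTI\AceClient"
$sdconfig = Join-Path $IsaRoot "sdconfig"
$problems = @()

# 1. PrimaryInterfaceIP must exist and be an address assigned to a local interface
#    (the interface that talks to the RSA Authentication Manager).
$ip = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).PrimaryInterfaceIP
if (-not $ip) {
    $problems += "String value PrimaryInterfaceIP is missing under $regPath"
} else {
    $localIps = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE" |
        ForEach-Object { $_.IPAddress }
    if ($localIps -notcontains $ip) {
        $problems += "PrimaryInterfaceIP ($ip) is not bound to any local interface"
    }
}

# 2. The firewall service reads SDCONF.REC and the Node Secret (SECURID) from
#    ...\sdconfig, not from system32 where AGENT_NSLOAD.EXE / SDTEST.EXE leave SECURID.
foreach ($name in "SDCONF.REC", "SECURID") {
    if (-not (Test-Path (Join-Path $sdconfig $name))) {
        $hint = ""
        if (Test-Path (Join-Path $env:windir "system32\$name")) {
            $hint = " (it exists in system32 but was not copied)"
        }
        $problems += "$name not found in $sdconfig$hint"
    }
}

if ($problems.Count -eq 0) {
    Write-Host "SecurID prerequisites look complete on $env:COMPUTERNAME"
    # The registry change only takes effect after the Microsoft Firewall service
    # restarts; uncomment when ready (service short name assumed to be fwsrv).
    # Restart-Service -Name fwsrv
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it once on each array member after the copy step; a non-zero exit code means at least one prerequisite is still missing on that node.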

Richard Barker

Security Support Engineer