Manually creating the SecurID Node Secret fails on Forefront TMG.


Problem

You are attempting to configure SecurID authentication on the TMG server. In order for the TMG server to successfully authenticate with the RSA Authentication Manager, a Node Secret must be established between the RSA Authentication Manager and the TMG server.

One method that can be used to create the Node Secret is the AGENT_NSLOAD.exe utility provided by RSA. See the following blog post for more information on establishing the Node Secret with AGENT_NSLOAD.exe:
http://blogs.technet.com/isablog/archive/2008/02/07/walk-through-for-rsa-securid-authentication-for-isa-server-2006-part-2-isa-array-members-preparation.aspx

When you attempt to manually create the Node Secret on the TMG server using the following command:

Agent_nsload.exe -f nodesecret.rec -p <password>

You may receive the following error:

Loading Node Secret….
Error retrieving sdconf.rec
ERROR! Can’t find file, C:\WINDOWS\system32<garbage characters>

Additionally, if you copy agent_nsload.exe and nodesecret.rec to the <windir>\system32 folder and execute agent_nsload.exe from the <windir>\system32 folder, you may receive the following error:

Loading Node Secret….
Error retrieving sdconf.rec
ERROR! Cannot determine target filename.

NOTE: You may receive the above error message even when a valid copy of sdconf.rec exists in the <windir>\system32 folder.

Explanation

TMG is supported only on the 64-bit (x64) edition of Windows Server 2008. 64-bit Windows includes a feature called the File System Redirector: when a 32-bit application attempts to install, read or write files in the <windir>\system32 directory, the redirector intercepts the call and transparently redirects it to <windir>\SysWOW64. Native 64-bit processes are not redirected and see the real <windir>\system32.

AGENT_NSLOAD.exe is a 32-bit executable and requires data from the sdconf.rec file to successfully establish the node secret. On a 32-bit version of Windows it reads sdconf.rec from <windir>\system32, but on an x64 version of Windows that same request is redirected to <windir>\SysWOW64. Because sdconf.rec is not present in the <windir>\SysWOW64 folder, the utility fails with one of the errors above, even though a valid sdconf.rec exists in <windir>\system32.

Resolution

COPY the following files to the <windir>\SysWOW64 folder:

Agent_nsload.exe
Nodesecret.rec
Sdconf.rec

Execute the following command from the <windir>\SysWOW64 folder:

Agent_nsload.exe -f nodesecret.rec -p <password>

Agent_nsload.exe will then create the node secret file (named securid, with no extension) in the <windir>\SysWOW64 folder.

You can then copy the newly created node secret file (securid) to the following folders:

-<windir>\system32: used by the TMG version of the SDTEST.exe utility
-<TMG install folder>\sdconfig: used by TMG for SecurID authentication
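The following PowerShell script is an added example that automates the resolution above; it is not part of the original post or an RSA or Microsoft tool. It checks that the prompt is elevated (an unelevated run leaves the securid file in the per-user VirtualStore instead of SysWOW64), shows what a 32-bit process sees when it asks for <windir>\system32\sdconf.rec, stages the three files in SysWOW64, runs agent_nsload.exe from there, verifies where the securid file landed, and copies it to system32 and the TMG sdconfig folder. The staging folder C:\RSA, the TMG install path, and the -f / -p switches used exactly as shown in the post are assumptions.

```powershell
<#
  Added example (not from the original post): establish the SecurID node secret
  on an x64 TMG server from the SysWOW64 folder and place the resulting
  'securid' file where SDTEST.exe and TMG look for it.
  Assumptions (not from the page): the three input files are staged in
  $SourceDir, the TMG install folder is the default below, and agent_nsload.exe
  accepts the -f / -p switches as shown in the post.
#>
param(
    [Parameter(Mandatory = $true)] [string] $NodeSecretPassword,
    [string] $SourceDir = 'C:\RSA',   # assumed staging folder for the RSA files
    [string] $TmgRoot   = "$env:ProgramFiles\Microsoft Forefront Threat Management Gateway"  # assumed default
)

$ErrorActionPreference = 'Stop'
$wow64    = Join-Path $env:windir 'SysWOW64'
$system32 = Join-Path $env:windir 'System32'

# 1. Refuse to run unelevated. Without admin rights UAC file virtualization
#    writes the 'securid' file to %LOCALAPPDATA%\VirtualStore\Windows\SysWOW64.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated Command Prompt / PowerShell (Run as administrator).'
}

# 2. Diagnostic: SysWOW64\cmd.exe is the 32-bit cmd, so its view of
#    %windir%\System32 is redirected to SysWOW64, exactly as agent_nsload.exe's is.
$seenBy32bit = & "$wow64\cmd.exe" /c "if exist %windir%\System32\sdconf.rec (echo present) else (echo missing)"
Write-Host "sdconf.rec as seen by a 32-bit process under System32: $seenBy32bit"
Write-Host "sdconf.rec really present in $system32 : $(Test-Path (Join-Path $system32 'sdconf.rec'))"

# 3. Stage the utility and both .rec files where the redirected lookups resolve.
foreach ($f in 'agent_nsload.exe', 'nodesecret.rec', 'sdconf.rec') {
    Copy-Item -Path (Join-Path $SourceDir $f) -Destination $wow64 -Force
}

# 4. Run agent_nsload.exe from SysWOW64 so relative file lookups resolve there too.
Push-Location $wow64
try {
    & ".\agent_nsload.exe" -f nodesecret.rec -p $NodeSecretPassword
    if ($LASTEXITCODE -ne 0) { throw "agent_nsload.exe exited with code $LASTEXITCODE" }
}
finally {
    Pop-Location
}

# 5. Verify the node secret landed in the real SysWOW64, not the per-user VirtualStore.
$secret  = Join-Path $wow64 'securid'
$virtual = Join-Path $env:LOCALAPPDATA 'VirtualStore\Windows\SysWOW64\securid'
if (Test-Path $virtual) { throw "Node secret was virtualized to $virtual; re-run from an elevated prompt." }
if (-not (Test-Path $secret)) { throw "agent_nsload.exe did not create $secret" }

# 6. Copy 'securid' to where the TMG SDTEST.exe (System32) and TMG itself (sdconfig) expect it.
$sdconfig = Join-Path $TmgRoot 'sdconfig'
if (-not (Test-Path $sdconfig)) { throw "TMG sdconfig folder not found: $sdconfig" }
Copy-Item -Path $secret -Destination $system32 -Force
Copy-Item -Path $secret -Destination $sdconfig -Force
Write-Host "Node secret installed from $secret to $system32 and $sdconfig"
```

Run it from an elevated PowerShell as `.\Install-TmgNodeSecret.ps1 -NodeSecretPassword '<password>'` (the script name is arbitrary). Step 2 is purely diagnostic: if it prints "missing" while the real path reports True, the File System Redirector is the cause and the copy in step 3 is what fixes it.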

Author
Richard Barker
Sr. Security Support Engineer
Microsoft CSS Forefront Edge Team


Comments (1)

  1. Dan says:

    Additional note; make sure to run Agent_nsload.exe from a Command Prompt with elevated privileges, even when logged in as an admin. (i.e. "run as administrator")

    Otherwise the securid file will end up in C:\Users\<myaccount>\AppData\Local\VirtualStore\Windows\SysWOW64