Manually creating the SecurID Node Secret fails on Forefront TMG.

  • Article

Problem

You are attempting to configure SecurID authentication on the TMG server. In order for the TMG server to successfully authenticate with the RSA Authentication Manager, a Node Secret must be established between the RSA Authentication Manager and the TMG server.

One method that can be used to create the Node Secret is to use the AGENT_NSLOAD.exe utility provided by RSA. Please see the following Blog for more information regarding establishing the Node Secret using AGENT_NSLOAD.exe
http://blogs.technet.com/isablog/archive/2008/02/07/walk-through-for-rsa-securid-authentication-for-isa-server-2006-part-2-isa-array-members-preparation.aspx

When you attempt to manually create the Node Secret on the TMG server using the following command:

Agent_nsload.exe –f nodesecret.rec –p <password>

You may receive the following error:

Loading Node Secret….
Error retrieving sdconf.rec
ERROR! Can’t find file, C:\WINDOWS\system32<garbage characters>

Additionally, if you copy agent_nsload.exe and nodesecret.rec to the <windir>\system32 folder and execute agent_nsload.exe from the <windir>\system32 folder, you may receive the following error:

Loading Node Secret….
Error retrieving sdconf.rec
ERROR! Cannot determine target filename.

NOTE: You may receive the above error message even when a valid copy of sdconf.rec exists in the <windir>\system32 folder.

Explanation

TMG is only supported on Windows 2008. Windows 2008 is a 64-bit (x64) operating system which includes a feature called File System Redirector. When a 32-bit application attempts to install or read/write to/from the <windir>\system32 directly, the file system redirection intercepts the call and it gets redirected to <windir>\sysWOW64.

AGENT_NSLOAD.exe requires data from the sdconf.rec file to successfully establish the node secret. When run on a 32-bit version of Windows, Agent_nsload.exe attempts to read the sdconf.rec from <windir>\system32, but when run on an x64 version of Windows, it attempts to read the sdconf.rec from <windir>\sysWOW64. Because it is unable to locate sdconf.rec in the <windir>\sysWOW64 folder, it fails with one of the above errors.

Resolution

COPY the follow files to the <windir>\sysWOW64 folder:

Agent_nsload.exe
Nodesecret.rec
Sdconf.rec

Execute the following command from the <windir>\sysWOW64 folder:

Agent_nsload.exe –f nodesecret.rec –p <password>

Agent_nsload.exe will create then create the node secret file (securid <no extension>) in the <windir>\sysWOW64 folder.

You can then copy the newly created node secret (securid) to the following folders:

-<windir>\system32 – to be used with TMG versions of the SDTEST.exe utility
-<TMG install folder>\sdconfig – to used by TMG for SecurID authentication.

Author
Richard Barker
Sr. Security Support Engineer
Microsoft CSS Forefront Edge Team