Problem
You are attempting to configure SecurID authentication on the TMG server. In order for the TMG server to successfully authenticate with the RSA Authentication Manager, a Node Secret must be established between the RSA Authentication Manager and the TMG server.
One method that can be used to create the Node Secret is the AGENT_NSLOAD.exe utility provided by RSA. See the following blog post for more information on establishing the Node Secret with AGENT_NSLOAD.exe:
http://blogs.technet.com/isablog/archive/2008/02/07/walk-through-for-rsa-securid-authentication-for-isa-server-2006-part-2-isa-array-members-preparation.aspx
When you attempt to manually create the Node Secret on the TMG server using the following command:
Agent_nsload.exe -f nodesecret.rec -p <password>
You may receive the following error:
Loading Node Secret….
Error retrieving sdconf.rec
ERROR! Can’t find file, C:\WINDOWS\system32<garbage characters>
Additionally, if you copy agent_nsload.exe and nodesecret.rec to the <windir>\system32 folder and execute agent_nsload.exe from the <windir>\system32 folder, you may receive the following error:
Loading Node Secret….
Error retrieving sdconf.rec
ERROR! Cannot determine target filename.
NOTE: You may receive the above error message even when a valid copy of sdconf.rec exists in the <windir>\system32 folder.
Explanation
TMG is only supported on Windows 2008. Windows 2008 is a 64-bit (x64) operating system which includes a feature called File System Redirector. When a 32-bit application attempts to install to, read from, or write to the <windir>\system32 directory, the File System Redirector intercepts the call and redirects it to <windir>\sysWOW64.
AGENT_NSLOAD.exe requires data from the sdconf.rec file to successfully establish the node secret. When run on a 32-bit version of Windows, Agent_nsload.exe attempts to read the sdconf.rec from <windir>\system32, but when run on an x64 version of Windows, it attempts to read the sdconf.rec from <windir>\sysWOW64. Because it is unable to locate sdconf.rec in the <windir>\sysWOW64 folder, it fails with one of the above errors.
Resolution
Copy the following files to the <windir>\sysWOW64 folder:
Agent_nsload.exe
Nodesecret.rec
Sdconf.rec
Execute the following command from the <windir>\sysWOW64 folder:
Agent_nsload.exe -f nodesecret.rec -p <password>
Agent_nsload.exe will then create the node secret file (securid <no extension>) in the <windir>\sysWOW64 folder.
You can then copy the newly created node secret (securid) to the following folders:
-<windir>\system32 – to be used with TMG versions of the SDTEST.exe utility
-<TMG install folder>\sdconfig – to be used by TMG for SecurID authentication.
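The resolution steps above as a single script, with pre-flight checks for the two ways the node secret ends up in the wrong place on this page: file system redirection, and running without elevation. This is an added example, not code from the original post or from RSA or Microsoft; `$SourceDir` and `$TmgDir` are assumed parameter names, and the VirtualStore location checked is the standard per-user one.

```powershell
# Added example, not from the original post. Run from an elevated 64-bit PowerShell prompt.
# $SourceDir and $TmgDir are assumed parameter names; pass your <TMG install folder> as $TmgDir.
param(
    [string]$SourceDir = '.',   # folder holding Agent_nsload.exe, nodesecret.rec, sdconf.rec
    [Parameter(Mandatory=$true)][string]$TmgDir
)

# A 32-bit shell is itself redirected, so "System32" below would silently mean SysWOW64.
if ([IntPtr]::Size -ne 8) { throw 'Run this from 64-bit PowerShell.' }

# Without elevation, UAC virtualization diverts the securid file to the per-user VirtualStore.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Not elevated: start the prompt with "Run as administrator".'
}

$sys32 = Join-Path $env:windir 'System32'
$wow64 = Join-Path $env:windir 'SysWOW64'

# Stage the three files where the 32-bit utility actually looks.
foreach ($f in 'Agent_nsload.exe', 'nodesecret.rec', 'sdconf.rec') {
    Copy-Item (Join-Path $SourceDir $f) $wow64 -ErrorAction Stop
}

# Load the node secret from SysWOW64, using the command line given in the post.
$password = Read-Host 'Node secret file password'
Push-Location $wow64
try { & .\Agent_nsload.exe -f nodesecret.rec -p $password }
finally { Pop-Location }

# Confirm the securid file landed in SysWOW64 and not in a virtualized copy.
$securid = Join-Path $wow64 'securid'
$stray = Join-Path $env:LOCALAPPDATA 'VirtualStore\Windows\SysWOW64\securid'
if (Test-Path $stray) { Write-Warning "Virtualized copy found: $stray" }
if (-not (Test-Path $securid)) { throw "securid was not created in $wow64" }

# Distribute the node secret to the two locations listed above.
Copy-Item $securid $sys32 -ErrorAction Stop
Copy-Item $securid (Join-Path $TmgDir 'sdconfig') -ErrorAction Stop
```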
Author
Richard Barker
Sr. Security Support Engineer
Microsoft CSS Forefront Edge Team
Additional note: make sure to run Agent_nsload.exe from a Command Prompt with elevated privileges, even when logged in as an admin (i.e. "run as administrator").
Otherwise the securid file will end up in C:\User\<myaccount>\AppData\Local\VirtualStore\Windows\SysWOW64