|Applies To||RSA Product Set: SecurID|
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
|Issue||This article explains how to configure SecurID authentication on the Microsoft Forefront Threat Management Gateway (TMG) server.|
In order for the TMG server to successfully authenticate with Authentication Manager, a node secret must be established between the Authentication Manager server and the TMG server.
Unlike other authentication agents, the node secret is not created automatically during the first successful authentication between the TMG and the Authentication Manager server. The node secret must therefore be created manually on the TMG server from the command line, but running the command Agent_nsload.exe -f nodesecret.rec -p <password> fails to generate the node secret:
Additionally, if you copy agent_nsload.exe and nodesecret.rec to the <windir>\System32 directory and execute agent_nsload.exe from the <windir>\System32 folder, you may receive the following error:
You may receive the error message above even when a valid copy of sdconf.rec exists in the <windir>\System32 directory.
|Cause||TMG is only supported on Windows 2008. Windows 2008 is a 64-bit (x64) operating system which includes a feature called File System Redirector. When a 32-bit application attempts to install to, read from, or write to the <windir>\System32 directory, the File System Redirector intercepts the call and redirects it to <windir>\sysWOW64.|
Agent_nsload.exe requires data from the sdconf.rec file to successfully establish the node secret. When run on a 32-bit version of Windows, Agent_nsload.exe attempts to read sdconf.rec from <windir>\System32, but when run on an x64 version of Windows, it attempts to read sdconf.rec from <windir>\sysWOW64. Because it is unable to locate sdconf.rec in the <windir>\sysWOW64 folder, it fails with one of the errors listed above.
|Notes||Make sure to run Agent_nsload.exe from a command prompt with elevated privileges (i.e. Run as administrator), even when logged in as an administrator. Otherwise the securid file will end up in C:\Users\<myaccount>\AppData\Local\VirtualStore\Windows\SysWOW64.|
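
The conditions described under Cause and Notes can be checked before running Agent_nsload.exe. The following PowerShell check is an added example, not RSA's own tooling. The function name Test-NodeSecretPrereqs is hypothetical; the file names sdconf.rec and securid and the directories are the ones named in this article.

```powershell
# Added example: pre-flight check before running Agent_nsload.exe on a TMG host.
# Test-NodeSecretPrereqs is a hypothetical name; paths and file names are from the article.
function Test-NodeSecretPrereqs {
    $windir = $env:windir

    # A 32-bit process on 64-bit Windows has PROCESSOR_ARCHITEW6432 set, and its
    # view of System32 is redirected to SysWOW64 by the File System Redirector.
    $is32on64 = [bool]$env:PROCESSOR_ARCHITEW6432
    $is64os   = $is32on64 -or ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64')

    # From a redirected 32-bit shell, the Sysnative alias reaches the real System32,
    # so the two directories are never confused with each other below.
    if ($is32on64) { $realSys32 = Join-Path $windir 'Sysnative' }
    else           { $realSys32 = Join-Path $windir 'System32' }
    $sysWow64 = Join-Path $windir 'SysWOW64'

    # Elevation: an administrator account in a non-elevated prompt returns False here.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Location named in the Notes for a node secret written without elevation.
    $strayFile = Join-Path $env:LOCALAPPDATA 'VirtualStore\Windows\SysWOW64\securid'

    New-Object PSObject -Property @{
        Is64BitOS             = $is64os
        ShellIsRedirected     = $is32on64
        Elevated              = $elevated
        SdconfInSystem32      = (Test-Path (Join-Path $realSys32 'sdconf.rec'))
        SdconfInSysWOW64      = (Test-Path (Join-Path $sysWow64 'sdconf.rec'))
        SecuridInVirtualStore = (Test-Path $strayFile)
    }
}

$r = Test-NodeSecretPrereqs
$r | Format-List
if ($r.Is64BitOS -and -not $r.SdconfInSysWOW64) {
    Write-Warning 'sdconf.rec is not in SysWOW64, where Agent_nsload.exe reads it on x64 Windows.'
}
if (-not $r.Elevated) {
    Write-Warning 'Prompt is not elevated; the securid file would be written to the VirtualStore.'
}
if ($r.SecuridInVirtualStore) {
    Write-Warning 'A securid file from an earlier non-elevated run exists in the VirtualStore.'
}
```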