000030252 - How to change the location of node secret or sdconf.rec file for the Authentication Agent for Windows 7.2.1

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000030252
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.0
Issue: The error "Node secret mismatch; cleared on agent but not on server" appears on authentication attempts from the agent. Non-privileged users did not have permission to write to the \Windows\System32 directory on the Epic server, which was using an older Agent API.
Tasks: Edit the registry to modify the default location of the node secret.
Resolution: RFE AAWIN-2201 was opened to allow modifying the location of the agent's node secret. Engineering responded that it is possible to make this change through the Windows registry. The functionality is similar to that of the agent API's rsa_api.properties file, where you can enter SDCONF_LOC= and SDNDSCRT_LOC= for the sdconf.rec and securid node secret locations.

This is basically because the work-around of having an administrator perform the first test authentications to create the node secret, or relax the Windows security features enough to allow a user to create the node secret in the RSA default location; \Windows\System32 in older versions of our Windows agent, 
Newer versions of our agent write the node secret to \Program Data\Common Files\RSA Shared\Auth Data to avoid using any of the Windows directories.
To change the location:

  1. Open the registry key HKLM\SOFTWARE\RSA\RSA Authentication Agent.
  2. There should be a REG_SZ value named AuthDataDir. The default data is typically "C:\Program Files\Common Files\RSA Shared\Auth Data". This AuthDataDir value determines where the agent stores data files such as the node secret (securid) and sdconf.rec.
Note that some products that use the RSA SecurID API may have slight variations on this value. For example, since Epic Hyperspace only uses a few select SecurID files, we had to use a different registry setting. In this case, using the key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Epic Systems Corporation\Hyperspace\RSA Integration with a REG_SZ value named ConfigFilePath and data of C:\ProgramData\Epic\RSA resolved the issue.
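
Steps 1 and 2 in PowerShell, added here as an illustration and not RSA's own tooling: the script records the current AuthDataDir, points it at a new directory, reports where sdconf.rec and securid are present, and lists the new directory's ACL so write access can be reviewed. The target path D:\RSA\AuthData is an assumed example value; run it from an elevated prompt.

```powershell
# Added example, not RSA tooling. Run from an elevated PowerShell prompt.
$KeyPath = 'HKLM:\SOFTWARE\RSA\RSA Authentication Agent'  # key from step 1
$Name    = 'AuthDataDir'                                  # value from step 2
$NewDir  = 'D:\RSA\AuthData'                              # assumed example path

if (-not (Test-Path -Path $KeyPath)) {
    throw "Registry key not found: $KeyPath"
}

# Record the current value so the change can be reverted.
$old = (Get-ItemProperty -Path $KeyPath).$Name
Write-Output "Previous ${Name}: $old"

# Create the target directory if it does not exist yet.
if (-not (Test-Path -LiteralPath $NewDir)) {
    New-Item -ItemType Directory -Path $NewDir | Out-Null
}

# Write AuthDataDir as REG_SZ (overwrites an existing value of that name).
New-ItemProperty -Path $KeyPath -Name $Name -Value $NewDir `
    -PropertyType String -Force | Out-Null

# Report which agent data files exist in the old and new locations.
$dirs = @($old, $NewDir) | Where-Object { $_ }
foreach ($dir in $dirs) {
    foreach ($file in 'sdconf.rec', 'securid') {
        $present = Test-Path -LiteralPath (Join-Path $dir $file)
        Write-Output ("{0,-10} in {1}: {2}" -f $file, $dir, $present)
    }
}

# List who can access the new directory. The accounts that authenticate
# through the agent need write access to create the node secret; review
# that write access is not granted more broadly than that.
(Get-Acl -LiteralPath $NewDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```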