000016555 - Installing RSA Authentication Agent 7.2.1 (LAC) and Web Agent 7.1.1 on same machine

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000016555

Applies To:
  • RSA Authentication Agent 7.0.2 for web
  • RSA Authentication Agent 7.0.1 for Windows
  • Windows 2008 server

Issue:
  • Installing RSA Authentication Agent 7.2.1 (LAC) and Web Agent 7.1.1 on same machine
  • Using the RSA Authentication Agent 7.0.2 for web on the same machine as the RSA Authentication Agent 7.0.1 for Windows
  • Installing RSA Agent for web and local authentication client on 2008 server causes "Node verification failure" message in the log

Node verification failure


RSA SecurID agents store a dynamically generated encryption key in a file known as a 'node secret'. 

  • The RSA Authentication Agent 7.0.2 for web creates the node secret as a file called securid in the Windows system32 folder (for example C:\Windows\System32\securid).

  • The RSA Authentication Agent 7.0.1 for Windows creates the node secret in the Common Files location (for example C:\Program Files\Common Files\RSA Shared\Auth Data).

This means that with a default installation, one agent cannot use the node secret created and stored by the other.


This has been identified as a defect and a workaround is provided here. The steps below apply to all newer builds of the agents.




1. Install RSA Authentication Agent 7.0.2 Web on 2008 server.

2. Define the web server as Agent host on Authentication Manager.

3. Perform the authentication test in Security center.

4. Enable SecurID on a web site and restart IIS services.

5. Test the authentication from browser.

6. Install RSA Authentication Agent 7.0.x for Windows.

7. Restart the machine.

8. Edit the registry (Start > Run > regedit). Set the following registry value as shown:

    Key type: (REG_SZ)

    HKLM\SOFTWARE\RSASecurity\RSA Authentication Agent\AuthDataDir = C:\Windows\System32

9. Navigate to the Services panel in Administrative Tools. Restart the RSA Agent service offline local authentication service.

10. Launch RSA Security Center and perform an authentication test on the Windows Agent.

11. If the above works, enable SecurID on a group and log in as a SecurID-challenged user.


Both agents will now work on the same web server, so the desktop and the web sites can both be protected.
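A check that can be run after step 9 to confirm the registry change took effect and to review who can read the shared node secret. This is an added example, not RSA's own tooling; the function name Test-SharedNodeSecret and the list of trusted principals are assumptions, and the script should be run from an elevated PowerShell prompt.

```powershell
# Added example: audit the shared node secret location set in step 8.
# The registry key, value name and 'securid' file name are taken from this article.
$keyPath   = 'HKLM:\SOFTWARE\RSASecurity\RSA Authentication Agent'
$valueName = 'AuthDataDir'
$expected  = 'C:\Windows\System32'

function Test-SharedNodeSecret {   # hypothetical helper name
    param([string]$KeyPath, [string]$ValueName, [string]$Expected)

    $result = [ordered]@{
        KeyPresent = $false; ValueKind = $null; AuthDataDir = $null
        MatchesExpected = $false; NodeSecretPresent = $false; OtherPrincipals = @()
    }

    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) { return [pscustomobject]$result }
    $result.KeyPresent = $true

    if ($key.GetValueNames() -notcontains $ValueName) { return [pscustomobject]$result }
    $result.ValueKind   = $key.GetValueKind($ValueName)   # the article requires REG_SZ ('String')
    $result.AuthDataDir = [string]$key.GetValue($ValueName)
    if (-not $result.AuthDataDir) { return [pscustomobject]$result }

    # Compare case-insensitively and ignore a trailing backslash.
    $result.MatchesExpected = ($result.ValueKind -eq 'String') -and
        ($result.AuthDataDir.TrimEnd('\') -ieq $Expected.TrimEnd('\'))

    $secret = Join-Path $result.AuthDataDir 'securid'
    if (Test-Path -LiteralPath $secret -PathType Leaf) {
        $result.NodeSecretPresent = $true
        # The node secret is key material. List Allow entries for any principal
        # outside this assumed trusted set (English account names) for review.
        $trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
        $result.OtherPrincipals = @((Get-Acl -LiteralPath $secret).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $trusted -notcontains $_.IdentityReference.Value } |
            ForEach-Object { '{0}: {1}' -f $_.IdentityReference.Value, $_.FileSystemRights })
    }
    [pscustomobject]$result
}

Test-SharedNodeSecret -KeyPath $keyPath -ValueName $valueName -Expected $expected | Format-List
```

MatchesExpected should be True and NodeSecretPresent should be True before moving on to step 10; any entries under OtherPrincipals are accounts with access to the node secret file that are worth reviewing.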



Refer to the RSA Authentication Agent 7.1 for Web for IIS 7.0 and 7.5 Installation and Configuration Guide, page 22, for details.

Co-existence of the WebAgent and the Windows Agent
If the WebAgent is installed on a machine that already has the Windows Agent installed on it, and if both the agents are configured to use the same Authentication Manager, the administrator has to perform some configuration steps for the agents to work together.

Follow the guidelines below to complete configuration steps for the agents to work together:

1. As the agent host for Windows Agent has already been registered in the Authentication Manager, the administrator must use the same agent host entry for the WebAgent. For more information on this, see Chapter 2, ?Preparing for

2. If the Windows agent is working successfully with the Authentication Manager, the node secret will already be present in the agent host. The administrator should use the same node secret with the WebAgent. As the node secret format is different for the Windows Agent and the WebAgent, the administrator should first convert the node secret to the WebAgent format using the agent_nsload utility.
The agent_nsload utility is available with the Authentication SDK. To download the Authentication SDK, please go to https://knowledge.rsasecurity.com/scolcms/set.aspx?id=8635. Refer to the documentation available with the SDK kit to find how to use the utility.

The name of the node secret file should be securid. After the node secret is converted, copy it to the Web Agent installation location.
Note: The default location of the node secret is C:\Program Files\RSA Security\RSAWebAgent.
3. Restart the IIS Web Server.

At the time of writing, the command to convert the node secret is:

agent_nsload -c <Existing_Securid_file_path> <New_Securid_dir_path>

Legacy Article ID: a52620