000025464 - How to remove RSA ACE/Server node secret when RADIUS is in use and no RSA ACE/Agent is installed

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000025464
Applies ToRSA ACE/Server 5.2
RSA ACE/Server 5.1 (no longer supported as of 7-14-2006)
Microsoft Windows 2000
Microsoft Windows 2000 Advanced Server SP4
IssueHow to remove RSA ACE/Server node secret when RADIUS is in use and no RSA ACE/Agent is installed
Error: "Node verification failed"

A "node secret" is a a system generated encryption key used to encrypt client/server traffic.  When an RADIUS ACE/Server option has been enabled and used, the node secret is generated and stored by the system since it functions as an ACE/Agent as well as being the server. When a node secret is generated then stored as a registry key. 


If an agent has also been installed on the same machine, the ACE/Agent control panel applet can be used to clear the node secret (if required); however, if no ACE/Agent has been installed, there is no apparent process to delete the node secret (other than using regedit).


A small utility is available from RSA Customer Support that can be used to delete a node secret. To obtain it, contact RSA Customer Support and refer the engineer to this knowledgebase article. The utility is a simple executable called Node_Secret.exe. When run, a dialog box appears with the question "Do you want to clear the node secret". If you click "Yes", the node secret is deleted from the registry and a success message is displayed. If you click "No", a message appears reminding you that you can do it at a later date.


This utility requires three Microsoft DLLs, these are also supplied with the utility, these are MFC42D.DLL, MFCO42D.DLL and MSVCRT.DLL.


Another option is to install an ACE/Agent on the same machine. This will enable you to remove the node secret and will assist in any troubleshooting if needed.


NOTE:  This utility is designed for, and has only been tested on, Microsoft Windows 2000.

You may use standard Microsoft tools to delete the entire key which is HKEY_LOCAL_MACHINE\SOFTWARE\ACECLIENT\NodeSecret .  Do not simply delete the value, delete the actual named key "NodeSecret"


On Windows 2003 you may use the Microsoft REG.EXE command line functionality to allow for complete manual administration, for example:


To save the current value to a backup file in case a rollback is required:


                    reg save HKLM\SOFTWARE\SDTI\ACECLIENT nodescret.rec


To delete the value


                    reg delete HKLM\SOFTWARE\SDTI\ACECLIENT /v NodeSecret


To restore the saved copy because (due to other factors) the original value needs to be restored)


                   reg restore HKLM\SOFTWARE\SDTI\ACECLIENT nodescret.rec

Legacy Article IDa20410