000035798 - Node secret issues in Microsoft Forefront Threat Management Gateway (TMG) 2010/Unified Access Gateway (UAG) and RSA Authentication Agent 7.1 or higher

Document created by RSA Customer Support Employee on Jan 6, 2018Last modified by RSA Customer Support Employee on Jan 9, 2018
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000035798
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Windows
RSA Version/Condition: 7.x
Platform: Microsoft Forefront Threat Management Gateway (TMG) 2010
Platform (Other): Windows Server 2008
  • Microsoft Forefront Threat Management Gateway (TMG) 2010 can only create node secrets in the old format.
  • RSA Authentication Agent for Windows 7 and higher can only create node secrets in the new format.
  • RSA Authentication Agent for Windows 7.0.x can read old node secrets, but RSA Authentication Agent 7.1 and up cannot.

If you use RSA Security Center agent 7.0.2 (or above) for Windows Server 2008 to create a node secret, Microsoft TMG will not be able to use it.  It makes a stronger encrypted version of the node secret, but the TMG can only use a legacy node secret.

The fix is to have Microsoft TMG create the node secret first, and then edit the registry and change the path to the AuthData directory to point to the directory in which Microsoft TMG created it's node secret.
RSA Authentication Agent 7.0.2 can use an older legacy node secret.  However, the agents running 7.1 and above cannot use this workaround as it will not work.

ResolutionPerform the steps below to resolve the issue.
  1. Clear all node secrets.
  2. Perform a test login with sdtest provided by Microsoft TMG to create the legacy version node secret.
  3. Prove TMG logins now work using the new node secret.
  4. Run agent_nsload with the conversion option to upgrade the node secret where newdir is a directory you create just as a location to receive a converted node secret.

    agent_nsload -c <source file> <output directory>

    For example,

    agent_nsload -c c:\windows\system32\securid c:\newdir\

  5. Now copy or move the new converted node secret to the \AuthData directory for the RSA Authentication Agent.  Typically this will be C:\Program Files\Common Files\RSA Shared\Auth Data.
  6. TMG will now use the old node secret format in windows\system32 or <tmg home>\sdconfig and the RSA authentication agent will use the same node secret, but in the new format, in AuthData.
If you are unsure of any of the steps above or experience any issues, contact RSA Customer Support and quote this article number for further assistance.