Manually creating the node secret for RSA Authentication Manager fails on Microsoft Forefront Threat Management Gateway
Originally Published: 2018-12-25
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
In order for the TMG server to successfully authenticate with Authentication Manager, a node secret must be established between the Authentication Manager server and the TMG server.
Unlike other authentication agents, the node secret is not created automatically during the first successful authentication between the TMG and the Authentication Manager server. The node secret must therefore be created manually on the TMG from the command line, but running the command Agent_nsload.exe -f nodesecret.rec -p <password> fails to generate it:
Loading Node Secret….
Error retrieving sdconf.rec
ERROR! Can’t find file, C:\WINDOWS\System32<garbage characters>
Additionally, if you copy agent_nsload.exe and nodesecret.rec to the <windir>\System32 directory and execute agent_nsload.exe from the <windir>\System32 folder, you may receive the following error:
Loading Node Secret….
Error retrieving sdconf.rec
ERROR! Cannot determine target filename.
You may receive the error message above even when a valid copy of sdconf.rec exists in the <windir>\System32 directory.
Cause
Agent_nsload.exe needs the data in sdconf.rec to establish the node secret. On a 32-bit version of Windows it reads sdconf.rec from <windir>\System32, but on a 64-bit version of Windows it reads sdconf.rec from <windir>\SysWOW64 (the directory Windows substitutes for System32 when a 32-bit process accesses it). Because sdconf.rec is not present in the <windir>\SysWOW64 folder, the tool fails with one of the errors listed above.
Resolution
- Copy the following files to the <windir>\SysWOW64 folder:
  - Agent_nsload.exe
  - nodesecret.rec
  - sdconf.rec
- Execute the following command from the <windir>\SysWOW64 folder:
  Agent_nsload.exe -f nodesecret.rec -p <password>
- Agent_nsload.exe will then create the node secret file, named securid with no file extension, in the <windir>\SysWOW64 directory.
- You can then copy the newly created securid file to the following directories:
  - <windir>\System32, where it will be used by TMG versions of the sdtest.exe utility
  - <TMG install folder>\sdconfig, for use by TMG for SecurID authentication.
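The steps above carried out as one script. This is an added example, not part of the RSA article or the RSA agent software; it assumes the three files have been staged in a folder of your choosing ($Staging) and that TMG is installed at $TmgRoot, both of which are placeholders to adjust. It picks the SysWOW64 folder only on a 64-bit OS, verifies sdconf.rec is present before running Agent_nsload.exe, confirms the securid file was actually produced before copying it, and prompts for the password so it does not sit in the shell history.

```powershell
# Added example (not from the RSA article): automate the node secret creation on a TMG server.
# Run from an elevated PowerShell prompt on the TMG server.
param(
    # Assumed staging folder holding Agent_nsload.exe, nodesecret.rec and sdconf.rec (placeholder).
    [string]$Staging = 'C:\Temp\RSAAgent',
    # Assumed TMG install folder (placeholder); the article only calls it <TMG install folder>.
    [string]$TmgRoot = 'C:\Program Files\Microsoft Forefront Threat Management Gateway'
)

$ErrorActionPreference = 'Stop'

$sys32 = Join-Path $env:windir 'System32'
$wow64 = Join-Path $env:windir 'SysWOW64'

# On 64-bit Windows Agent_nsload.exe reads from SysWOW64; on 32-bit Windows from System32.
$target = if ([Environment]::Is64BitOperatingSystem) { $wow64 } else { $sys32 }

# Stage all three files in the folder the tool will actually read from.
foreach ($name in 'Agent_nsload.exe', 'nodesecret.rec', 'sdconf.rec') {
    $src = Join-Path $Staging $name
    if (-not (Test-Path $src)) { throw "Required file not found: $src" }
    Copy-Item -Path $src -Destination $target -Force
}

# Prompt for the password rather than passing it on the command line typed by hand.
$secure = Read-Host -Prompt 'Node secret password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Run the tool from the folder it expects, exactly as the article's command line does.
Push-Location $target
try {
    & .\Agent_nsload.exe -f nodesecret.rec -p $plain
} finally {
    Pop-Location
    $plain = $null
}

# The tool writes a file named "securid" (no extension) next to itself; fail loudly if it did not.
$securid = Join-Path $target 'securid'
if (-not (Test-Path $securid)) { throw "Node secret file was not created at $securid" }

# Distribute the node secret to the two locations TMG and sdtest.exe use.
Copy-Item -Path $securid -Destination $sys32 -Force
Copy-Item -Path $securid -Destination (Join-Path $TmgRoot 'sdconfig') -Force

# nodesecret.rec is a one-time secret-bearing file; remove the copies once it has been loaded.
Remove-Item -Path (Join-Path $target 'nodesecret.rec'), (Join-Path $Staging 'nodesecret.rec') -Force
Write-Host "Node secret loaded and copied to $sys32 and $(Join-Path $TmgRoot 'sdconfig')."
```

The existence check on the securid file is the meaningful success test here: Agent_nsload.exe reports its failures on the console, so rather than assuming an exit code convention the script treats a missing output file as a failure and stops before anything is copied into the TMG configuration folder.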