Manually creating the node secret for RSA Authenticaiton Manager fails on Microsoft Forefront Threat Management Gateway
4 years ago
Originally Published: 2018-12-25
Article Number
000040308
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
This article explains how to configure SecurID authentication on the Microsoft Forefront Threat Management Gateway (TMG) server.

In order for the TMG server to successfully authenticate with Authentication Manager, a node secret must be established between the Authentication Manager server and the TMG server.

Unlike other authentication agents the node secret is not created automatically during first successful authentication between the TMG and the Authentication Manager server.  Because of this it is required that the node secret be created manually on the TMG via command line, but running the command Agent_nsload.exe –f nodesecret.rec –p <password> fails to generate the node secret: 
Loading Node Secret…. 
Error retrieving sdconf.rec 
ERROR! Can’t find file, C:\WINDOWS\System32<garbage characters>
Additionally, if you copy agent_nsload.exe and nodesecret.rec to the <windir>\System32 directory and execute agent_nsload.exe from the <windir>\System32 folder, you may receive the following error: 
Loading Node Secret…. 
Error retrieving sdconf.rec 
ERROR! Cannot determine target filename.
 

You may receive the error message above even when a valid copy of the dconf.rec exists in the <windir>\System32 directory.

Cause
TMG is only supported on Windows 2008. Windows 2008 is a 64-bit (x64) operating system which includes a feature called File System Redirector. When a 32-bit application attempts to install or read/write to/from the <windir>\System32 directly, the file system redirection intercepts the call and it gets redirected to <windir>\sysWOW64.

The AGENT_NSLOAD.exe requires data from the sdconf.rec file to successfully establish the node secret. When run on a 32-bit version of Windows, the Agent_nsload.exe attempts to read the sdconf.rec from <windir>\System32, but when run on an x64 version of Windows, it attempts to read the sdconf.rec from <windir>\sysWOW64. Because it is unable to locate sdconf.rec in the <windir>\sysWOW64 folder, it fails with one of the errors listed above.
Resolution
  1. Copy the following files to the <windir>\sysWOW64 folder:
  • Agent_nsload.exe 
  • nodesecret.rec 
  • sdconf.rec
  1. Execute the following command from the <windir>\sysWOW64 folder:
Agent_nsload.exe –f nodesecret.rec –p <password>
 
  1. The Agent_nsload.exe will then create the node secret file named securid with no file extension the <windir>\sysWOW64 directory.
  2. You can then copy the newly created securid file to the following directories:
  • <windir>\System32, where it will be used with TMG versions of the sdtest.exe utility 
  • <TMG install folder>\sdconfig, for use  by TMG for SecurID authentication.
Notes
Make sure to run Agent_nsload.exe from a command prompt with elevated privileges, even when logged in as an administrtor. (i. e. run as administrator), otherwise the securid file will end up in C:\User<myaccount>AppDataLocalVirtualStoreWindowsSysWOW64.
Don't see what you're looking for?