• Microsoft Forefront Threat Management Gateway (TMG) 2010 can only create node secrets in the old format.
• RSA Authentication Agent for Windows 7 and higher can only create node secrets in the new format.
• RSA Authentication Agent for Windows 7.0.x can read old node secrets, but RSA Authentication Agent 7.1 and up cannot.

If you use RSA Security Center agent 7.0.2 (or above) for Windows Server 2008 to create a node secret, Microsoft TMG will not be able to use it.  It makes a stronger encrypted version of the node secret, but the TMG can only use a legacy node secret.

The fix is to have Microsoft TMG create the node secret first, and then edit the registry and change the path to the AuthData directory to point to the directory in which Microsoft TMG created it's node secret.

RSA Authentication Agent 7.0.2 can use an older legacy node secret.  However, the agents running 7.1 and above cannot use this workaround as it will not work.

1. Clear all node secrets.
2. Perform a test login with sdtest provided by Microsoft TMG to create the legacy version node secret.
3. Prove TMG logins now work using the new node secret.
4. Run agent_nsload with the conversion option to upgrade the node secret where newdir is a directory you create just as a location to receive a converted node secret.

   agent_nsload -c <source file> <output directory>

    
   For example,

   agent_nsload -c c:\windows\system32\securid c:\newdir\

    
5. Now copy or move the new converted node secret to the \AuthData directory for the RSA Authentication Agent.  Typically this will be C:\Program Files\Common Files\RSA Shared\Auth Data.
6. TMG will now use the old node secret format in windows\system32 or <tmg home>\sdconfig and the RSA authentication agent will use the same node secret, but in the new format, in AuthData.