This article explains how to configure SecurID authentication on the Microsoft Forefront Threat Management Gateway (TMG) server.
In order for the TMG server to successfully authenticate with Authentication Manager, a node secret must be established between the Authentication Manager server and the TMG server.
Unlike other authentication agents the node secret is not created automatically during first successful authentication between the TMG and the Authentication Manager server. Because of this it is required that the node secret be created manually on the TMG via command line, but running the command Agent_nsload.exe –f nodesecret.rec –p <password>fails to generate the node secret:
You may receive the error message above even when a valid copy of the dconf.rec exists in the <windir>\System32 directory.
TMG is only supported on Windows 2008. Windows 2008 is a 64-bit (x64) operating system which includes a feature called File System Redirector. When a 32-bit application attempts to install or read/write to/from the <windir>\System32 directly, the file system redirection intercepts the call and it gets redirected to <windir>\sysWOW64.
The AGENT_NSLOAD.exe requires data from the sdconf.rec file to successfully establish the node secret. When run on a 32-bit version of Windows, the Agent_nsload.exe attempts to read the sdconf.rec from <windir>\System32, but when run on an x64 version of Windows, it attempts to read the sdconf.rec from <windir>\sysWOW64. Because it is unable to locate sdconf.rec in the <windir>\sysWOW64 folder, it fails with one of the errors listed above.
Copy the following files to the <windir>\sysWOW64 folder:
Execute the following command from the <windir>\sysWOW64 folder:
Agent_nsload.exe –f nodesecret.rec –p <password>
The Agent_nsload.exe will then create the node secret file named securid with no file extension the <windir>\sysWOW64 directory.
You can then copy the newly created securid file to the following directories:
<windir>\System32, where it will be used with TMG versions of the sdtest.exe utility
<TMG install folder>\sdconfig, for use by TMG for SecurID authentication.
Make sure to run Agent_nsload.exe from a command prompt with elevated privileges, even when logged in as an administrtor. (i. e. run as administrator), otherwise the securid file will end up in C:\User<myaccount>AppDataLocalVirtualStoreWindowsSysWOW64.