Node secret issues in Microsoft Forefront Threat Management Gateway (TMG) 2010/Unified Access Gateway (UAG) and RSA Authentication Agent 7.1 or higher
RSA Product Set: SecurID RSA Product/Service Type: Authentication Agent for Windows RSA Version/Condition: 7.x Platform: Microsoft Forefront Threat Management Gateway (TMG) 2010 Platform (Other): Windows Server 2008
Microsoft Forefront Threat Management Gateway (TMG) 2010 can only create node secrets in the old format.
RSA Authentication Agent for Windows 7 and higher can only create node secrets in the new format.
RSA Authentication Agent for Windows 7.0.x can read old node secrets, but RSA Authentication Agent 7.1 and up cannot.
If you use RSA Security Center agent 7.0.2 (or above) for Windows Server 2008 to create a node secret, Microsoft TMG will not be able to use it. It makes a stronger encrypted version of the node secret, but the TMG can only use a legacy node secret.
The fix is to have Microsoft TMG create the node secret first, and then edit the registry and change the path to the AuthData directory to point to the directory in which Microsoft TMG created it's node secret.
RSA Authentication Agent 7.0.2 can use an older legacy node secret. However, the agents running 7.1 and above cannot use this workaround as it will not work.
Perform the steps below to resolve the issue.
Clear all node secrets.
Perform a test login with sdtest provided by Microsoft TMG to create the legacy version node secret.
Prove TMG logins now work using the new node secret.
Run agent_nsload with the conversion option to upgrade the node secret where newdir is a directory you create just as a location to receive a converted node secret.