This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

Manually creating the node secret for RSA Authenticaiton Manager fails on Microsoft Forefront Threat Management Gateway

Article Number

000037055

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x

Issue

This article explains how to configure SecurID authentication on the Microsoft Forefront Threat Management Gateway (TMG) server.

In order for the TMG server to successfully authenticate with Authentication Manager, a node secret must be established between the Authentication Manager server and the TMG server.

Unlike other authentication agents the node secret is not created automatically during first successful authentication between the TMG and the Authentication Manager server.  Because of this it is required that the node secret be created manually on the TMG via command line, but running the command Agent_nsload.exe –f nodesecret.rec –p <password> fails to generate the node secret: 
Loading Node Secret…. 
Error retrieving sdconf.rec 
ERROR! Can’t find file, C:\WINDOWS\System32<garbage characters>
Additionally, if you copy agent_nsload.exe and nodesecret.rec to the <windir>\System32 directory and execute agent_nsload.exe from the <windir>\System32 folder, you may receive the following error: 
Loading Node Secret…. 
Error retrieving sdconf.rec 
ERROR! Cannot determine target filename.
 

You may receive the error message above even when a valid copy of the dconf.rec exists in the <windir>\System32 directory.

Cause

TMG is only supported on Windows 2008. Windows 2008 is a 64-bit (x64) operating system which includes a feature called File System Redirector. When a 32-bit application attempts to install or read/write to/from the <windir>\System32 directly, the file system redirection intercepts the call and it gets redirected to <windir>\sysWOW64.

The AGENT_NSLOAD.exe requires data from the sdconf.rec file to successfully establish the node secret. When run on a 32-bit version of Windows, the Agent_nsload.exe attempts to read the sdconf.rec from <windir>\System32, but when run on an x64 version of Windows, it attempts to read the sdconf.rec from <windir>\sysWOW64. Because it is unable to locate sdconf.rec in the <windir>\sysWOW64 folder, it fails with one of the errors listed above.

Resolution

  1. Copy the following files to the <windir>\sysWOW64 folder:
  • Agent_nsload.exe 
  • nodesecret.rec 
  • sdconf.rec
  1. Execute the following command from the <windir>\sysWOW64 folder:
Agent_nsload.exe –f nodesecret.rec –p <password>
 
  1. The Agent_nsload.exe will then create the node secret file named securid with no file extension the <windir>\sysWOW64 directory.
  2. You can then copy the newly created securid file to the following directories:
  • <windir>\System32, where it will be used with TMG versions of the sdtest.exe utility 
  • <TMG install folder>\sdconfig, for use  by TMG for SecurID authentication.

Notes

Make sure to run Agent_nsload.exe from a command prompt with elevated privileges, even when logged in as an administrtor. (i. e. run as administrator), otherwise the securid file will end up in C:\User<myaccount>AppDataLocalVirtualStoreWindowsSysWOW64.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 06:43 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.