This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

Unable to integrate two RSA Authentication Agents for Windows on the same server (Node Verification Mismatch)

Article Number

000030947

Applies To

RSA Product Set: SecurID
RSA Product/Service Type:  Authentication Agent for Windows
RSA Version/Condition: 7.2.1
Platform: Microsoft Windows

Issue

Setting up RSA Authentication Agent 7.2.1 for Windows to protect a Microsoft Windows 2012 R2 server hosting a third-party product that sends native SecurID authentications to an Authentication Manager deployment is failing with Node Verification Mismatch messages being displayed in the Real-Time Authentication Activity monitor.

Cause

By default the User Access Control (UAC) is enabled on the Microsoft Windows 2012 R2 server and this is interfering with the copy task of the node secret.

Resolution

Perform the following steps to deactivate UAC on the Microsoft Windows 2012 server and setup the node secrets appropriately for the RSA Authentication Agent for Windows and the third-party product.
  1. Clear all known node secrets for the RSA Authentication Agent for Windows, from the third-party product and from the authentication agent record found in the Security Console of Authentication Manager.
    1. Navigate to Access > Authentication Agents > Manage Existing
    2. Select the Restricted or Unrestricted tab. depending on the agent type.
    3. Use the search fields to find the agent with the node secret that you want to manage.
    4. Click on the context arrow next to the agent name and choose Manage Node Secret.
    5. Select the Clear Node Secret check box.
    6. Click Save.
  2. To clear the node secret from the RSA Authentication Agent for Windows use the RSA Control Center and click Clear Node Secret then follow the prompts.
Image descriptionImage description

If the deployment is using third party authentication devices such as Check Point, Cisco, SonicWALL, etc., please refer to the third-party documentation on how to clear the node secret from the third-party product.

  1. From the Security Console, navigate to Reporting > Real-Time Activity Monitors > Authentication Activity Monitor.
  2. In the popup window, click Start Monitor.
  3. Following steps provided by Microsoft, deactivate User Access Control (UAC) on the Microsoft Windows 2012 server.  

Performing this step will require a system restart.

  1.  Perform a test authentication from the third-party product. 
    1. The node secret (securid) file maybe stored in the C:\Windows\System32 or C:\Windows\SysWOW64 folder. If this is not where the node secret is being stored, refer to the third-party product documentation for information on where the node secret is stored. 
    2. Monitor the real-time authentication activity monitor should a failed authentication occur.
  2. Copy the node secret to C:\Program Files\Common Files\RSA Shared\Auth Data folder, which is where the RSA Authentication Agent for Windows is expecting to see the node secret.
a.  Use the Node Secret Upload utility (agent_nsload.exe) to move the node secret via command prompt.  The syntax would be:
agent_nsload -c "C:\Windows\system32\securid" "C:\Program Files\Common Files\RSA Shared\Auth Data"
Chapter 3: Installing RSA Authentication Agent (page 47) covers the usage of the Node Secret Load utility in the RSA Authentication Agent 7.2 Installation and Administration Guide.

b.  It is common that applications running on Windows 2012 to be 64-bit so copy the node secret from \SysWOW64 to \Auth Data directory where applicable with the command:
agent_nsload -c "C:\Windows\SysWOW64\securid" "C:\Program Files\Common Files\RSA Shared\Auth Data"
  1. Use the RSA Control Center of the RSA Authentication Agent for Windows to perform a test authentication and monitor the real-time authentication activity monitor should a failed authentication occur.
  2. Should there be a requirement to have UAC enabled on the Microsoft Windows 2012 server, then reverse the changes made in Step 5.

Notes

The am-extras-8.1.0.0.0.zip file (found on Download Central where RSA Authentication Manager 8.1 software is obtainable) provides agent_nsload.exe in the Node Secret Utility folder.

Also, the RSA Authentication Agent 7.2.1 for Windows software provides the Node Secret Upload utility (agent_nsload.exe) file. 
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 06:53 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.