This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

Node secret issues in ​Microsoft Forefront Threat Management Gateway (TMG) 2010/Unified Access Gateway (UAG) and RSA Authentication Agent 7.1 or higher

Article Number

000035798

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Windows
RSA Version/Condition: 7.x
Platform: Microsoft Forefront Threat Management Gateway (TMG) 2010
Platform (Other): Windows Server 2008

 

Issue

  • Microsoft Forefront Threat Management Gateway (TMG) 2010 can only create node secrets in the old format.
  • RSA Authentication Agent for Windows 7 and higher can only create node secrets in the new format.
  • RSA Authentication Agent for Windows 7.0.x can read old node secrets, but RSA Authentication Agent 7.1 and up cannot.

If you use RSA Security Center agent 7.0.2 (or above) for Windows Server 2008 to create a node secret, Microsoft TMG will not be able to use it.  It makes a stronger encrypted version of the node secret, but the TMG can only use a legacy node secret.

The fix is to have Microsoft TMG create the node secret first, and then edit the registry and change the path to the AuthData directory to point to the directory in which Microsoft TMG created it's node secret.

RSA Authentication Agent 7.0.2 can use an older legacy node secret.  However, the agents running 7.1 and above cannot use this workaround as it will not work.

Resolution

Perform the steps below to resolve the issue.
  1. Clear all node secrets.
  2. Perform a test login with sdtest provided by Microsoft TMG to create the legacy version node secret.
  3. Prove TMG logins now work using the new node secret.
  4. Run agent_nsload with the conversion option to upgrade the node secret where newdir is a directory you create just as a location to receive a converted node secret. 
    
agent_nsload -c <source file> <output directory>
     
    For example, 
    
agent_nsload -c c:\windows\system32\securid c:\newdir\
     
  5. Now copy or move the new converted node secret to the \AuthData directory for the RSA Authentication Agent.  Typically this will be C:\Program Files\Common Files\RSA Shared\Auth Data.
  6. TMG will now use the old node secret format in windows\system32 or <tmg home>\sdconfig and the RSA authentication agent will use the same node secret, but in the new format, in AuthData.

If you are unsure of any of the steps above or experience any issues, contact RSA Customer Support and quote this article number for further assistance.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2021-04-23 01:39 PM
Updated by:
Administrator Administrator

Related Content

© 2022 RSA Security LLC or its affiliates. All rights reserved.