Walk-through for RSA SecurID Authentication for ISA Server 2006 Part 1: RSA Authentication Manager Server Configuration

Note: Many of the steps outlining the configuration of the RSA Authentication Manager software are not directly supported by Microsoft. They should be used as a guideline to help familiarize and guide you in this configuration. For additional assistance in directly configuring the RSA Authentication Manager Software, please review your RSA SecurID documentation.

• Creating Users and Agent Hosts

• Import Tokens from Seeds files

The seed can be an *.asc or *.xml file and is typically supplied with the token<s>. The seed is the tokens’ factory encoded random key. Each token has a unique key (seed). The seed file is imported into the associated RSA Authentication Manager server.

• Add users and assign a Token to each user

User accounts information is added to the RSA Authentication Manager. These accounts can be AD accounts or manually created. Each account created is assigned a Token.

• Synchronize the Token

Each Token has a built-in clock that must be in sync with the RSA Authentication Managers’ clock. If the Tokens’ clock is out of sync, authentication will fail. It is typically a good idea to synchronize the Token after assigning it to a user.

• Create Agent Hosts

Agent Hosts are servers or devices that directly authenticate against the RSA Authentication Manager. In this case, the Agent Host is the ISA server <s>. You should create a unique Agent Host for each ISA server in the array.

• Use the resolvable FQDN for the Agent Host

When creating the Agent Host entry, make sure to use the Fully Qualified Domain Name of the ISA server. Also make sure that the RSA Authentication Manager server can correctly resolve this FQDN to the correct internal IP address of the ISA server <s>.

• Select “Net OS Agent” as the Agent Type


• For each Agent Host, activate each user

For any Agent Host to successfully authenticate a user, that users account must be Activated on that Agent Host. Therefore, if you have three ISA servers in your array (i.e. three Agent Hosts created), you should Activate each potential user on all three Agent Hosts.


• Create Configuration Files and Node Secrets

• Create SDCONF.REC file for each Agent Host (each ISA Array Member)

The SDCONF.REC can be generated separately for each Agent Host. Or a single SDCONF.REC can be generated for all Agent Hosts. The SDCONF.REC contains RSA Authentication Manager configuration information. This includes ports, processes, etc., essential to the authentication service.

• Copy each SDCONF.REC file from the RSA Authentication Manager to its matching Agent Host computer (i.e. ISA Array Member). Copy to …\system32 and ..\Microsoft ISA Server\sdconfig.

• Create the Node Secrets. The Node Secret is used to authenticate the Agent Host machine with the RSA Authentication Manager server. You need to create a separate Node Secret for each Agent Host. (Note: There are two separate options available)

1. On the RSA Authentication Manager Server

• Manually create a node secret for each Agent Host. Manually creating a Node Secret on the RSA server creates a file call NODESECRET.REC.

• Copy each NODESECRET.REC to the matching Agent Host machine (i.e. ISA Server) (Note: location you copy to is not important)

• Copy AGENT_NSLOAD.EXE from the RSA Server to each ISA Array Member (Note: location you copy to is not important)

2. On the ISA Array Members

• Automatically create Node Secrets using SDTEST.EXE on the ISA Array Members (details to follow)

Richard Barker

Security Support Engineer