Walk-through for RSA SecurID Authentication for TMG 2010 Part 2: TMG Array Members Preparation


Disclaimer: Many of the steps outlining the configuration of the RSA Authentication Manager v 7.1 software are not directly supported by Microsoft. They should be used as a guideline to help familiarize and guide you in this configuration. For additional assistance in directly configuring the RSA Authentication Manager Software, please review your RSA SecurID documentation.

System Policy Rule and Registry Values

• Enable the SecurID System policy rule on each ISA Array Member


• Add the following String Value registry entry on each TMG Array Member (and then restart the Firewall service):



Where the string value of PrimaryInterfaceIP is the IP address assigned to the interface that communicates with the RSA Server.

Create Node Secret on each TMG array member

The “node secret” is a shared secret between the RSA Authentication Manager and each Authentication Agent (i.e. TMG array members). A distinct node secret is required for each Authentication Agent. A node secret for each Authentication Agent can be manually generated on the RSA Authentication Manager…or it can be automatically created during the first successful authentication from the Authentication Agent.

1. If you manually created the node secret on the RSA Server and then copied NODESECRET.REC (and AGENT_NSLOAD.EXE) to the respective TMG Array member <s>…


        Manually create the node secret

• On each TMG server, run the following from a command prompt:

AGENT_NSLOAD.EXE –f NODESECRET.REC –p <node secret password>

This creates the Node Secret file (SECURID) in the <windir>\system32 folder.

On a default install of RSA Authentication Manager 7.1, AGENT_NSLOAD.EXE can be found in the following folder:

…\RSA Security\RSA\Authentication Manager\utils\bin\ace-nsload\win32-5.0-x86

IMPORTANT NOTE: see the following blog describing an issue when running the 32-bit version of AGENT_NSLOAD.EXE on 64-bit Windows:

Manually creating the SecurID Node Secret fails on Forefront TMG


• Copy SECURID from …\system32 to …\Microsoft TMG Server\sdconfig.

The AGENT_NSLOAD.EXE creates the node secret file (SECURID) in the <windir>\system32 folder as most Authentication Agents expect the file to be located there. Additionally, the SDTEST.EXE utility also creates, and expects to find, the node secret file in <windir>\system32. However, TMG has a unique folder location for this file. That is …\Microsoft TMG Server\sdconfig. This also holds true for the Configuration File (SDCONF.REC) discussed in Part 1 of this series. This is why it is useful to maintain both the node secret and the configuration file in both of these locations.

SDTEST.EXE uses node secret and config file in <windir>\system32

TMG 2010 uses node secret and config file in …\Microsoft TMG Server\sdconfig


2. If you did not previously create the Node Secrets on the RSA Server, you can manually create the Node Secrets on each TMG Array member by using the SDTEST.EXE utility. This method assumes that there is currently no node secret file (SECURID) located in <windir>\system32…and you DO have a valid Configuration File (SDCONF.REC) located in <windir>\system32.

• On each TMG Server, run the SDTEST.EXE utility. This utility allows you test user authentication from an Authentication Agent to the RSA Authentication Manager Server. Upon a successful user authentication, the Node Secret file (SECURID) will be created in the <windir>\system32 folder.


     SDTEST RSA SecurID authentication utility

• Copy SECURID from <windir>\system32 to …\Microsoft ISA Server\sdconfig


Additional Notes on using the SDTEST.EXE utility…

• The SDTEST Authentication Utility is used to verify that a computer running TMG Server can successfully authenticate, using valid credentials, to the RSA Authentication Manager. Again, note that SDTEST.EXE requires the SDCONF.REC configuration file to be located in the <win32>\system32 folder to run and test authentication successfully.

• You may need to run SDTEST.EXE as Administrator if your logged in account does not have the proper permissions to write SECURID to the system32 folder.

• If this is the first time authenticating to the RSA server with this user, you may be prompted to create a PIN. If so, enter a new PIN number. When a new PIN is created, the RSA authentication Passcode for this user will now be:

<PIN><passcode displayed on the token>

• The SDTEST.EXE tool (RSA Test Authentication Utility) is available in the TMG 2010 Tools & Software Development Kit available here:


On the above page, download SdTestPack.exe which contains the utility.



Richard Barker - Sr Security Support Escalation Engineer, Microsoft CSS Forefront Security Edge Team