RSA issue in UAG

  • Question

  • Hello All,

We are getting the error 'Authentication failed' in UAG if we try to authenticate against RSA 7.0. On the backend we can see a 'node verification' error on RSA.

    What we have done so far is:

    1) Copied sdconfig.rec and nodeconfig.rec into the System32 and SysWOW64 folders on UAG.

    2) Created the file called 'secureid' by using agent_load.exe and put it in TMG under C:\Program files\Microsoft Forefront Threat Management Gateway\sdconfig\ and also copied it to C:\windows\sysWOW64

    3) Changed the registry entry HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\ACECLIENT\PrimaryInterfaceIP\<IP of Internal Interface>

    4) Checked from the RSA security centre installed on UAG and we get authentication successful.

    But it does not work from the portal. We get the 'Authentication failed' error on the portal. We can see a 'node verification failed' error on the backend RSA server. We generated the node secret file twice but no help.

    Is there anything else I should do? Please suggest.

    Rgds

    Ashu


    Monday, March 14, 2011 7:57 PM

Answers

  • We had to delete the 'secureid' file out of windows\system32; this will get recreated when the first authentication takes place. I believe this is the node secret.

    • Marked as answer by Erez Benari Thursday, May 5, 2011 4:50 PM
    Tuesday, March 29, 2011 10:52 AM

All replies

  • We had a few random issues like that setting up RSA 7.1.

    This is how we did it:

Removed the RSA Authentication Server from UAG.

    Remove all files associated with the node config and node secret: sdconfig.rec, sdconfig.rec. These may be hidden and should be in the C:\Windows\System32 folder, not the SysWOW folder. Get rid of them wherever they are.

    Restart the UAG server.

    Remove the agent on the RSA box.

    Add the agent on the RSA box.

    Generate the node configuration file (sdconfig.rec). Copy it to the C:\Windows\System32 folder.

    Add the RSA box as an authentication server in UAG (this re-opens the SecurID ports in TMG). You will get an error creating it; just ignore it. Be sure to add the RSA as an authentication type to an app or portal, otherwise TMG won't open the ports.

    Download the TMG SDK tool SDTestPack.exe

    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=8809CFDA-2EE1-4E67-B993-6F9A20E08607

    Install it on the UAG box.

    Open the RSA Realtime Auth Logging and run the sdtest tool with your test user on UAG.

    You should see the node secret request happen. The auth may fail the first time, but as long as the secret gets negotiated properly it should work the next time you try.

    Now try it through the portal.

    JT


    Monday, March 14, 2011 11:02 PM
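    As an added diagnostic (not code from the thread or from Microsoft/RSA), the PowerShell below inventories the node-config/node-secret files and the registry value the replies refer to, so an admin can confirm what the cleanup left behind before re-registering the agent. It assumes the file and folder names as posted in the thread (both 'securid' and 'secureid' spellings are checked) and that PrimaryInterfaceIP is a string value under HKLM\SOFTWARE\SDTI\ACECLIENT rather than a subkey.

    ```powershell
    # Added diagnostic, not from the thread. Lists the RSA agent artifacts named in the
    # replies and checks the PrimaryInterfaceIP registry value against local IPv4 addresses.
    # Assumptions: file/folder names come from the posts; PrimaryInterfaceIP is assumed to be
    # a REG_SZ value under the ACECLIENT key. Both file-name spellings seen in the thread are checked.
    $tmgSdconfig = 'C:\Program Files\Microsoft Forefront Threat Management Gateway\sdconfig'
    $folders     = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", $tmgSdconfig)
    $artifacts   = @('sdconfig.rec', 'nodeconfig.rec', 'securid', 'secureid')

    function Get-RsaAgentArtifacts {
        foreach ($dir in $folders) {
            foreach ($name in $artifacts) {
                $path = Join-Path $dir $name
                # -Force so hidden files are found too (JT notes the files may be hidden)
                $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
                $hidden = $null; $written = $null
                if ($item) {
                    $hidden  = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
                    $written = $item.LastWriteTime
                }
                New-Object PSObject -Property @{
                    Path = $path; Present = [bool]$item; Hidden = $hidden; LastWrite = $written
                }
            }
        }
    }

    function Test-PrimaryInterfaceIp {
        $key   = 'HKLM:\SOFTWARE\SDTI\ACECLIENT'
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $value = if ($props) { $props.PrimaryInterfaceIP } else { $null }
        # Local IPv4 addresses via WMI, which also works on the older PowerShell shipped with UAG hosts
        $local = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
                 ForEach-Object { $_.IPAddress } | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }
        New-Object PSObject -Property @{
            PrimaryInterfaceIP = $value
            MatchesLocalIP     = ($value -ne $null -and $local -contains $value)
            LocalIPv4          = ($local -join ', ')
        }
    }

    # Show every expected location, present or not, so leftovers in the wrong folder stand out
    Get-RsaAgentArtifacts | Format-Table Path, Present, Hidden, LastWrite -AutoSize
    Test-PrimaryInterfaceIp | Format-List
    ```

    A secret file that is still present in SysWOW64, or a PrimaryInterfaceIP that matches no local address, points at the same mismatch the replies describe.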
  • We are having the same issue here. Tried the steps from JT_DPS. Still can't authenticate from the portal. Works fine using the RSA Security Center.

    Any other suggestions are greatly appreciated.

    We are running UAG w/ SP1, RSA Agent 7.0.2, RSA server 7.1.

    The authentication used to work with RSA server 6.0.2.

    Update: rebooting the server fixed my issue.
    Tuesday, March 22, 2011 4:21 PM
  • Try unchecking node secret on the RSA server and also clear the node secret on the RSA agent, and then test the auth from the RSA tool.
    Wednesday, March 23, 2011 3:39 PM
  • I had the same issue getting RSA to work on a new UAG SP1 appliance.  I had used the sdtest utility and authentication was testing fine but I hadn't deleted the secureid file from system32.  I deleted it, re-ran the test util and now works a treat.  Thanks for the info.
    Thursday, July 7, 2011 8:56 AM
  • I am having this same issue. I had our guy who admins the RSA server uncheck the node secret box and then I ran the sdtest util and it passed. I can't get anything from there. The sdtest util will fail after the first try and the UAG login won't work either. One thing I noticed is that the node secret check box returns on the RSA server after running the first successful test. Anyone have any ideas?
    Friday, August 12, 2011 11:39 PM