Configuring SecurID authentication on RSA Authentication Manager

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

RSA SecurID is based on technology from RSA Security Inc.

Forefront TMG can use SecurID to authenticate clients for access to remote virtual private networks (VPNs) and to internal corporate Web servers published through Forefront TMG. To gain access to protected resources, SecurID requires clients to provide their personal identification number (PIN) and a physical token that produces a time-limited one-time password. Both the PIN and the token-generated one-time password are required in order to gain access.

Setting up a SecurID authentication server for Forefront TMG consists of the following steps:

  1. After installing RSA Authentication Manager in accordance with the RSA documentation, create an agent host record to configure the RSA Authentication Manager to accept connections from Forefront TMG for user authentication.

  2. Verify permissions and network adapter settings.

  3. Verify the connection to the RSA Authentication Manager.

  4. Configure SecurID properties.

The following procedures describe how to:

  • Create an agent host record.

  • Verify permissions and adapter settings.

  • Verify the connection.

To create an agent host record

  1. On the computer running RSA Authentication Manager, click Start, and then click RSA Authentication Manager Host Mode.

  2. On the Agent Host menu, click Add Agent Host.

  3. In the Name box, type the name of the computer running Forefront TMG. The name must resolve to an IP address on the local RSA Authentication Manager network.

  4. If required, in the Network address box, type the IP address of the computer running Forefront TMG.

  5. In the Agent type list, click Net OS Agent.

  6. If you want all users to be able to authenticate, select Open to All Locally Known Users.

  7. In Agent Host, click Generate Configuration Files. Click One Agent Host, click OK, double-click the name of the computer running Forefront TMG, and then save the Sdconf.rec file to the %windir%\system32 folder on the computer running Forefront TMG.

    Note

    By default, the Sdconf.rec file is located in the ACE\Data folder on the RSA Authentication Manager computer.

To verify permissions and adapter settings

  1. On the computer running Forefront TMG, check that the local Network Service account has read/write access for the following registry key:
    HKLM\Software\SDTI\ACECLIENT
    This ensures that Forefront TMG is able to write the secret to the registry.

  2. On the computer running Forefront TMG, grant the Network Service account read permission on the Sdconf.rec file.

  3. If the computer running Forefront TMG has multiple network adapters, explicitly configure the address of the adapter through which Forefront TMG connects to the RSA Authentication Manager for authentication. To do this, specify that IP address as a string value at the following registry location:
    HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\AceClient\PrimaryInterfaceIP
    The value specified must match that set in the agent host record.
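
The following Windows PowerShell script is an added example, not part of this documentation; it audits the three settings in the procedure above on the computer running Forefront TMG. It assumes the configuration file was saved as sdconf.rec in %windir%\system32 (step 7 of the agent host procedure) and identifies the Network Service account by its well-known SID rather than its display name.

```powershell
# Added audit script, not from the original article. Checks NETWORK SERVICE access to the
# ACECLIENT key and to sdconf.rec, and PrimaryInterfaceIP on a multi-homed host.
$NetworkServiceSid = 'S-1-5-20'                        # well-known SID of NT AUTHORITY\NETWORK SERVICE
$AceClientKey      = 'HKLM:\SOFTWARE\SDTI\ACECLIENT'   # registry key names are case-insensitive
$SdconfPath        = Join-Path $env:windir 'system32\sdconf.rec'   # assumed location (step 7 above)

# Accumulates the Allow rights granted to NETWORK SERVICE in $Acl and returns $true
# when every bit of $Required is covered, so FullControl also passes.
function Test-NetworkServiceRights($Acl, [int]$Required) {
    $granted = 0
    foreach ($rule in $Acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        try { $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if ($sid -ne $NetworkServiceSid) { continue }
        if ($rule -is [System.Security.AccessControl.RegistryAccessRule]) {
            $granted = $granted -bor [int]$rule.RegistryRights
        } else {
            $granted = $granted -bor [int]$rule.FileSystemRights
        }
    }
    return (($granted -band $Required) -eq $Required)
}
# 1. Registry key: read and write, so that Forefront TMG can store the secret.
$keyRights = [int]([System.Security.AccessControl.RegistryRights]::ReadKey -bor [System.Security.AccessControl.RegistryRights]::WriteKey)
if (Test-Path $AceClientKey) {
    "ACECLIENT key read/write for NETWORK SERVICE: $(Test-NetworkServiceRights (Get-Acl $AceClientKey) $keyRights)"
} else { "ACECLIENT key not found: $AceClientKey" }

# 2. sdconf.rec: read access.
$fileRights = [int][System.Security.AccessControl.FileSystemRights]::Read
if (Test-Path $SdconfPath) {
    "sdconf.rec readable by NETWORK SERVICE: $(Test-NetworkServiceRights (Get-Acl $SdconfPath) $fileRights)"
} else { "sdconf.rec not found: $SdconfPath" }

# 3. Multi-homed host: PrimaryInterfaceIP must be set and must be a local IPv4 address.
$localIPv4 = [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
    Where-Object { $_.OperationalStatus -eq 'Up' -and $_.NetworkInterfaceType -ne 'Loopback' } |
    ForEach-Object { $_.GetIPProperties().UnicastAddresses } |
    Where-Object { $_.Address.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.Address.ToString() }
$primary = (Get-ItemProperty $AceClientKey -Name PrimaryInterfaceIP -ErrorAction SilentlyContinue).PrimaryInterfaceIP
if (@($localIPv4).Count -le 1) {
    "Single adapter ($localIPv4); PrimaryInterfaceIP is not required"
} elseif (-not $primary) {
    "Multiple adapters but PrimaryInterfaceIP is not set"
} elseif ($localIPv4 -contains $primary) {
    "PrimaryInterfaceIP $primary is local; confirm it matches the agent host record"
} else {
    "PrimaryInterfaceIP $primary is not an address on this host"
}
```

Run the script from an elevated Windows PowerShell prompt on the Forefront TMG computer; each line of output corresponds to one step of the procedure.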

Verifying the connection

You can test SecurID authentication using the RSA Test Authentication Utility. For more information about the tool, see Microsoft® Forefront Threat Management Gateway (TMG) 2010 Tools & Software Development Kit (https://go.microsoft.com/fwlink/?LinkId=196465). This tool checks connectivity between the computer running Forefront TMG and the server running RSA Authentication Manager. The tool can also obtain the secret required for encrypting communications between the servers.