Configuring a SecurID server

RSA SecurID is based on technology from RSA Security Inc. Microsoft Forefront Threat Management Gateway can use SecurID as follows:

  • Authenticate clients for remote virtual private network access
  • Authenticate clients for access to internal corporate Web servers published through Forefront TMG by using Web publishing

SecurID requires clients to provide the following information to gain access to protected resources:

  • Personal identification number (PIN)
  • Physical token that produces a time-limited one-time password

Neither the PIN nor the token-generated one-time password grants access on its own; both are required. Setting up a SecurID authentication server for Forefront TMG consists of the following steps:

  1. After installing RSA Authentication Manager in accordance with the RSA documentation, create an agent host record so that the RSA Authentication Manager accepts connections from Forefront TMG for user authentication.
  2. Verify permissions and network adapter settings.
  3. Verify the connection to the RSA Authentication Manager.
  4. Configure SecurID properties.

To create an agent host record
  1. On the computer running RSA Authentication Manager, click Start, and then click RSA Authentication Manager Host Mode.

  2. On the Agent Host menu, click Add Agent Host.

  3. In the Name box, type the name of the computer running Forefront TMG. The name must resolve to an IP address on the local RSA Authentication Manager network.

  4. If required, in the Network address box, type the IP address of the computer running Forefront TMG.

  5. In the Agent type list, click Net OS Agent.

  6. If you want all users to be able to authenticate, select Open to All Locally Known Users.

  7. In Agent Host, click Generate Configuration Files. Click One Agent Host, click OK, double-click the name of the computer running Forefront TMG, and then save the Sdconf.rec file to the %windir%\system32 folder on the computer running Forefront TMG.

By default, the Sdconf.rec file is located in the ACE\Data folder on the RSA Authentication Manager computer.

To verify permissions and adapter settings
  1. On the computer running Forefront TMG, check that the local Network Service account has read/write access for the following registry key:

       HKLM\Software\SDTI\ACECLIENT

     This ensures that Forefront TMG is able to write the secret to the registry.

  2. On the computer running Forefront TMG, configure the Network Service account with read permissions for the Sdconf.rec file.

  3. If the computer running Forefront TMG is configured with multiple network adapters, you should explicitly configure the network adapter address through which Forefront TMG connects to the RSA Authentication Manager for authentication. To do this, specify the IP address as a string value in the following registry key:

       HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\AceClient\PrimaryInterfaceIP

     The value specified must match that set in the agent host record.
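As an added example (not from the original article), the following PowerShell script checks the Forefront TMG side of the procedure above. It assumes an elevated session on the Forefront TMG computer, that Sdconf.rec was saved to %windir%\system32 as in step 7 of the agent host procedure, and it only reads settings; it changes nothing.

```powershell
# Added verification script, not part of the original article. Run it in an
# elevated PowerShell session on the Forefront TMG computer after the steps above.
# Paths and the file name are the ones the procedure names; PowerShell 2.0 compatible.
$keyPath    = 'HKLM:\SOFTWARE\SDTI\ACECLIENT'
$sdconfPath = Join-Path $env:windir 'system32\sdconf.rec'
$netSvc     = 'NT AUTHORITY\NETWORK SERVICE'

function Test-Grants {
    # $true when an Allow ACE for $Identity covers every flag in $Required.
    # Only ACEs naming the account directly are considered (group grants are not).
    param($Acl, [string]$Identity, [string]$RightsProperty, $Required)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        if (($ace.$RightsProperty -band $Required) -eq $Required) { return $true }
    }
    return $false
}

function New-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail }
}
$results = @()

# Step 1: TMG writes the secret under this key while running as Network Service.
if (Test-Path $keyPath) {
    $need = [System.Security.AccessControl.RegistryRights]'ReadKey, WriteKey'
    $ok = Test-Grants (Get-Acl $keyPath) $netSvc 'RegistryRights' $need
    $results += New-Result 'ACECLIENT key: Network Service read/write' $ok $keyPath
} else { $results += New-Result 'ACECLIENT key exists' $false $keyPath }

# Step 2: sdconf.rec copied from the Authentication Manager must be readable.
if (Test-Path $sdconfPath) {
    $need = [System.Security.AccessControl.FileSystemRights]::Read
    $ok = Test-Grants (Get-Acl $sdconfPath) $netSvc 'FileSystemRights' $need
    $results += New-Result 'sdconf.rec: Network Service read' $ok $sdconfPath
} else { $results += New-Result 'sdconf.rec present' $false $sdconfPath }

# Step 3: with several adapters, PrimaryInterfaceIP must name one local address.
$adapters = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE')
$localIps = @($adapters | ForEach-Object { $_.IPAddress })
$primary  = (Get-ItemProperty -Path $keyPath -Name PrimaryInterfaceIP -ErrorAction SilentlyContinue).PrimaryInterfaceIP
if ($adapters.Count -gt 1) {
    $ok = ($primary -ne $null) -and ($localIps -contains $primary)
    $results += New-Result 'PrimaryInterfaceIP set to a local address' $ok "value='$primary'"
} else {
    $results += New-Result 'PrimaryInterfaceIP (single adapter, optional)' $true "value='$primary'"
}
$results | Format-Table Check, Pass, Detail -AutoSize
```

A failing PrimaryInterfaceIP check still has to be confirmed against the agent host record on the RSA Authentication Manager, since the script can only see which addresses are local to the TMG computer.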

You can test SecurID authentication using the RSA Test Authentication Utility. For more information about the tool, see RSA Test Authentication Utility for Internet Security and Acceleration (ISA) Server 2006. This tool checks connectivity between the computer running Forefront TMG and the server running RSA Authentication Manager. The tool can also obtain the secret required for encrypting communications between the servers.