Look at the ACLs on the target agent in /usr/lib/rsc or c:\windows\rsc - and the rscd.log on the target. it's likely that you don't have any BladeLogic credentials so nsh on the client side is sending over your OS username and the acls on the agent don't have any entries for that user name.
you can do a couple things:
1 - launch nsh via the 'nsh here' from the CM GUI
2 - setup a NSH Proxy on the appserver and config the nsh client to use it
3 - on the target agent remove the 'nouser' line in the users file and in the exports file put the line '* rw,user=<root|Administrator>'. (whatever the admin account is)