000038388 - Server certificate validation error when trying to authenticate using the RSA Authentication Agent 2.0 for AD FS

Document created by RSA Customer Support Employee on Jan 29, 2020Last modified by RSA Customer Support Employee on Jan 29, 2020
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000038388
Applies ToRSA Product Set:  SecurID
RSA Product/Service Type:  Authentication Agent for AD FS
RSA Version/Condition:  2.0
IssueThis article explains how to overcome the following error with the RSA Authentication Agent 2.0 for AD FS when using the agent for two factor authentication.
 
Error in Server certificate validation: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.


The log snipped below is from the rsa_adfs.log, located by default in C:\Program Files\RSA\RSA Authentication Agent\AD FS MFA Adapter\logs:
 
2020-01-28 16:04:23,542 [8] INFO AuthSessionAdapter - BeginAuthentication() called for User: jdoe
2020-01-28 16:04:23,745 [8] INFO AuthnAdapter - Initial state: ActivityId = 26aa8f39-916c-45d8-2600-0080000000fb, ContextID = f0b1b2df-0e11-45d4-9418-e22ccc2f9802
2020-01-28 16:04:23,745 [8] INFO AuthSessionAdapter - Initial state: ActivityId = 26aa8f39-916c-45d8-2600-0080000000fb, ContextID = f0b1b2df-0e11-45d4-9418-e22ccc2f9802, AuthState = CALL_INITIALIZE
2020-01-28 16:04:23,745 [8] INFO AuthSessionAdapter - TryEndAuthentication() called for User: jdoe
2020-01-28 16:04:23,745 [8] DEBUG AuthnRequestData - Constructing AuthnRequestData for user: jdoe
2020-01-28 16:04:23,745 [8] DEBUG AuthnRequestService - Entering AuthnRequestService::Authenticate()
2020-01-28 16:04:23,761 [8] DEBUG AuthnRequestService - Entering AuthnRequestService::processRequest()
2020-01-28 16:04:23,761 [8] INFO AuthnRequestService - Creating AuthN sessionData from Initialize response.
2020-01-28 16:04:23,761 [8] INFO AuthnRequestService - Facts are not available
2020-01-28 16:04:23,761 [8] DEBUG MFAInitializeProcessor - Entering MFAInitializeProcessor::process()
2020-01-28 16:04:23,808 [8] DEBUG Utils - Request Payload is: {


"authnAttemptTimeout": 180.0,
"clientId": "server.domain.com",
"subjectName": "jdoe",
"lang": "us_EN",
"assurancePolicyId": "",
"clientDetails": {


"hostname": "server.domain.com",
"softwareId": "4ab036b6-ee14-466f-ad8e-b7ea4b06f055",
"version": "2.0.1.27",
"component": "RSA Authentication Agent 2.0.0.0 for ADFS",
"platform": "Microsoft Windows Server 2016 Standard"


  }
  "context": {
      "messageId": "3fe0017c-3463-495b-9911-57df9da06fcc"
  }
 "keepAttempt": false
}
2020-01-28 16:04:23,823 [8] INFO ServerManager - getServerUrl(): returning server: https://server.domain.com:5555/mfa/v1_1
2020-01-28 16:04:23,995 [8] DEBUG SecuritySettings - Entering Certificate Validator
2020-01-28 16:04:23,995 [8] ERROR SecuritySettings - Error in Server certificate validation: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

2020-01-28 16:04:23,995 [8] DEBUG SecuritySettings - Leaving Certificate Validator
2020-01-28 16:04:24,011 [8] DEBUG MFAInitializeProcessor - Leaving MFAInitializeProcessor::process()
2020-01-28 16:04:24,011 [8] ERROR AuthnRequestService - MFA Response is empty. Returning Null
2020-01-28 16:04:24,011 [8] INFO AuthnAdapter - Authentication step completed.


 
CauseThe cause of this error is either:
  • The trusted root CA certificate from RSA Authentication Manager or the Cloud Authentication Service is not imported to the AD FS server, or
  • An improper certificate has been imported.
ResolutionTo resolve the issue,
  1. Using article 000036639 - How to export RSA SecurID Access Authentication Manager, Identity Router, or Cloud Authentication Service Root Certificate, export the appropriate root CA certificate from RSA Authentication Manager or the Cloud Authentication Service, depending on the authentication mode you configured during installation.
  2. Import the Trusted Root Certificate in either Desktop Experience Mode or Server Core Mode:

    •  

      Import Trusted Root Certificate in Desktop Experience Mode


       

    1. Sign into the AD FS server where you installed the agent.
    2. Run mmc.exe to open the Microsoft Management Console.
    3. Click File > Add/Remove Snap-In.
    4. Double-click Certificates.
    5. Select Computer Account, then click Next.
    6. Select Local Computer, then click Finish
    7. Click OK.
    8. Go to Certificates(Local Computer) > Trusted Root Certification Authorities > Certificates. 
    9. Right-click Certificates, and select All Tasks > Import
    10. Click Next.
    11. Click Browse, then select the certificate that you would like to import and click Open.
    12. Click Next.
    13. Select Place all certificates in the following store.
    14. Click Browse, then select Trusted Root Certification Authorities and click OK.
    15. Click Next.
    16. Click Finish & OK.


  • Import Trusted Root Certificate in Server Core Mode



  1. Sign into the AD FS server where you installed the agent.
  2. Open a PowerShell command prompt.
  3. Enter the following commands to import the certificate:

IMPORT-MODULE PKI
SET-LOCATION CERT: Get-ChildItem –Path <C:\CertDirectory\mycert.cer> | Import-Certificate – CertStoreLocation cert:\LocalMachine\Root



where, <C:\CertDirectory\mycert.cer> is the full file path of the certificate.

Attachments

    Outcomes