MFA Agent Test Authentication fails with error ServerConnectionFailed

3 years ago

Article Number

000067894

Applies To

RSA Product Set: SecurID Access
RSA Product/Service Type: MFA Agent for Microsoft Windows

Issue

When testing online authentication after configuring MFA agent on Windows server the below Error received

unsuccessful to connect to a server

Cause

From the Service logs the below error appears:

Caught Api exception: IO.Swagger.OfflineAuthenticationClient.ApiException: Error calling RequestOfflineMetadata: The request was aborted: Could not create SSL/TLS secure channel.
   at IO.Swagger.OfflineAuthenticationApi.OfflineMetadataApi.RequestOfflineMetadataWithHttpInfo(OfflineMetadataRequest offlineMetadataRequest)
   at RSA.Authentication.Offline.Services.DayFileSvc.GetOfflineMetaData(String offlineUrl, String accessKey, String clientId, String accessPolicyId, String userName, String domain, String attemptId) error code 0

The TLS failure implies that either
1) the CAS Root CA cert is not trusted by this system, or
2) the Agent cannot negotiate a mutually acceptable cipher algorithm with CAS.

From Wireshark capture logs there is a TLS Handshake failure due to cipher issues

Resolution

Make sure that the following ciphers are near the top:

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)

Notes

Things to check:

Open MMC > Certificates > Computer and verify that the CAS root CA (Entrust Root Certification Authority - G2) is listed in the Trusted Root Certificate Authority store

Don't see what you're looking for?

Potential Impact from Salesforce Device Activation Change

Related Articles

Trending Articles