MFA Agent Test Authentication fails with error ServerConnectionFailed
3 years ago
Article Number
000067894
Applies To
RSA Product Set: SecurID Access
RSA Product/Service Type: MFA Agent for Microsoft Windows
Issue
When testing online authentication after configuring MFA agent on Windows server the below Error received 
unsuccessful to connect to a server

 
Cause
From the Service logs the below error appears: 
Caught Api exception: IO.Swagger.OfflineAuthenticationClient.ApiException: Error calling RequestOfflineMetadata: The request was aborted: Could not create SSL/TLS secure channel.
   at IO.Swagger.OfflineAuthenticationApi.OfflineMetadataApi.RequestOfflineMetadataWithHttpInfo(OfflineMetadataRequest offlineMetadataRequest)
   at RSA.Authentication.Offline.Services.DayFileSvc.GetOfflineMetaData(String offlineUrl, String accessKey, String clientId, String accessPolicyId, String userName, String domain, String attemptId) error code 0

The TLS failure implies that either
1) the CAS Root CA cert is not trusted by this system, or
2) the Agent cannot negotiate a mutually acceptable cipher algorithm with CAS.

From Wireshark capture logs there is a TLS Handshake failure due to cipher issues
image.png

 
Resolution
Make sure that the following ciphers are near the top:

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
Notes
Things to check:
  • Open MMC > Certificates > Computer and verify that the CAS root CA (Entrust Root Certification Authority - G2) is listed in the Trusted Root Certificate Authority store

Related Articles

Trending Articles

Don't see what you're looking for?