MFA stopped working after TLS 1.2 Cloud enforcement in SecurID Access
Originally Published: 2023-04-05
Article Number
Applies To
RSA Product/Service Type: MFA Agent for Windows
RSA Version/Condition: 2.0.x and 2.1.x
Issue
Cause
- From OfflineAuthentication Logs:
Caught Api exception: IO.Swagger.OfflineAuthenticationClient.ApiException: Error calling RequestOfflineMetadata: The request was aborted: Could not create SSL/TLS secure channel.
   at IO.Swagger.OfflineAuthenticationApi.OfflineMetadataApi.RequestOfflineMetadataWithHttpInfo(OfflineMetadataRequest offlineMetadataRequest)
   at RSA.Authentication.Offline.Services.DayFileSvc.GetOfflineMetaData(String offlineUrl, String accessKey, String clientId, String accessPolicyId, String userName, String domain, String attemptId)
error code 0
The TLS failure implies that either
a) The CAS Root CA cert is not trusted by this system, or
b) The Agent cannot negotiate a mutually acceptable cipher algorithm with CAS.
- Take a packet capture which will show the SSL Handshake failure.
Resolution
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
Note: Use a tool (e.g. IIS Crypto) to make sure that the ciphers listed above are near the top of the list. If the above ciphers do not exist there, there is a high possibility that the Windows machines are missing a critical roll-up update (KB2919355 - April 2014). This roll-up included the additional ciphers needed for the MFA Agent to function correctly with CAS.
Link to download IIS Crypto: https://www.nartac.com/Products/IISCrypto/Download
More info for the KB2919355: https://support.microsoft.com/en-us/topic/update-adds-new-tls-cipher-suites-and-changes-cipher-suite-priorities-in-windows-8-1-and-windows-server-2012-r2-8e395e43-c8ef-27d8-b60c-0fc57d526d94
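
To confirm from the packet capture whether the agent host offers the two suites at all, and how high they sit in its preference order, the ClientHello record bytes can be parsed directly. The following is an added example, not part of the RSA article or any RSA tooling; the function names and the sample ClientHello bytes are constructed for illustration, and it assumes the ClientHello fits in a single TLS record.

```python
import struct

# Suite IDs as the article lists them under Resolution (0x9f, 0x9e).
REQUIRED = {
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
}

def offered_suites(record: bytes) -> list:
    """Return the cipher suite IDs, in client preference order, from one
    TLS record that carries a complete ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4 or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    try:
        pos = 4 + 2 + 32                    # handshake header, version, random
        pos += 1 + body[pos]                # session_id length byte + session_id
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
        raw = body[pos + 2:pos + 2 + cs_len]
    except (IndexError, struct.error):
        raise ValueError("ClientHello too short") from None
    if len(raw) != cs_len or cs_len % 2:
        raise ValueError("malformed cipher_suites vector")
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, cs_len, 2)]

def required_positions(record: bytes) -> dict:
    """Map each required suite name to its 0-based position in the client's
    offer, or None when the client did not offer it at all."""
    offered = offered_suites(record)
    return {name: offered.index(cid) if cid in offered else None
            for cid, name in REQUIRED.items()}

def sample_client_hello(suites) -> bytes:
    """Constructed input: minimal TLS 1.2 ClientHello without extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"     # version, random, empty session_id
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")  # null compression
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed offers: one without the DHE GCM suites, one with them on top.
WITHOUT = sample_client_hello([0xC028, 0xC027, 0x003D, 0x003C, 0x0035, 0x002F])
WITH = sample_client_hello([0x009F, 0x009E, 0xC028, 0xC027, 0x003D, 0x003C])

if __name__ == "__main__":
    for label, rec in (("without", WITHOUT), ("with", WITH)):
        print(label, required_positions(rec))
```

A result of None for both suites matches cause (b) above: the host has nothing from the required list to offer, so the handshake cannot complete regardless of certificate trust.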