RSA MFA Agent for Windows fails to authenticate with Authentication Manager due to "Error in Server certificate validation: Certificate Name Mismatch" error
Originally Published: 2024-10-11
Article Number
000072946
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager & MFA Agent for Microsoft Windows
RSA Version: 8.x (Authentication Manager) & 2.x (MFA Agent for Microsoft Windows)
Issue

Users are unable to authenticate with the RSA MFA Agent for Windows configured with the Authentication Manager.

Testing authentication with the "RSA MFA Agent Test Authentication" utility fails and results in an "Unsuccessful connection to RSA" or "Unsuccessful connection to SecurID Access" message.

The "RsaMfaAgentTestAuthentication(RSA_MFA_Agent_Test_Authentication).log" file includes the following error message:

[E] [RSA.Authentication.Connection.ConnectionHandler.ServerCertificateValidator] Error in Server certificate validation: Certificate Name Mismatch

However, the hostname in the Authentication Manager (AM) server certificate used for communication between the AM server and the MFA Agent matches the hostname of the AM server, so the certificate name does not actually mismatch.

Cause

The Authentication Manager server's Console Certificate included an IP address as a Subject Alternative Name (SAN) entry, and that IP-address SAN entry was causing the MFA Agent's server certificate validation to fail with the "Certificate Name Mismatch" error.

Resolution

Replace the Authentication Manager Console Certificate with a server certificate that does not include an IP address as a Subject Alternative Name.

Notes

Replacing the Authentication Manager (AM) Console Certificate also changes the certificate that AM presents on TCP port 5555, the port that REST-based agents such as the MFA Agent for Windows use when communicating with AM. Check the certificate on that port after the replacement to confirm the new certificate is being served.
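The check a practitioner would run before and after replacing the Console Certificate, as an added example that is not RSA's own tooling and not part of the original article: it reads a certificate's Subject Alternative Name extension with openssl and flags any "IP Address:" entry, which is the condition identified above as the cause. The hostname am.example.com, the address 192.0.2.10 and the throwaway self-signed certificates are constructed sample inputs so the script runs offline; fetch_am_cert is the network variant that pulls the certificate AM presents on port 5555.

```shell
#!/bin/sh
# Added example, not RSA tooling: detect IP-address SAN entries in a server
# certificate, the condition this article ties to "Certificate Name Mismatch".
set -eu

# san_has_ip FILE : exit 0 if the PEM certificate in FILE carries an
# "IP Address:" entry in its SAN extension, exit 1 otherwise. Prints the SAN
# line so the operator can see exactly what the certificate advertises.
san_has_ip() {
    # "-ext subjectAltName" prints a header line followed by the SAN values;
    # drop the header and join the rest onto one line.
    san=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
          | tail -n +2 | tr -d '\n')
    printf 'SAN of %s: %s\n' "$1" "${san:-(none)}"
    case "$san" in
        *'IP Address:'*) return 0 ;;
        *)               return 1 ;;
    esac
}

# fetch_am_cert HOST [PORT] : write the certificate an AM server presents on
# 5555/TCP (the REST agent port) to stdout as PEM. Needs network access; the
# hostname is a placeholder for your own AM server.
fetch_am_cert() {
    openssl s_client -connect "$1:${2:-5555}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

# make_test_cert OUT SAN : generate a throwaway self-signed certificate whose
# SAN extension is SAN (e.g. "DNS:am.example.com,IP:192.0.2.10"). Constructed
# sample input only, so the check can be exercised without a live AM server.
make_test_cert() {
    key=$(mktemp)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=am.example.com' -addext "subjectAltName=$2" \
        -keyout "$key" -out "$1" 2>/dev/null
    rm -f "$key"
}

# Stand-alone demonstration: one certificate with the problematic IP SAN
# entry, one with a DNS-only SAN as the article's resolution calls for.
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir/console-bad.pem"  'DNS:am.example.com,IP:192.0.2.10'
make_test_cert "$demo_dir/console-good.pem" 'DNS:am.example.com'

for cert in "$demo_dir/console-bad.pem" "$demo_dir/console-good.pem"; do
    if san_has_ip "$cert"; then
        echo "  -> replace this certificate: IP-address SAN entry present"
    else
        echo "  -> OK: SAN contains DNS names only"
    fi
done
rm -rf "$demo_dir"
```

To run the check against a live server instead of the constructed samples, save the certificate with `fetch_am_cert am.example.com > am-5555.pem` and pass that file to `san_has_ip`; the hostname and port are the only values you need to substitute. Both openssl options used here (`-addext` and `-ext`) require OpenSSL 1.1.1 or later.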