This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

ADFS stopped working after TLS 1.2 cloud enforcement in SecurId Access

Article Number

000039736

Applies To

RSA Product Set: SecurID Access
RSA Product/Service Type: Authentication Agent for Active Directory Federation Services (AD FS) 
RSA Version/Condition: 2.0 and 2.0.x
 

Issue

After the TLS 1.2 Cloud enforcement, the ADFS authentication is broken showing the below error in rsa_adfs.log (verbose logging) :
  

 DEBUG ConnectionHandler - DefaultExceptionFactory: Enter. Check RestSharp response for errors during Initialize
 ERROR ConnectionHandler - DefaultExceptionFactory: Connection failed with a non-HTTP error. status = 0
 DEBUG ConnectionHandler - logRestSharpResponseDetails: StatusCode = 0
 DEBUG ConnectionHandler - logRestSharpResponseDetails: StatusDescription =
 DEBUG ConnectionHandler - logRestSharpResponseDetails: Content =
  DEBUG ConnectionHandler - logRestSharpResponseDetails: ContentLength = 0
 DEBUG ConnectionHandler - logRestSharpResponseDetails: ContentType =
 DEBUG ConnectionHandler - logRestSharpResponseDetails: ErrorMessage = The request was aborted: Could not create SSL/TLS secure channel.
 DEBUG ConnectionHandler - logRestSharpResponseDetails: ResponseStatus = Error
 DEBUG ConnectionHandler - logRestSharpResponseDetails: ResponseUri=
 DEBUG ConnectionHandler - logRestSharpResponseDetails: Server =
 DEBUG ConnectionHandler - logRestSharpResponseDetails: ErrorException = System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
at System.Net.HttpWebRequest.GetRequestStream()
at RestSharp.Http.WriteRequestBody(HttpWebRequest webRequest)
at RestSharp.Http.PostPutInternal(String method)
at RestSharp.RestClient.Execute(IRestRequest request, String httpMethod, Func`3 getResponse)
 ERROR ConnectionHandler - DefaultExceptionFactory: Handling a WebException. Status = SecureChannelFailure, Response.ResponseUri =
 DEBUG ConnectionHandler - DefaultExceptionFactory: Ignoring exception. WebExceptionStatus = 10; message = The request was aborted: Could not create SSL/TLS secure channel.
 DEBUG ConnectionHandler - DefaultExceptionFactory: response.StatusCode = 0 Returning null.
 DEBUG ConnectionHandler - DefaultExceptionFactory: Return
 DEBUG ConnectionHandler - ExecuteWithRetry: Initialize returned. Server (mfaApi.GetBasePath()) = https://xxx.auth.securid.com/mfa/v1_1 AttemptResponseCode =
 DEBUG ConnectionHandler - ExecuteConnection: Setting rLastUsedServer = https://xxx.auth.securid.com/mfa/v1_1
 ERROR MFAInitializeProcessor - callMFAInitialize: ExecuteConnection returned a null response
 DEBUG MFAInitializeProcessor - callMFAInitialize: Return
 DEBUG MFAInitializeProcessor - process: Return
 ERROR AuthnRequestService - Authenticate: Returning null. MFA Response is empty.
 ERROR AuthSessionAdapter - callInitialize: Return. Authentication response is null.
 DEBUG AMPresentationForm - Ctor(AuthState): Enter
 DEBUG AMPresentationForm - Ctor(AuthState): authState = INIT_FAILED
 DEBUG AMPresentationForm - Ctor(AuthState): Return
 INFO AuthnAdapter - TryEndAuthentication: Authentication step completed







 

Cause

Handshake between the windows servers and the Cloud fails since the client  (windows server) negotiates in the Client hello cipher suites different from the Cloud preferred cipher suites.

Image descriptionImage description


 

Resolution

-Prioritize the below Cloud preferred ciphers suites ( one or more ) on all the windows machines Where the ADFS/MFA agent is installed and reboot them.

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)

-Those Ciphers suites can be prioritized by GPO following the below MSFT KB or by putting them on the top of the Ciphers suites in any tool used to view and enable or disable protocols, ciphers suites on Windows Servers (i.e. IIS Crypto). 

https://docs.microsoft.com/en-us/windows-server/security/tls/manage-tls

Notes

-The same issue can break the MFA Agent for Microsoft Windows authentication as well.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2021-06-14 11:19 AM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.