This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

MFA stopped working after TLS 1.2 Cloud enforcement in SecurId Access

Article Number

000068150

Applies To

RSA Product Set: SecurID Access
RSA Product/Service Type:  MFA Agent for windows
RSA Version/Condition: 2.0.x and 2.1.x

Issue

Online authentication is not working after TLS 1.2 Cloud enforcement is SecurID Access

Cause

Handshake between the Windows Servers and the Cloud fails since the client  (Windows Server) negotiates in the Client Hello Cipher Suites different from the Cloud preferred Cipher Suites.
  •  From OfflineAuthenticaton Logs:
Caught Api exception: IO.Swagger.OfflineAuthenticationClient.ApiException: Error calling RequestOfflineMetadata: The request was aborted: Could not create SSL/TLS secure channel.
   at IO.Swagger.OfflineAuthenticationApi.OfflineMetadataApi.RequestOfflineMetadataWithHttpInfo(OfflineMetadataRequest offlineMetadataRequest)
   at RSA.Authentication.Offline.Services.DayFileSvc.GetOfflineMetaData(String offlineUrl, String accessKey, String clientId, String accessPolicyId, String userName, String domain, String attemptId) error code 0
The TLS failure implies that either
 
a) The CAS Root CA cert is not trusted by this system, or
b) The Agent cannot negotiate a mutually acceptable cipher algorithm with CAS.
 
  • Take a packet capture which will show the SSL Handshake failure.

Resolution

Prioritize the below Cloud preferred Ciphers Suites (one or more ) on all the Windows machines where the MFA Agent is installed and reboot them.

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)


Note: Use a tool (e.g. IIS crypto) to make sure that the following ciphers are near the top if the above ciphers does not exist there is a high possibility that the windows machines are missing a critical Roll-up update (KB2919355 - April 2014). This roll-up included the additional ciphers needed for the MFA agent to function correctly with CAS

Link to download IIS Crypto: https://www.nartac.com/Products/IISCrypto/Download
More info for the KB2919355: https://support.microsoft.com/en-us/topic/update-adds-new-tls-cipher-suites-and-changes-cipher-suite-priorities-in-windows-8-1-and-windows-server-2012-r2-8e395e43-c8ef-27d8-b60c-0fc57d526d94
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2023-04-05 09:14 AM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.