This article explains how to overcome the following error with the RSA Authentication Agent 2.0 for AD FS when the agent is used for two-factor authentication.
Error in Server certificate validation: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
The log snippet below is from rsa_adfs.log, located by default in C:\Program Files\RSA\RSA Authentication Agent\AD FS MFA Adapter\logs:
2020-01-28 16:04:23,542 [8] INFO AuthSessionAdapter - BeginAuthentication() called for User: jdoe
2020-01-28 16:04:23,745 [8] INFO AuthnAdapter - Initial state: ActivityId = 26aa8f39-916c-45d8-2600-0080000000fb, ContextID = f0b1b2df-0e11-45d4-9418-e22ccc2f9802
2020-01-28 16:04:23,745 [8] INFO AuthSessionAdapter - Initial state: ActivityId = 26aa8f39-916c-45d8-2600-0080000000fb, ContextID = f0b1b2df-0e11-45d4-9418-e22ccc2f9802, AuthState = CALL_INITIALIZE
2020-01-28 16:04:23,745 [8] INFO AuthSessionAdapter - TryEndAuthentication() called for User: jdoe
2020-01-28 16:04:23,745 [8] DEBUG AuthnRequestData - Constructing AuthnRequestData for user: jdoe
2020-01-28 16:04:23,745 [8] DEBUG AuthnRequestService - Entering AuthnRequestService::Authenticate()
2020-01-28 16:04:23,761 [8] DEBUG AuthnRequestService - Entering AuthnRequestService::processRequest()
2020-01-28 16:04:23,761 [8] INFO AuthnRequestService - Creating AuthN sessionData from Initialize response.
2020-01-28 16:04:23,761 [8] INFO AuthnRequestService - Facts are not available
2020-01-28 16:04:23,761 [8] DEBUG MFAInitializeProcessor - Entering MFAInitializeProcessor::process()
2020-01-28 16:04:23,808 [8] DEBUG Utils - Request Payload is: {
"authnAttemptTimeout": 180.0,
"clientId": "server.domain.com",
"subjectName": "jdoe",
"lang": "us_EN",
"assurancePolicyId": "",
"clientDetails": {
"hostname": "server.domain.com",
"softwareId": "4ab036b6-ee14-466f-ad8e-b7ea4b06f055",
"version": "2.0.1.27",
"component": "RSA Authentication Agent 2.0.0.0 for ADFS",
"platform": "Microsoft Windows Server 2016 Standard"
}
"context": {
"messageId": "3fe0017c-3463-495b-9911-57df9da06fcc"
}
"keepAttempt": false
}
2020-01-28 16:04:23,823 [8] INFO ServerManager - getServerUrl(): returning server: https://server.domain.com:5555/mfa/v1_1
2020-01-28 16:04:23,995 [8] DEBUG SecuritySettings - Entering Certificate Validator
2020-01-28 16:04:23,995 [8] ERROR SecuritySettings - Error in Server certificate validation: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
2020-01-28 16:04:23,995 [8] DEBUG SecuritySettings - Leaving Certificate Validator
2020-01-28 16:04:24,011 [8] DEBUG MFAInitializeProcessor - Leaving MFAInitializeProcessor::process()
2020-01-28 16:04:24,011 [8] ERROR AuthnRequestService - MFA Response is empty. Returning Null
2020-01-28 16:04:24,011 [8] INFO AuthnAdapter - Authentication step completed.
The cause of this error is one of the following:
- The trusted root CA certificate from RSA Authentication Manager or the Cloud Authentication Service has not been imported into the AD FS server's Trusted Root Certification Authorities store, or
- The wrong certificate (for example, a server or intermediate certificate rather than the root CA certificate) has been imported.
To resolve the issue:
- Using article 000036639 - How to export RSA SecurID Access Authentication Manager, Identity Router, or Cloud Authentication Service Root Certificate, export the appropriate root CA certificate from RSA Authentication Manager or the Cloud Authentication Service, depending on the authentication mode you configured during installation.
- Import the Trusted Root Certificate in either Desktop Experience Mode or Server Core Mode:
Import Trusted Root Certificate in Desktop Experience Mode
- Sign into the AD FS server where you installed the agent.
- Run mmc.exe to open the Microsoft Management Console.
- Click File > Add/Remove Snap-In.
- Double-click Certificates.
- Select Computer Account, then click Next.
- Select Local Computer, then click Finish.
- Click OK.
- Go to Certificates(Local Computer) > Trusted Root Certification Authorities > Certificates.
- Right-click Certificates, and select All Tasks > Import.
- Click Next.
- Click Browse, then select the certificate that you would like to import and click Open.
- Click Next.
- Select Place all certificates in the following store.
- Click Browse, then select Trusted Root Certification Authorities and click OK.
- Click Next.
- Click Finish & OK.
Import Trusted Root Certificate in Server Core Mode
- Sign into the AD FS server where you installed the agent.
- Open a PowerShell command prompt.
- Enter the following commands to import the certificate into the Trusted Root Certification Authorities store of the local computer:
Import-Module PKI
Set-Location Cert:
Get-ChildItem -Path <C:\CertDirectory\mycert.cer> | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root
where <C:\CertDirectory\mycert.cer> is the full file path of the exported root CA certificate.
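The following PowerShell script is an added example and is not part of this article or of the RSA agent. It covers both causes listed above in one pass: it checks that the exported file is actually a self-signed CA certificate before importing it (so a server or intermediate certificate is not placed in the Root store by mistake), imports it only if that thumbprint is not already present, and then connects to the Authentication Manager or Cloud Authentication Service endpoint and builds the server certificate's chain with X509Chain, the same Windows trust evaluation the agent's certificate validator relies on. A chain status of UntrustedRoot is the condition behind the "terminated in a root certificate which is not trusted" message in the log. The certificate path, host name and port are placeholders taken from the article's examples and must be replaced with your own values.

```powershell
# Added diagnostic script (not from the RSA article). Placeholder values:
# adjust $RootCertPath, $ServerHost and $ServerPort for your environment.
param(
    [string]$RootCertPath = 'C:\CertDirectory\mycert.cer',   # placeholder path from the article
    [string]$ServerHost   = 'server.domain.com',             # placeholder host from the log
    [int]   $ServerPort   = 5555                             # port from the getServerUrl() log line
)

Import-Module PKI

# Returns $true only for a self-signed certificate with Basic Constraints CA=true,
# i.e. a root CA. Leaf and intermediate certificates fail this check.
function Test-IsRootCA {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $selfSigned = ($Cert.Subject -eq $Cert.Issuer)
    $bc = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    $isCA = ($null -ne $bc) -and $bc.CertificateAuthority
    return ($selfSigned -and $isCA)
}

# 1. Inspect the exported file before touching the Root store.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $RootCertPath
if (-not (Test-IsRootCA -Cert $root)) {
    Write-Warning "Not a self-signed CA certificate, refusing to import into Root: $($root.Subject)"
    return
}

# 2. Import only if this thumbprint is not already in LocalMachine\Root.
$existing = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if ($existing) {
    "Root CA already present: $($root.Thumbprint)"
} else {
    Import-Certificate -FilePath $RootCertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    "Imported root CA: $($root.Subject) ($($root.Thumbprint))"
}

# 3. Retrieve the server's TLS certificate. The callback accepts any certificate
#    here so that the chain can be evaluated and reported explicitly below.
$client = New-Object System.Net.Sockets.TcpClient -ArgumentList $ServerHost, $ServerPort
$acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
$ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $acceptAll
$ssl.AuthenticateAsClient($ServerHost)
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
$ssl.Dispose()
$client.Dispose()

# 4. Build the chain against the machine's trust stores and report the result.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust evaluation only; revocation is a separate concern
if ($chain.Build($serverCert)) {
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Chain OK: $($serverCert.Subject) chains to trusted root $($top.Subject)"
} else {
    foreach ($status in $chain.ChainStatus) {
        # UntrustedRoot here is the same condition the agent logs as
        # "terminated in a root certificate which is not trusted by the trust provider".
        "Chain error: $($status.Status) - $($status.StatusInformation.Trim())"
    }
}
```

Run the script in an elevated PowerShell session on the AD FS server, since writing to Cert:\LocalMachine\Root requires administrator rights. If step 4 still reports UntrustedRoot after the import, the certificate that was exported is not the root of the chain the server presents; compare the top element's Subject printed by the script with the Subject of the file you imported.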