ADFS stopped working after TLS 1.2 cloud enforcement in SecurID Access
Originally Published: 2021-06-13
Article Number
000043173
Applies To
RSA Product Set: SecurID Access
RSA Product/Service Type: Authentication Agent for Active Directory Federation Services (AD FS)
RSA Version/Condition: 2.0 and 2.0.x
 
Issue
After the TLS 1.2 Cloud enforcement, ADFS authentication is broken and rsa_adfs.log (verbose logging) shows the following errors:

 DEBUG ConnectionHandler - DefaultExceptionFactory: Enter. Check RestSharp response for errors during Initialize
 ERROR ConnectionHandler - DefaultExceptionFactory: Connection failed with a non-HTTP error. status = 0
 DEBUG ConnectionHandler - logRestSharpResponseDetails: StatusCode = 0
 DEBUG ConnectionHandler - logRestSharpResponseDetails: StatusDescription =
 DEBUG ConnectionHandler - logRestSharpResponseDetails: Content =
  DEBUG ConnectionHandler - logRestSharpResponseDetails: ContentLength = 0
 DEBUG ConnectionHandler - logRestSharpResponseDetails: ContentType =
 DEBUG ConnectionHandler - logRestSharpResponseDetails: ErrorMessage = The request was aborted: Could not create SSL/TLS secure channel.
 DEBUG ConnectionHandler - logRestSharpResponseDetails: ResponseStatus = Error
 DEBUG ConnectionHandler - logRestSharpResponseDetails: ResponseUri=
 DEBUG ConnectionHandler - logRestSharpResponseDetails: Server =
 DEBUG ConnectionHandler - logRestSharpResponseDetails: ErrorException = System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
at System.Net.HttpWebRequest.GetRequestStream()
at RestSharp.Http.WriteRequestBody(HttpWebRequest webRequest)
at RestSharp.Http.PostPutInternal(String method)
at RestSharp.RestClient.Execute(IRestRequest request, String httpMethod, Func`3 getResponse)
 ERROR ConnectionHandler - DefaultExceptionFactory: Handling a WebException. Status = SecureChannelFailure, Response.ResponseUri =
 DEBUG ConnectionHandler - DefaultExceptionFactory: Ignoring exception. WebExceptionStatus = 10; message = The request was aborted: Could not create SSL/TLS secure channel.
 DEBUG ConnectionHandler - DefaultExceptionFactory: response.StatusCode = 0 Returning null.
 DEBUG ConnectionHandler - DefaultExceptionFactory: Return
 DEBUG ConnectionHandler - ExecuteWithRetry: Initialize returned. Server (mfaApi.GetBasePath()) = https://xxx.auth.securid.com/mfa/v1_1 AttemptResponseCode =
 DEBUG ConnectionHandler - ExecuteConnection: Setting rLastUsedServer = https://xxx.auth.securid.com/mfa/v1_1
 ERROR MFAInitializeProcessor - callMFAInitialize: ExecuteConnection returned a null response
 DEBUG MFAInitializeProcessor - callMFAInitialize: Return
 DEBUG MFAInitializeProcessor - process: Return
 ERROR AuthnRequestService - Authenticate: Returning null. MFA Response is empty.
 ERROR AuthSessionAdapter - callInitialize: Return. Authentication response is null.
 DEBUG AMPresentationForm - Ctor(AuthState): Enter
 DEBUG AMPresentationForm - Ctor(AuthState): authState = INIT_FAILED
 DEBUG AMPresentationForm - Ctor(AuthState): Return
 INFO AuthnAdapter - TryEndAuthentication: Authentication step completed
Cause
The TLS handshake between the Windows servers and the Cloud fails because the client (the Windows server) offers, in its Client Hello, cipher suites different from the cipher suites the Cloud prefers.

(Screenshot: TLS handshake failure)

Resolution
-Prioritize one or more of the Cloud-preferred cipher suites listed below on all Windows machines where the ADFS/MFA agent is installed, then reboot them.

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)

-These cipher suites can be prioritized by GPO following the Microsoft documentation below, or by moving them to the top of the cipher suite order in any tool used to view, enable or disable protocols and cipher suites on Windows Servers (e.g. IIS Crypto).

https://docs.microsoft.com/en-us/windows-server/security/tls/manage-tls
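
An added example (not from the RSA article) showing how to check and reorder the cipher suites with the Windows built-in TLS cmdlets instead of IIS Crypto; it assumes the Get-TlsCipherSuite/Enable-TlsCipherSuite/Disable-TlsCipherSuite cmdlets (Windows Server 2012 R2 and later), an elevated prompt, and the standard Group Policy registry path for the "SSL Cipher Suite Order" setting.

```powershell
# Added example, not from the RSA article: move the four Cloud-preferred
# cipher suites to the top of the local Schannel cipher suite order and
# report where they sit before and after. Assumes the TLS PowerShell module
# (Windows Server 2012 R2 / Windows 8.1 or later), an elevated prompt, and
# a reboot afterwards as the article requires.

$Preferred = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',  # 0xc030
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',  # 0xc02f
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',    # 0x9f
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'     # 0x9e
)

function Get-PreferredSuitePosition {
    # Position of each preferred suite in the current order; -1 means disabled.
    $order = @(Get-TlsCipherSuite | ForEach-Object { $_.Name })
    foreach ($name in $Preferred) {
        [pscustomobject]@{ Suite = $name; Position = [array]::IndexOf($order, $name) }
    }
}

# If a GPO "SSL Cipher Suite Order" is in force it overrides the local list,
# so changing the local list alone would not fix the handshake.
$gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$gpo = Get-ItemProperty -Path $gpoKey -Name Functions -ErrorAction SilentlyContinue
if ($gpo) {
    Write-Warning "Group Policy sets the cipher suite order; put the suites above first in that policy instead."
    return
}

'Before:'; Get-PreferredSuitePosition | Format-Table -AutoSize

# Insert in reverse so that $Preferred[0] ends up at position 0. Disabling
# first makes the move unambiguous for suites that are already enabled.
for ($i = $Preferred.Count - 1; $i -ge 0; $i--) {
    Disable-TlsCipherSuite -Name $Preferred[$i] -ErrorAction SilentlyContinue
    Enable-TlsCipherSuite  -Name $Preferred[$i] -Position 0
}

'After:'; Get-PreferredSuitePosition | Format-Table -AutoSize
```

After the reboot, a successful MFA initialize in rsa_adfs.log (no "Could not create SSL/TLS secure channel" error) confirms the new order is in effect.
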
Notes
-The same issue can also break authentication through the MFA Agent for Microsoft Windows.