MFA stopped working after TLS 1.2 Cloud enforcement in SecurID Access
Originally Published: 2023-04-05
Article Number
Applies To
RSA Product/Service Type: MFA Agent for Windows
RSA Version/Condition: 2.0.x and 2.1.x
Issue
Cause
- From OfflineAuthentication Logs:
Caught Api exception: IO.Swagger.OfflineAuthenticationClient.ApiException: Error calling RequestOfflineMetadata: The request was aborted: Could not create SSL/TLS secure channel.
   at IO.Swagger.OfflineAuthenticationApi.OfflineMetadataApi.RequestOfflineMetadataWithHttpInfo(OfflineMetadataRequest offlineMetadataRequest)
   at RSA.Authentication.Offline.Services.DayFileSvc.GetOfflineMetaData(String offlineUrl, String accessKey, String clientId, String accessPolicyId, String userName, String domain, String attemptId)
error code 0
The TLS failure implies that either
a) The CAS Root CA cert is not trusted by this system, or
b) The Agent cannot negotiate a mutually acceptable cipher algorithm with CAS.
- Take a packet capture which will show the SSL Handshake failure.
Resolution
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
Note: Use a tool (e.g. IIS Crypto) to make sure that the ciphers listed above are near the top of the cipher suite order. If the above ciphers do not exist, there is a high possibility that the Windows machines are missing a critical roll-up update (KB2919355 - April 2014). This roll-up included the additional ciphers needed for the MFA Agent to function correctly with CAS.
Link to download IIS Crypto: https://www.nartac.com/Products/IISCrypto/Download
More info for the KB2919355: https://support.microsoft.com/en-us/topic/update-adds-new-tls-cipher-suites-and-changes-cipher-suite-priorities-in-windows-8-1-and-windows-server-2012-r2-8e395e43-c8ef-27d8-b60c-0fc57d526d94
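A read-only check for the two points in the note above, as an added example that is not part of the original RSA article: it reads the Schannel cipher suite order from the registry, reports whether the two DHE suites are present and at what position, and queries for KB2919355. The registry paths are the standard Schannel Group Policy and local-default locations, assumed here to apply to the affected hosts.

```powershell
# Added example: verify the two cipher suites named in this article and KB2919355.
$required = @(
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
)

# Schannel cipher suite order. A Group Policy value, when set, overrides the local default.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

function Get-SuiteOrder {
    param([string]$Key)
    $value = (Get-ItemProperty -Path $Key -Name Functions -ErrorAction SilentlyContinue).Functions
    if (-not $value) { return @() }
    # The policy value is one comma-separated string; the local key is REG_MULTI_SZ.
    return @($value | ForEach-Object { $_ -split ',' } |
             ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

$order  = @(Get-SuiteOrder $policyKey)
$source = 'Group Policy'
if ($order.Count -eq 0) {
    $order  = @(Get-SuiteOrder $localKey)
    $source = 'local default'
}

Write-Output "Cipher suite order read from: $source ($($order.Count) suites)"
foreach ($suite in $required) {
    $index = [array]::IndexOf($order, $suite)
    if ($index -lt 0) {
        Write-Output "MISSING  $suite"
    } else {
        Write-Output ("PRESENT  {0} (position {1} of {2})" -f $suite, ($index + 1), $order.Count)
    }
}

# The article ties missing suites to roll-up KB2919355 (April 2014).
$kb = Get-HotFix -Id 'KB2919355' -ErrorAction SilentlyContinue
if ($kb) { Write-Output "KB2919355 installed on $($kb.InstalledOn)" }
else     { Write-Output 'KB2919355 not reported by Get-HotFix' }
```

Run it from an elevated PowerShell session on the machine hosting the MFA Agent. A MISSING result together with no KB2919355 matches the cause described in the note.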