Schannel communications fail in Web Agents 5, 5.5 and 5.6 running on Microsoft Windows 2008 R2 or 2012 with TLS 1.2 enabled
The purpose of this article is to provide assistance when Schannel (the built-in Secure Channel API for SSL/TLS communications) fails in Web Agents running on Microsoft® Windows® 2008 R2 or 2012 when TLS 1.2 is enabled. You will see a "creating security context failed (0x80090308)" error when this happens.
Symptoms
The web agent running on Microsoft Windows 2008 R2 or 2012 fails to create a connection to an AM server that only has TLS 1.2 enabled. This issue does not occur on Microsoft Windows 2016 or 2019 servers.
The following error is shown in the agent debug log when this happens:
net_client_handshake_loop(): creating security context failed (0x80090308)
wnet_connect(): failed to connect to 192.0.2.0:8443, error: -29
SSL/TLS connection to 192.0.2.0:8443 failed (operation not completed)
unable to connect to 192.0.2.0:8443

The 0x80090308 code signifies a SEC_E_INVALID_TOKEN error.
Recent Changes
N/A
Causes
The web agent cannot negotiate an acceptable cipher, which causes the connection to fail.
Solution
This issue can be resolved by applying the KB3140245 update, which you can download from the Microsoft Update Catalog: KB3140245.
See Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows for further information on this update.
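To confirm that a host matches this article before patching, the following PowerShell triage script is an added example (not vendor or product code). It checks the agent debug log for the failure signature, the Windows version, and whether KB3140245 is installed. The -DebugLog parameter name is hypothetical, and the sample lines are constructed from the excerpt above so the script runs without a log file.

```powershell
# Added example, not vendor code. -DebugLog is a hypothetical parameter name.
param([string]$DebugLog)

# Constructed sample (copied from the excerpt in this article); used when no log is given.
$sample = @(
    'net_client_handshake_loop(): creating security context failed (0x80090308)',
    'wnet_connect(): failed to connect to 192.0.2.0:8443, error: -29',
    'SSL/TLS connection to 192.0.2.0:8443 failed (operation not completed)'
)
$lines = if ($DebugLog) { Get-Content -LiteralPath $DebugLog } else { $sample }

# 1. Find the Schannel failure signature and the endpoints that failed.
$codeNames = @{ '80090308' = 'SEC_E_INVALID_TOKEN' }   # mapping given in the article
$codes = @(); $endpoints = @()
foreach ($line in $lines) {
    if ($line -match 'creating security context failed \(0x([0-9A-Fa-f]{8})\)') {
        $codes += $Matches[1]
    }
    if ($line -match 'failed to connect to ([^,\s]+)') {
        $endpoints += $Matches[1]
    }
}
$codes = @($codes | Sort-Object -Unique)
$endpoints = @($endpoints | Sort-Object -Unique)
$signature = $codes -contains '80090308'

# 2. Affected platforms per the article: 2008 R2 (NT 6.1) and 2012 (NT 6.2).
$osVersion = [version](Get-WmiObject -Class Win32_OperatingSystem).Version
$affectedOs = ($osVersion.Major -eq 6) -and (@(1, 2) -contains $osVersion.Minor)

# 3. Is the update named in the Solution already installed?
$kbInstalled = [bool](Get-HotFix -Id 'KB3140245' -ErrorAction SilentlyContinue)

foreach ($c in $codes) {
    $name = if ($codeNames.ContainsKey($c)) { $codeNames[$c] } else { 'not covered by this article' }
    "Schannel error   : 0x$c ($name)"
}
"Failed endpoints : $($endpoints -join ', ')"
"OS version       : $osVersion (affected platform: $affectedOs)"
"KB3140245        : installed = $kbInstalled"

if ($signature -and $affectedOs -and -not $kbInstalled) {
    'Result: matches this article; apply KB3140245.'
} elseif ($signature) {
    'Result: signature present, but OS or patch state differs from this article; investigate further.'
} else {
    'Result: signature not found in this log.'
}
```

The script avoids PowerShell 3.0-only syntax so that it also runs on the PowerShell 2.0 that ships with Windows 2008 R2.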
See Also
FAQ: SSL/TLS secured connections in AM and Agents
Related Training
N/A
Related Issue Tracker IDs
N/A