Schannel communications fail in Web Agents 4.1, 4.2 and 5.x running on Microsoft Windows 2008 R2 or 2012 with TLS 1.2 enabled

Last updated Dec 3, 2018

The purpose of this article is to provide assistance when Schannel (the built-in Secure Channel API for SSL/TLS communications) fails in Web Agents running on Microsoft® Windows® 2008 R2 or 2012 when TLS 1.2 is enabled. You will see a "creating security context failed (0x80090308)" error when this happens.
Symptoms

The web agent running on Microsoft Windows 2008 R2 or 2012 fails to create a connection to an AM server that only has TLS 1.2 enabled. This issue does not occur on Microsoft Windows 2016 or 2019 servers.

The following error is shown in the agent debug log when this happens:

net_client_handshake_loop(): creating security context failed (0x80090308)
wnet_connect(): failed to connect to 192.0.2.0:8443, error: -29
SSL/TLS connection to 192.0.2.0:8443 failed (operation not completed)
unable to connect to 192.0.2.0:8443

The 0x80090308 code signifies a SEC_E_INVALID_TOKEN error.

Recent Changes

N/A

Causes

The web agent cannot negotiate a cipher that the TLS 1.2-only AM server will accept, so the Schannel handshake fails and the connection is never established.

Solution

This issue can be resolved by applying the KB3140245 update, which you can download from the Microsoft Update Catalog (search for KB3140245).

See the Microsoft article "Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows" for further information on this update.
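The following check is an added example and is not part of this article or the ForgeRock agent: run it in an elevated PowerShell session on the Windows host running the web agent to confirm that KB3140245 is installed and to read the WinHTTP and Schannel registry settings that control whether TLS 1.2 is enabled. The registry paths and the DefaultSecureProtocols bit values are taken from Microsoft's documentation of KB3140245 and Schannel; the script only reads values and changes nothing.

```powershell
# Added check (not from the ForgeRock article): report whether KB3140245 is present
# and whether TLS 1.2 is enabled for WinHTTP and the Schannel client on this host.
# Paths and bit values are as documented by Microsoft for KB3140245 / Schannel.

$kb = Get-HotFix -Id 'KB3140245' -ErrorAction SilentlyContinue
if ($kb) { "KB3140245 installed on $($kb.InstalledOn)" } else { "KB3140245 NOT installed" }

# Bit values of the WinHTTP DefaultSecureProtocols DWORD (from the KB3140245 article)
$protocolBits = [ordered]@{
    'SSL 2.0' = 0x8
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}

# KB3140245 documents both the native and the 32-bit (Wow6432Node) key
$winHttpKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)
foreach ($key in $winHttpKeys) {
    $value = (Get-ItemProperty -Path $key -Name DefaultSecureProtocols -ErrorAction SilentlyContinue).DefaultSecureProtocols
    if ($null -eq $value) {
        "$key : DefaultSecureProtocols not set (pre-update defaults apply)"
        continue
    }
    # Decode the bitmask into the protocol names it enables
    $enabled = $protocolBits.Keys | Where-Object { ($value -band $protocolBits[$_]) -ne 0 }
    "$key : DefaultSecureProtocols = 0x{0:X} -> {1}" -f $value, ($enabled -join ', ')
}

# Schannel client-side switches for TLS 1.2; absent values mean the OS default applies
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$props = Get-ItemProperty -Path $schannel -ErrorAction SilentlyContinue
if ($null -eq $props) {
    "Schannel TLS 1.2 Client key absent: OS default applies"
} else {
    "Schannel TLS 1.2 Client: Enabled={0}, DisabledByDefault={1}" -f $props.Enabled, $props.DisabledByDefault
}
```

A host where the update has taken effect shows the TLS 1.2 bit (0x800) in DefaultSecureProtocols and no Schannel TLS 1.2 Client value of Enabled=0; if the agent still logs 0x80090308 after that, compare the cipher suites offered by the AM server with those the host's Schannel supports.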

See Also

FAQ: SSL/TLS secured connections in AM/OpenAM and Policy Agents

SSL in AM/OpenAM and Policy Agents

User Guide › Configuring Bootstrap Properties

Related Training

N/A

Related Issue Tracker IDs

N/A

Copyright and Trademarks

Copyright © 2018 ForgeRock, all rights reserved.