ForgeRock Identity Platform
Does not apply to Identity Cloud

Schannel communications fail in Web Agents 5, 5.5 and 5.6 running on Microsoft Windows 2008 R2 or 2012 with TLS 1.2 enabled

Last updated Jan 11, 2023

The purpose of this article is to provide assistance when Schannel (the built-in Secure Channel API for SSL/TLS communications) fails in Web Agents running on Microsoft® Windows® 2008 R2 or 2012 when TLS 1.2 is enabled. You will see a "creating security context failed (0x80090308)" error when this happens.



The web agent running on Microsoft Windows 2008 R2 or 2012 fails to create a connection to an AM server that only has TLS 1.2 enabled. This issue does not occur on Microsoft Windows 2016 or 2019 servers.

The following error is shown in the agent debug log when this happens:

net_client_handshake_loop(): creating security context failed (0x80090308)
wnet_connect(): failed to connect to, error: -29
SSL/TLS connection to failed (operation not completed)
unable to connect to

The 0x80090308 code signifies a SEC_E_INVALID_TOKEN error.


The web agent cannot negotiate the acceptable cipher, which causes the connection to fail.


This issue can be resolved by applying the KB3140245 update, which you can download from the Microsoft Update Catalog: KB3140245.

See Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows for further information on this update.
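
To confirm the state of an affected agent host, the following PowerShell check (an added example, not part of the original article or of ForgeRock's tooling) reports the OS version, whether KB3140245 is recorded as installed, and the DefaultSecureProtocols registry value that the Microsoft article linked above describes. The registry path and bit values are taken from that Microsoft article; this page does not state whether the agent depends on them.

```powershell
# Added example: report the state of the KB3140245 fix on a web agent host.
# Written for PowerShell 2.0 syntax so it runs on Windows Server 2008 R2.
$kb = 'KB3140245'

# 6.1 = Windows Server 2008 R2, 6.2 = Windows Server 2012 (the affected releases).
$os  = Get-WmiObject -Class Win32_OperatingSystem
$ver = [version]$os.Version
$affected = ($ver.Major -eq 6) -and ((1, 2) -contains $ver.Minor)
"OS: {0} ({1}); affected release: {2}" -f $os.Caption, $ver, $affected

# Get-HotFix only matches updates recorded under this exact KB id.
$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
if ($hotfix) {
    "{0}: installed on {1}" -f $kb, $hotfix.InstalledOn
} else {
    "{0}: not recorded as installed" -f $kb
}

# DefaultSecureProtocols bit flags as documented in the Microsoft article.
$flags = @{ 0x80 = 'TLS 1.0'; 0x200 = 'TLS 1.1'; 0x800 = 'TLS 1.2' }
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)
foreach ($path in $paths) {
    $item  = Get-ItemProperty -Path $path -Name DefaultSecureProtocols -ErrorAction SilentlyContinue
    $value = $item.DefaultSecureProtocols
    if ($null -eq $value) {
        "{0}: DefaultSecureProtocols not set" -f $path
        continue
    }
    # Decode which protocol bits are present in the configured value.
    $enabled = $flags.Keys | Sort-Object |
        Where-Object { $value -band $_ } |
        ForEach-Object { $flags[$_] }
    "{0}: 0x{1:X} ({2})" -f $path, $value, ($enabled -join ', ')
}
```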

See Also

FAQ: SSL/TLS secured connections in AM and Agents

SSL in AM and Agents

Bootstrap properties

Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.