KB-8958: MFA with DirectControl fails with SSL connection error

Centrify DirectControl

14 July,17 at 03:45 PM

Applies to: Centrify Direct Control 5.3.1-402 and above on all supported platforms

Problem:
When attempting to log in with a user that requires MFA, the following error is presented:
SSL Connection Error

Cause:
This error is due to a certificate problem. A required certificate may be missing or unable to be read. 
Note:
Please ensure the Centrify Direct Control agent is 5.3.1-402 or greater.

Resolution:
Please run the following to check for errors: 
/usr/share/centrifydc/bin/adcdiag

Open the log created by this utility and check for the following error message:
Trying SPNEGO (GSSAPI/Kerberos) negotiation failed.

Solution/Troubleshooting Steps:
1. Check if the Cloud Connector certificate was properly uploaded to the machine: KB-8868: How to configure MFA for Centrify agent 5.4.0 or above with matched certificate?
   Download the IWA root CA certificate:
   "Setting->Network->Cloud Connectors->Cloud Connector configuration->IWA Service" page on the cloud admin portal
   Apply to GP:
   Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.
   Run:
   adgpupdate
   Check:
   /var/centrify/net/certs if the certificates have been added.
2. Check if "Enable Web Server" is set and HTTPS is enabled for this connector.
3. Check if "Allow IWA connections" is set under "Policy->Default Policy->User Security Policies->Login Authentication".
4. Check if the Centrify Cloud Connector is running properly.
5. Check if the Centrify Cloud Connector is listening on the Web Server port (default 8443).
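
The checks in steps 1 and 5 can be scripted on the agent machine. The following Python is an added example, not Centrify tooling: it reports missing, empty or unreadable files in /var/centrify/net/certs and separates "connector not listening" from "connector certificate not trusted". The connector host name and the CA file path shown in the usage section are hypothetical placeholders to replace with your own.

```python
import os
import socket
import ssl

CERT_DIR = "/var/centrify/net/certs"   # directory named in step 1
CONNECTOR_PORT = 8443                  # default Web Server port from step 5


def check_cert_dir(cert_dir=CERT_DIR):
    """Return a list of problems found in the agent's certificate directory."""
    if not os.path.isdir(cert_dir):
        return [f"{cert_dir}: directory is missing"]
    problems = []
    names = sorted(os.listdir(cert_dir))
    if not names:
        problems.append(f"{cert_dir}: no certificates present")
    for name in names:
        path = os.path.join(cert_dir, name)
        if not os.path.isfile(path):
            continue
        if not os.access(path, os.R_OK):
            problems.append(f"{path}: not readable by this user")
        elif os.path.getsize(path) == 0:
            problems.append(f"{path}: file is empty")
    return problems


def probe_connector(host, port=CONNECTOR_PORT, cafile=None, timeout=5.0):
    """Classify the endpoint: 'unreachable', 'tls_untrusted', 'tls_error', 'ok'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"          # nothing listening, or blocked on the way
    try:
        # cafile=None falls back to the system trust store.
        context = ssl.create_default_context(cafile=cafile)
        with context.wrap_socket(sock, server_hostname=host):
            return "ok"               # chain and host name both verified
    except ssl.SSLCertVerificationError:
        return "tls_untrusted"        # issuing CA not trusted, or name mismatch
    except (ssl.SSLError, OSError):
        return "tls_error"            # port open but not serving usable HTTPS
    finally:
        sock.close()


if __name__ == "__main__":
    for problem in check_cert_dir():
        print("cert dir:", problem)
    # Hypothetical host and CA file; substitute your connector and IWA root CA.
    print(probe_connector("connector.example.com", cafile="/tmp/iwa-root-ca.pem"))
```

A result of "unreachable" points at steps 4 and 5, while "tls_untrusted" points back at the certificate distribution in step 1.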

If you upgraded to 5.4.1 please review:
KB-8961: MFA with DirectControl fails after upgrading to 5.4.1

 
