A packet capture of the enrollment process shows a failed TLS handshake. The SPE server sends the Client Hello. The cloud console server responds with an ACK packet, followed by a TLS Alert packet (Level: Fatal, Description: Handshake Failure (40)). The cloud console then sends a FIN, ACK packet.
When the enrollment process starts, the CAF agent service is started and attempts to make a TLS connection to the cloud console. If the operating system does not advertise a TLS cipher suite supported by the cloud console in the Client Hello at the start of the TLS handshake, the connection is terminated, the service stops, and this error is thrown.
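To confirm this cause from a capture like the one described above, the following added example (not vendor code) parses the Client Hello and Alert records and checks whether any offered suite is usable. `CONSOLE_SUPPORTED` is a placeholder set, the sample bytes are constructed, and the Client Hello is assumed to fit in a single TLS record.

```python
import struct

# Placeholder set (assumption): substitute the suites the cloud console documents.
CONSOLE_SUPPORTED = {0xC02F, 0xC030}  # ECDHE-RSA AES-128/256-GCM, for illustration only

def build_client_hello(suites):
    """Build a constructed, extension-less TLS 1.2 ClientHello record for testing."""
    body = b"\x03\x03" + bytes(32) + b"\x00"            # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                  # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def offered_suites(record):
    """Return the cipher suite IDs a ClientHello record advertises."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    if len(body) < 35 or 35 + body[34] + 2 > len(body):
        raise ValueError("truncated ClientHello")
    pos = 35 + body[34]                                  # skip version, random, session id
    (cs_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("malformed cipher suite list")
    return [struct.unpack_from("!H", body, i)[0] for i in range(pos, pos + cs_len, 2)]

def parse_alert(record):
    """Return (level, description) from an unencrypted TLS alert record."""
    if len(record) < 7 or record[0] != 0x15:
        raise ValueError("not a TLS alert record")
    return record[5], record[6]

def diagnose(client_hello, alert, supported=CONSOLE_SUPPORTED):
    """True when a fatal handshake_failure follows a hello with no usable suite."""
    shared = [s for s in offered_suites(client_hello) if s in supported]
    return parse_alert(alert) == (2, 40) and not shared

# Constructed capture: legacy-only offer, then Alert (Fatal, Handshake Failure 40).
LEGACY_HELLO = build_client_hello([0x000A, 0x002F])      # RSA with 3DES / AES-128-CBC
FATAL_ALERT = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28])

if __name__ == "__main__":
    print("offered:", [hex(s) for s in offered_suites(LEGACY_HELLO)])
    print("cipher mismatch:", diagnose(LEGACY_HELLO, FATAL_ALERT))
```

A `True` result is consistent with the cipher suite mismatch described here; a `False` result with the same alert means at least one offered suite is in the set you supplied, so the handshake failed for some other reason.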
The server that SPE is installed on must advertise at least one cipher suite that is supported by the cloud console. We can confirm that the following cipher suite(s) are supported:
To ensure your server advertises these cipher suites, you must make configuration changes to the OS.
For Windows, please see the following Microsoft article: https://docs.microsoft.com/en-us/windows-server/security/tls/manage-tls.