TLS Encryption Errors (TLSAcceptSecurityContext failed 80070649) or "The encryption component failed" error messages.

Document ID : KB000003974
Last Modified Date : 02/03/2018
When running a software delivery job check or a "caf ping", you notice some errors are reported:

Figure 1, Figure 2

In the TRC_USD_SDAGENT*.log, you'll observe the following TLS encryption error:

Figure 3

The error seen is: TLSAcceptSecurityContext failed 80070649.


Another symptom is simply that a CAF PING fails:

Figure 4

The error seen is: "The encryption component failed."

Client Automation (ITCM) -- any version.

There are three common root causes:

1- The system time on one or both connecting endpoints is wrong.

2- The certificates being used are incompatible, e.g. your environment uses custom ITCM certificates, and one of the endpoints is using the out-of-the-box ITCM certificates rather than the custom ones.

3- A CAPKI compatibility difference between the two endpoints. This can typically happen if more than one CA product is installed on one of the endpoints, and one of those products may have installed a conflicting/incompatible version of CAPKI.


The solution will vary depending on the cause of the problem:

1- Ensure the system clock on the endpoint, including time zone, is set correctly and not off by more than 10 minutes.

2- Run a "cacertutil list" on both endpoints, and check for organization differences in the output, for example:

CN=DSM Root,O=Computer Associates,C=US
CN=DSM Root,O=Forward Inc,C=US

In this example, one endpoint is using out-of-the-box ITCM certificates, and the other is using custom certificates generated for "Forward Inc".

3- Upgrade CAPKI to the latest version.

The version of CAPKI can be checked in the registry:

Figure 5

If an older version is found, you can locate the latest version from your ITCM install media:
<install media root>\WindowsProductFiles_x86\CAPKI\setup.exe

Run: setup install caller=CADSM

This will upgrade the CAPKI installation on the endpoint.
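
For step 2, the comparison can be scripted once the "cacertutil list" output of each endpoint has been saved to text. The following is an added example, not part of the original article or of the product: it assumes the saved output contains subject names in the CN=...,O=...,C=... form shown above, and the function names and sample text are constructed for illustration.

```python
import re

# Matches DN strings of the shape the article shows (CN=...,O=...,C=...).
# Assumption: the saved "cacertutil list" output contains DNs in this form;
# any other text in the output is ignored.
DN_RE = re.compile(r"CN=[^,\r\n]+(?:\s*,\s*[A-Za-z]+=[^,\r\n]+)+")


def parse_dns(text):
    """Return {CN: set of O values} for every DN found in the saved output."""
    found = {}
    for dn in DN_RE.findall(text):
        attrs = {}
        for part in dn.split(","):
            key, value = part.split("=", 1)
            attrs[key.strip().upper()] = value.strip()
        found.setdefault(attrs["CN"], set()).add(attrs.get("O", ""))
    return found


def org_mismatches(output_a, output_b):
    """List (CN, orgs_on_a, orgs_on_b) for CNs whose O value differs."""
    a, b = parse_dns(output_a), parse_dns(output_b)
    return [(cn, sorted(a[cn]), sorted(b[cn]))
            for cn in sorted(a.keys() & b.keys()) if a[cn] != b[cn]]


def only_on_one_side(output_a, output_b):
    """CNs present on exactly one endpoint, which is also worth reviewing."""
    a, b = parse_dns(output_a), parse_dns(output_b)
    return sorted(a.keys() ^ b.keys())


# Constructed sample input: the two DN lines from the article, plus one
# made-up entry that is identical on both endpoints and so is not reported.
ENDPOINT_A = """CN=DSM Root,O=Computer Associates,C=US
CN=Constructed Sample,O=Example Org,C=US
"""
ENDPOINT_B = """CN=DSM Root,O=Forward Inc,C=US
CN=Constructed Sample,O=Example Org,C=US
"""

if __name__ == "__main__":
    for cn, orgs_a, orgs_b in org_mismatches(ENDPOINT_A, ENDPOINT_B):
        print(f"MISMATCH {cn}: endpoint A O={orgs_a}, endpoint B O={orgs_b}")
    for cn in only_on_one_side(ENDPOINT_A, ENDPOINT_B):
        print(f"ONLY ON ONE ENDPOINT: {cn}")
```

A reported mismatch for the same CN means the endpoints do not share the same certificate set, which is root cause 2.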