Using TLS 1.2 for the Workflow Server
search cancel

Using TLS 1.2 for the Workflow Server

book

Article ID: 173499

calendar_today

Updated On:

Products

Workflow Solution

Issue/Introduction

Best security practice is to use the latest version of TLS available - 1.2.  Microsoft does not enable TLS 1.2 by default in many current Operating Systems.  How do we enable TLS 1.2 communications in our Workflow Server?

Symptoms of insufficiently configured TLS 1.2 will include Reports and pages including report web parts malfunctioning with the error message below.

System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm

Resolution

To use TLS 1.2 perform the following steps on your environment.

  1. If desired, On a test system verify current TLS settings by downloading and running IISCrypto.exe from the desktop (does not install anything).  Download from: https://www.nartac.com/Products/IISCrypto
  2. Make changes necessary to the OS to accommodate TLS 1.2
    Save this section below as a .reg (AddTLS.reg) and execute on system to enable TLS 1.2
            Windows Registry Editor Version 5.00
            [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols]
            [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
            [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
            "DisabledByDefault"=dword:00000000
            "Enabled"=dword:00000001
            [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
            "Disabledbydefault"=dword:00000000
            "Enabled"=dword:00000001
    You can also install a Registry change via Task Script or Managed Software Policy in Altiris by using the command line: reg import "AddTLS.reg"
    NOTE: A system reboot is required after making this change to Registry
  3. Verify TLS settings changed by using IISCrypto.exe

  4. Process Manager does directly enable the use of TLS 1.2 which causes .NET to default to lower versions. For .NET 4.5/4.5.1/4.5.2, use of TLS 1.2 can be forced by using a registry value.
    The value to add is a DWORD value SchUseStrongCrypto set to 1 in the following registry key:
            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
            "SchUseStrongCrypto"=dword:00000001

Powered by Wolken Software