Best security practice is to use the latest version of TLS available: 1.2. Microsoft does not enable TLS 1.2 by default in many current operating systems. How do we enable TLS 1.2 communications in our Workflow Server?
Symptoms of insufficiently configured TLS 1.2 include reports, and pages that include report web parts, malfunctioning with the error message below.
System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm
To use TLS 1.2, perform the following steps in your environment.
If desired, on a test system, verify the current TLS settings by downloading and running IISCrypto.exe from the desktop (it does not install anything). Download from: https://www.nartac.com/Products/IISCrypto
Make the changes necessary to the OS to accommodate TLS 1.2. Save the section below as a .reg file (AddTLS.reg) and execute it on the system to enable TLS 1.2:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Disabledbydefault"=dword:00000000
"Enabled"=dword:00000001

You can also install a registry change via a Task Script or Managed Software Policy in Altiris by using the command line:

reg import "AddTLS.reg"

NOTE: A system reboot is required after making this change to the registry.
Verify that the TLS settings changed by using IISCrypto.exe.
Process Manager does not directly enable the use of TLS 1.2, which causes .NET to default to lower versions. For .NET 4.5/4.5.1/4.5.2, use of TLS 1.2 can be forced by using a registry value. The value to add is a DWORD value SchUseStrongCrypto set to 1 in the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
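The registry values set in the steps above can also be checked from PowerShell after the reboot. The read-only script below is an added example, not part of the original article; the function name Test-TlsRegistryValue is hypothetical, and the key paths and expected values are copied from this article.

```powershell
# Added example: compare the registry values this article sets with what is
# actually on the system. Read-only; it changes nothing.
# Key paths and expected values are taken from the article's .reg content.
$schannel = 'HKLM:\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$dotnet   = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'

$expected = @(
    @{ Path = "$schannel\Client"; Name = 'DisabledByDefault';  Want = 0 },
    @{ Path = "$schannel\Client"; Name = 'Enabled';            Want = 1 },
    @{ Path = "$schannel\Server"; Name = 'DisabledByDefault';  Want = 0 },
    @{ Path = "$schannel\Server"; Name = 'Enabled';            Want = 1 },
    @{ Path = $dotnet;            Name = 'SchUseStrongCrypto'; Want = 1 }
)

# Hypothetical helper: returns one result object per registry value.
function Test-TlsRegistryValue {
    param([string]$Path, [string]$Name, [int]$Want)

    $actual = $null
    $state  = 'MissingKey'          # the key itself does not exist
    if (Test-Path -LiteralPath $Path) {
        $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $state = 'MissingValue' # key exists, value was never created
        } else {
            $actual = $item.$Name
            $state  = if ($actual -eq $Want) { 'OK' } else { 'Mismatch' }
        }
    }
    [pscustomobject]@{
        Path = $Path; Name = $Name; Expected = $Want; Actual = $actual; State = $state
    }
}

$results = foreach ($e in $expected) { Test-TlsRegistryValue @e }
$results | Format-Table -AutoSize -Wrap

$bad = @($results | Where-Object State -ne 'OK')
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) value(s) differ from the settings in this article."
} else {
    Write-Output 'All TLS 1.2 registry values match the settings in this article.'
}
```

A MissingKey or MissingValue result means AddTLS.reg or the SchUseStrongCrypto change was not applied on that system; a Mismatch means the value exists but holds something other than what the article sets.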