
Using TLS 1.2 for the Workflow Server


Article ID: 173499


Products

Workflow Solution

Issue/Introduction

Best security practice is to use the most recent TLS version the platform supports; for the Windows versions this article covers that is TLS 1.2, and Microsoft does not enable it by default on several of them.  How do we enable TLS 1.2 communications in our Workflow Server?

When TLS 1.2 is only partly configured (for example, the server side accepts only TLS 1.2 while the .NET client side still offers only SSL 3.0 and TLS 1.0), Reports and any page containing a report web part fail with the error message below.

System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm

Resolution

To use TLS 1.2 perform the following steps on your environment.

  1. Optionally, on a test system, verify the current TLS settings by downloading IISCrypto.exe and running it from the desktop (it is a standalone executable and does not install anything).  Download from: https://www.nartac.com/Products/IISCrypto
  2. Make the OS changes needed to enable TLS 1.2.
    Save the section below as a .reg file (AddTLS.reg) and run it on the system to enable TLS 1.2 for both the client (outbound) and server (inbound) side of Schannel. The keys are under CurrentControlSet, which always points at the control set Windows is currently booted from; ControlSet001 is only sometimes that set, so writing there can silently miss the live configuration.
            Windows Registry Editor Version 5.00

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
            "DisabledByDefault"=dword:00000000
            "Enabled"=dword:00000001

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
            "DisabledByDefault"=dword:00000000
            "Enabled"=dword:00000001

    This enables TLS 1.2 in addition to whatever protocols are already enabled; it does not disable SSL 3.0 or TLS 1.0. Disabling those is a separate change that should wait until step 4 is in place and tested, because .NET 4.5.x components will otherwise keep falling back to them.
    You can also install the Registry change via a Task Script or Managed Software Policy in Altiris by using the command line: reg import "AddTLS.reg"
    NOTE: A system reboot is required after making this change to the Registry.
  3. Verify TLS settings changed by using IISCrypto.exe
  4. Process Manager does not select TLS 1.2 itself; it uses the .NET Framework's default protocol list, which for .NET 4.5/4.5.1/4.5.2 is SSL 3.0 and TLS 1.0 only. That is why the Schannel change alone can still produce the "common algorithm" error. For .NET 4.5/4.5.1/4.5.2, use of TLS 1.2 can be forced with a registry value.
    The value to add is a DWORD value SchUseStrongCrypto set to 1 in the following registry key (with it set, .NET 4.5.x offers TLS 1.0, 1.1 and 1.2):
            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
            "SchUseStrongCrypto"=dword:00000001
    On 64-bit Windows, add the same value under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 as well, so that 32-bit .NET processes pick it up. The value is read when a .NET process starts, so restart IIS (iisreset) or reboot after adding it.
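The whole procedure above (Schannel keys, the .NET value for both 64-bit and 32-bit processes, a read-back check in place of IISCrypto, and a TLS 1.2-only handshake test) as a single PowerShell script. This is an added example written for this article, not tooling shipped with Workflow Solution; it assumes an elevated PowerShell 3.0 or later session with .NET 4.5 or later, and the host name workflow.example.local is a placeholder for your own Process Manager server.

```powershell
# Added example (not part of Workflow Solution): enable TLS 1.2 for Schannel and .NET 4.5.x,
# read the settings back, and test a TLS 1.2-only handshake. Run from an elevated prompt.
# A reboot is still required for the Schannel change; .NET reads SchUseStrongCrypto at process start.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$dotnetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',              # 64-bit .NET processes
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'   # 32-bit .NET processes on 64-bit Windows
)

function Set-RegistryDword {
    # Creates the key if needed and writes (or overwrites) a DWORD value.
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Enable-Tls12 {
    # Same values as AddTLS.reg in the article, for both the Client and Server side of Schannel.
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $schannel $side
        Set-RegistryDword -Path $key -Name 'Enabled'           -Value 1
        Set-RegistryDword -Path $key -Name 'DisabledByDefault' -Value 0
    }
    # SchUseStrongCrypto makes .NET 4.5/4.5.1/4.5.2 offer TLS 1.0/1.1/1.2 instead of SSL 3.0/TLS 1.0.
    # The Wow6432Node key is skipped on 32-bit Windows, where its parent does not exist.
    foreach ($key in $dotnetKeys) {
        if (Test-Path (Split-Path $key -Parent)) {
            Set-RegistryDword -Path $key -Name 'SchUseStrongCrypto' -Value 1
        }
    }
}

function Get-Tls12Status {
    # Reads back every value the change touches; a value that is missing shows as an empty Value.
    $checks = @()
    foreach ($side in 'Client', 'Server') {
        foreach ($name in 'Enabled', 'DisabledByDefault') {
            $checks += ,@((Join-Path $schannel $side), $name)
        }
    }
    foreach ($key in $dotnetKeys) { $checks += ,@($key, 'SchUseStrongCrypto') }
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c[0] -Name $c[1] -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{ Path = $c[0]; Name = $c[1]; Value = $item.($c[1]) } |
            Select-Object Path, Name, Value
    }
}

function Test-Tls12Handshake {
    # Opens a TLS 1.2-only connection to the server and reports the negotiated protocol and cipher.
    # If the server has not been rebooted after the Schannel change, this fails the same way the
    # report web parts do (no common algorithm). The host name is an assumed placeholder.
    param([string]$HostName = 'workflow.example.local', [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
        New-Object PSObject -Property @{
            Host = $HostName; Protocol = $ssl.SslProtocol; Cipher = $ssl.CipherAlgorithm
        } | Select-Object Host, Protocol, Cipher
    } finally {
        $client.Close()
    }
}

# Usage:
Enable-Tls12
Get-Tls12Status | Format-Table -AutoSize     # confirm the values before rebooting
# After the reboot (or iisreset for the .NET value), from a client machine or the server itself:
# Test-Tls12Handshake -HostName 'workflow.example.local'
```

Get-Tls12Status only confirms the registry state, not that running processes have picked it up; Test-Tls12Handshake is the check that matters after the reboot, because it exercises Schannel on both ends the same way the report web parts do. Run it once from a machine that still has the old settings to see the "common algorithm" failure reproduce, then again after the change to confirm TLS 1.2 is negotiated.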