Using TLS 1.2 for the Workflow Server
search cancel

Using TLS 1.2 for the Workflow Server


Article ID: 173499


Updated On:


Workflow Solution


Best security practice is to use the latest version of TLS available - 1.2.  Microsoft does not enable TLS 1.2 by default in many current Operating Systems.  How do we enable TLS 1.2 communications in our Workflow Server?

Symptoms of insufficiently configured TLS 1.2 will include Reports and pages including report web parts malfunctioning with the error message below.

System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm


To use TLS 1.2 perform the following steps on your environment.

  1. If desired, On a test system verify current TLS settings by downloading and running IISCrypto.exe from the desktop (does not install anything).  Download from:
  2. Make changes necessary to the OS to accommodate TLS 1.2
    Save this section below as a .reg (AddTLS.reg) and execute on system to enable TLS 1.2
            Windows Registry Editor Version 5.00
            [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
            [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
            [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]

    You can also install a Registry change via Task Script or Managed Software Policy in Altiris by using the command line: reg import "AddTLS.reg"
    NOTE: A system reboot is required after making this change to Registry
  3. Verify TLS settings changed by using IISCrypto.exe
  4. Process Manager does directly enable the use of TLS 1.2 which causes .NET to default to lower versions. For .NET 4.5/4.5.1/4.5.2, use of TLS 1.2 can be forced by using a registry value.
    The value to add is a DWORD value SchUseStrongCrypto set to 1 in the following registry key: