SChannel is the SSL/TLS provider built into Windows, and IIS uses it for HTTPS, so the SChannel registry configuration is where SSL 3.0 and weak ciphers are disabled for IIS.
Follow the steps below to disable SSL 3.0 for IIS:
- Open the Registry Editor as an administrator on the server where the VMware Authentication Proxy is installed.
- Navigate to the following key in the Registry Editor window:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\
- In the navigation tree, right-click Protocols and click New > Key.
- Enter SSL 3.0 as the key name.
- Right-click SSL 3.0 and click New > Key to create a subkey under SSL 3.0.
- Name this subkey Client.
- Repeat the previous two steps to create a second subkey under SSL 3.0 and name it Server.
- Right-click the Client key and select New > DWORD (32-bit) Value.
- Enter DisabledByDefault as the value name.
- Double-click DisabledByDefault and enter 1 as the value data.
- Click OK.
- Right-click the Server key and select New > DWORD (32-bit) Value.
- Enter Enabled as the value name.
- Double-click Enabled and enter 0 as the value data.
- Click OK.
- Restart the server. SChannel reads these values at startup, so the change does not take effect until the reboot.
The two values mean different things: DisabledByDefault = 1 removes the protocol from the default negotiation set but an application can still request it explicitly, while Enabled = 0 turns the protocol off outright. If you also want to rule out a client application opting back in to SSL 3.0, add Enabled = 0 under the Client key as well. Note that these settings apply to every SChannel consumer on the server, not only IIS.
To enable protocols such as TLS 1.1 and TLS 1.2 (required on older Windows versions where they are not enabled by default), follow the steps listed above to create Client and Server keys under the required protocol. Under the Client and Server keys, add the DWORD (32-bit) values DisabledByDefault and Enabled with data 0 and 1 respectively, as shown in the example below.
- SCHANNEL\Protocols\TLS 1.1\Client
  - DWORD "Enabled" = 1
  - DWORD "DisabledByDefault" = 0
- SCHANNEL\Protocols\TLS 1.1\Server
  - DWORD "Enabled" = 1
  - DWORD "DisabledByDefault" = 0
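The following is an added example, not VMware's or Microsoft's code, that applies the SSL 3.0 disable steps and the TLS 1.1 / TLS 1.2 enable steps above with PowerShell instead of regedit, then reads the values back for review. It assumes the protocol key names ('SSL 3.0', 'TLS 1.1', 'TLS 1.2') and the Client/Server subkey layout exactly as documented in this article, an elevated (administrator) PowerShell session, and a reboot afterwards. Unlike the manual steps, which set only DisabledByDefault under Client and only Enabled under Server, it writes both values on both sides.

```powershell
# Added example for this article (not VMware's or Microsoft's code): sets the
# SChannel protocol registry values described above from an elevated
# PowerShell session. Reboot afterwards for SChannel to pick them up.
# Assumption: protocol key names and Client/Server layout as in the article.

$ProtocolsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    # Enables or disables one protocol for both the Client and Server side.
    # Enabled = 0 turns the protocol off outright; DisabledByDefault = 1 keeps
    # it out of the default negotiation set unless an application explicitly
    # asks for it. Both values are written on both sides so there is no gap.
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [Parameter(Mandatory)][bool]$Enable
    )
    $enabledValue           = if ($Enable) { 1 } else { 0 }
    $disabledByDefaultValue = if ($Enable) { 0 } else { 1 }
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path -Path $ProtocolsRoot -ChildPath "$Protocol\$side"
        if (-not (Test-Path -Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value $enabledValue -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value $disabledByDefaultValue -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # Reads the configured values back so they can be reviewed before the
    # reboot. A missing value is reported as '(not set)', meaning the OS
    # default for that Windows version applies to that protocol and side.
    param([Parameter(Mandatory)][string[]]$Protocol)
    foreach ($p in $Protocol) {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path -Path $ProtocolsRoot -ChildPath "$p\$side"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $p
                Side              = $side
                Enabled           = $(if ($null -ne $props.Enabled) { $props.Enabled } else { '(not set)' })
                DisabledByDefault = $(if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { '(not set)' })
            }
        }
    }
}

# Disable SSL 3.0 and make sure TLS 1.1 and TLS 1.2 are available.
Set-SchannelProtocol -Protocol 'SSL 3.0' -Enable $false
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enable $true
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enable $true

# Review the result before restarting the server.
Get-SchannelProtocolState -Protocol 'SSL 3.0', 'TLS 1.1', 'TLS 1.2' | Format-Table -AutoSize
```

After the reboot, confirm the change from another host rather than trusting the registry alone, for example with `nmap --script ssl-enum-ciphers -p 443 <server>`, which lists the protocol versions and cipher suites the server actually negotiates; SSL 3.0 should no longer appear.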
For more information on disabling other protocols and cipher suites, refer to https://support.microsoft.com/en-us/kb/245030.