1/28/18

Configure TLS 1.2 on BizTalk Server

This is the official announcement about TLS 1.2 support in BizTalk Server 2016. I am highlighting the comments from the official Microsoft page as a reference:

TLS 1.2 support
TLS 1.2 is fully supported in BizTalk Server, including all the adapters and all the accelerators. You can disable SSL, TLS 1.0, and TLS 1.1 on the BizTalk Server.
Key information:
  • Any external systems communicating with BizTalk also need to support TLS 1.2
  • Any custom code, such as functoids, may need to be updated to support TLS 1.2
Description of the TLS/SSL protocol describes how to set up a TLS 1.2 environment.
For lower versions like 2013 or 2010, however, using TLS 1.2 is not straightforward; you have to do some tricky work to enable it. Please follow the steps below to enable TLS 1.2.

Generally you will see the following types of error when trying to connect to any external service that already requires the security protocol TLS 1.2:

  • SSL Security error.
  • [DBNETLIB][ConnectionOpen (SECCreateCredentials()).]SSL Security error.
  • Could not create SSL/TLS secure channel.
  • The remote server returned an error: (403) Forbidden.
No need to worry :) We now have a solution to enable TLS 1.2 on your BizTalk server.

Let's start with BizTalk 2010 first:
BizTalk Server 2010 supports .NET Framework v4.0, and this version of the Framework supports only SSL v3.0 and TLS v1.0. However, Framework v4.5 does support the use of TLS 1.1 and TLS 1.2. So Framework 4.5 now needs to be installed on the BizTalk machine to establish a connection between both systems; let's do it.

The installer of this version of the framework can, of course, be downloaded from the Microsoft site:

That was the 1st step; TLS 1.2 is still not configured. You have to enable it now by updating the registry settings. Let's see step by step how we can do this.

Note: Before making any change in the registry, I strongly recommend taking a backup of the registry.

Create the keys below and the matching DWORDs at the locations shown:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

Now, set .NET Framework 4.0 to use the latest version of the SecurityProtocol by creating the DWORDs below, for both 32- and 64-bit hosts.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

Reboot the BizTalk server in order for the changes to come into effect.

All set now. Test your connection; you can use Wireshark to check which protocol version is negotiated.
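The same registry changes, applied and then read back for verification, as an added PowerShell example (not from the original post). It uses only the key paths and values listed above; run it in an elevated session, and the reboot is still required afterwards.

```powershell
# Added example: create the SCHANNEL and .NET registry values from the post
# idempotently, then read each one back and report any mismatch.
# Key paths and values are exactly those given above; nothing else is assumed.
$settings = @(
    @{ Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
       Values = @{ DisabledByDefault = 0; Enabled = 1 } },
    @{ Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
       Values = @{ DisabledByDefault = 0; Enabled = 1 } },
    # 64-bit .NET 4.0 hosts
    @{ Path   = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
       Values = @{ SchUseStrongCrypto = 1 } },
    # 32-bit .NET 4.0 hosts (Wow6432Node)
    @{ Path   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
       Values = @{ SchUseStrongCrypto = 1 } }
)

foreach ($s in $settings) {
    # Create the key (and any missing parent keys) only if it does not exist yet.
    if (-not (Test-Path -LiteralPath $s.Path)) {
        New-Item -Path $s.Path -Force | Out-Null
    }
    foreach ($name in $s.Values.Keys) {
        # DWord matches the dword: entries in the post; -Force overwrites an existing value.
        New-ItemProperty -LiteralPath $s.Path -Name $name -Value $s.Values[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

# Verification: read every value back and flag anything that does not match.
$allOk = $true
foreach ($s in $settings) {
    $item = Get-ItemProperty -LiteralPath $s.Path
    foreach ($name in $s.Values.Keys) {
        $actual   = $item.$name
        $expected = $s.Values[$name]
        $state = if ($actual -eq $expected) { 'OK' } else { $allOk = $false; 'MISMATCH' }
        '{0,-8} {1}\{2} = {3}' -f $state, $s.Path, $name, $actual
    }
}
if ($allOk) { 'All values set. Reboot the server for the SCHANNEL changes to take effect.' }
```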

Now configure BizTalk 2013/R2:
BizTalk Server 2013/R2 supports .NET Framework v4.5.x, and this version of the Framework also supports TLS v1.2. So here you only need to configure the registry. Please follow the steps above and you should be ready to go. Test again with the same application.

4 comments:

  1. Since I have set the registry keys and DWORDs and rebooted my test server, all service instances are stuck in status Dehydrated. Any ideas?

    Replies
    1. Thanks for reading this blog and asking a question here. Can you check in the event log why these instances are stuck or dehydrating? I am not sure this is because of TLS. But check that first and let me know if you need any assistance.
  2. Hi Kamlesh,
    Thanks for writing the steps for enabling support for TLS 1.2. I am using BizTalk 2016 with FP2 installed. Do I need to make any other changes to the BizTalk artifacts (port etc.) or registry to make sure that 1.2 works?
    I have a web service which will soon stop support for TLS 1.0. I wanted to know if I should implement any custom behaviours to enforce 1.2, or is it negotiated by default by BizTalk 2016 FP2?