Transport Layer Security (TLS) 1.2 is a cryptographic protocol designed to provide secure communications by ensuring privacy and data integrity. Microsoft has made TLS 1.2 the minimum requirement for many cloud services, including Microsoft Entra Connect. This article provides step-by-step guidance to enforce TLS 1.2 for Microsoft Cloud applications, including ASP.NET apps, and for Microsoft Entra Connect servers.
Why TLS 1.2 Is Critical
TLS 1.2 offers enhanced encryption and security compared to earlier versions, making it essential for secure communication in cloud environments. Microsoft Entra Connect version 1.2.65.0 and later fully supports TLS 1.2, and version 2.3.20.0 or later requires TLS 1.2 to function.
If TLS 1.2 is not enabled on your server, you must enable it before deploying or upgrading to Microsoft Entra Connect version 2.0 or later.
Solutions to Enforce TLS 1.2
The steps to enforce TLS 1.2 vary depending on the application or service being configured. Below are detailed solutions for common scenarios.
1. For ASP.NET Web Applications
- Update the Target Framework
Ensure the application's target framework is set to 4.6.2 or higher. Applications that target .NET Framework 4.7 or later defer to the operating system's protocol list (SystemDefault), so they pick up TLS 1.2 from the OS without any application code changes.
- Modify the Web.Config File
Update the Web.Config file to specify the target framework in the httpRuntime element:
<system.web>
    <httpRuntime targetFramework="4.7.2" />
</system.web>
For supported .NET Framework versions, refer to the Microsoft .NET Framework Lifecycle.
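The following is an added example, not code from the original article: it makes the Web.Config change above from PowerShell, which is useful when many sites on one server need the same edit. It creates the system.web or httpRuntime element if either is missing and leaves the rest of the file untouched. The function name Set-HttpRuntimeTargetFramework and the sample Web.Config are this example's own.

```powershell
# Added example: set httpRuntime targetFramework in a Web.config without disturbing other settings.
# Set-HttpRuntimeTargetFramework is this example's own name; the sample config below is constructed.

function Set-HttpRuntimeTargetFramework {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [string] $TargetFramework = '4.7.2'
    )
    [xml] $config = Get-Content -Path $Path -Raw
    $configuration = $config.DocumentElement
    if ($configuration.LocalName -ne 'configuration') {
        throw "Not a .NET configuration file: $Path"
    }
    # Use SelectSingleNode rather than $config.configuration.'system.web' so we always get the
    # element itself (dotted property access can return text instead of a node).
    $systemWeb = $configuration.SelectSingleNode('system.web')
    if ($null -eq $systemWeb) {
        $systemWeb = $configuration.AppendChild($config.CreateElement('system.web'))
    }
    $httpRuntime = $systemWeb.SelectSingleNode('httpRuntime')
    if ($null -eq $httpRuntime) {
        $httpRuntime = $systemWeb.AppendChild($config.CreateElement('httpRuntime'))
    }
    $previous = $httpRuntime.GetAttribute('targetFramework')   # "" when the attribute did not exist
    $httpRuntime.SetAttribute('targetFramework', $TargetFramework)
    $config.Save($Path)
    [pscustomobject]@{ Path = $Path; Previous = $previous; TargetFramework = $TargetFramework }
}

# Constructed sample Web.config: has <system.web> but no httpRuntime element, plus a
# compilation element that must survive the edit unchanged.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.5" />
  </system.web>
</configuration>
'@
$tempConfig = Join-Path -Path $env:TEMP -ChildPath 'Web.config'
Set-Content -Path $tempConfig -Value $sample -Encoding UTF8

Set-HttpRuntimeTargetFramework -Path $tempConfig -TargetFramework '4.7.2'
Get-Content -Path $tempConfig   # now also contains <httpRuntime targetFramework="4.7.2" />
```

Point the function at a site's real Web.Config path instead of the temporary file; the returned object records the previous value so a rollout can be audited. The compilation element's own targetFramework attribute is deliberately left alone, since it is the httpRuntime attribute that selects the 4.7+ runtime behaviour described above.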
2. If You Cannot Update the Web.Config
If modifying the Web.Config file is not possible, set the protocol explicitly in code before the application makes its first outbound HTTPS call (for ASP.NET, in Application_Start in Global.asax.cs):
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
This makes every HttpWebRequest, WebClient and HttpClient in the process offer only TLS 1.2. Do not OR SecurityProtocolType.Ssl3 into the value: that re-enables SSL 3.0 and defeats the purpose of the change. On .NET Framework 4.7 and later, SecurityProtocolType.SystemDefault is the better choice, because it lets the operating system decide which protocols to offer, which is the same effect the SystemDefaultTlsVersions registry value described below has for applications you cannot recompile.
3. Enforcing TLS 1.2 for Microsoft Entra Connect
Microsoft Entra Connect servers must have TLS 1.2 enabled to communicate with Microsoft Entra ID. Follow these steps to enforce TLS 1.2:
Update the Registry
Update the registry on the Microsoft Entra Connect server to enforce TLS 1.2. The .NETFramework values control what .NET applications such as the sync engine offer: SchUseStrongCrypto=1 makes .NET Framework 4.6 and later default to TLS 1.0, 1.1 and 1.2 (and never SSL 3.0) even for applications built against older frameworks, and SystemDefaultTlsVersions=1 makes .NET Framework 4.7 and later use the operating system's protocol list. The SCHANNEL keys enable TLS 1.2 at the operating-system level for inbound (Server) and outbound (Client) connections; the WOW6432Node path covers 32-bit processes on 64-bit Windows. Note that these values enable TLS 1.2 but do not by themselves disable TLS 1.0 or 1.1. Use the following registry keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
Important: After updating the registry, restart the Windows server for the changes to take effect.
4. Using PowerShell Scripts
Check TLS 1.2 Settings
You can use the following PowerShell script to verify the current TLS 1.2 settings on your Microsoft Entra Connect server:
Function Get-ADSyncToolsTls12RegValue {
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory=$true)]
        [string] $RegPath,
        [Parameter(Mandatory=$true)]
        [string] $RegName
    )
    # -ErrorAction Ignore: a missing key or value is reported as "Not Found", not as an error
    $regItem = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction Ignore
    $output = "" | Select-Object Path, Name, Value
    $output.Path = $RegPath
    $output.Name = $RegName
    # Windows PowerShell 5.1 (the default on Windows Server) has no ternary operator, so use if/else
    if ($null -eq $regItem) {
        $output.Value = "Not Found"
    } else {
        $output.Value = $regItem.$RegName
    }
    $output
}

$regSettings = @()

# .NET Framework switches, 64-bit and 32-bit (WOW6432Node) views
$regNetPaths = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
)
foreach ($regPath in $regNetPaths) {
    $regSettings += Get-ADSyncToolsTls12RegValue $regPath 'SystemDefaultTlsVersions'
    $regSettings += Get-ADSyncToolsTls12RegValue $regPath 'SchUseStrongCrypto'
}

# Schannel protocol keys use different value names (Enabled / DisabledByDefault)
$regSchannelPaths = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
)
foreach ($regPath in $regSchannelPaths) {
    $regSettings += Get-ADSyncToolsTls12RegValue $regPath 'Enabled'
    $regSettings += Get-ADSyncToolsTls12RegValue $regPath 'DisabledByDefault'
}

$regSettings | Format-Table -AutoSize
Enable TLS 1.2
To enforce TLS 1.2, run the following script from an elevated (Administrator) Windows PowerShell session:
New-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value 1 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value 1 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value 1 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value 1 -PropertyType 'DWord' -Force | Out-Null
# The Schannel TLS 1.2 keys usually do not exist yet; New-ItemProperty fails on a missing key, so create them first.
foreach ($side in 'Server', 'Client') {
    $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\$side"
    if (-not (Test-Path -Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'Enabled' -Value 1 -PropertyType 'DWord' -Force | Out-Null
    New-ItemProperty -Path $path -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord' -Force | Out-Null
}
Write-Host 'TLS 1.2 has been enabled. Restart the server for changes to take effect.'
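The script above writes every value unconditionally. The following is an added example that is not part of the original article or of Microsoft's ADSyncTools scripts: it treats the same eight registry values as a desired state, reports exactly which ones have drifted, changes only those, and supports -WhatIf so the change can be reviewed before it is applied. The function names (Get-Tls12DesiredState, Test-Tls12RegistryState, Set-Tls12RegistryState) are this example's own; the paths and values are the ones listed in the registry section.

```powershell
# Added example: desired-state apply with drift report for the TLS 1.2 registry values above.
# Function names are this example's own; paths and values are those the article lists.

function Get-Tls12DesiredState {
    # Desired registry state for .NET Framework (64-bit and WOW6432Node) and Schannel TLS 1.2.
    $net = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319')
    $schannel = @('HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server',
                  'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client')
    foreach ($p in $net) {
        [pscustomobject]@{ Path = $p; Name = 'SystemDefaultTlsVersions'; Value = 1 }
        [pscustomobject]@{ Path = $p; Name = 'SchUseStrongCrypto';       Value = 1 }
    }
    foreach ($p in $schannel) {
        [pscustomobject]@{ Path = $p; Name = 'Enabled';           Value = 1 }
        [pscustomobject]@{ Path = $p; Name = 'DisabledByDefault'; Value = 0 }
    }
}

function Test-Tls12RegistryState {
    # Compares the live registry against the desired state. Returns one object per value with the
    # current value (or 'Not Found') and a Compliant flag. Changes nothing; safe to run unelevated.
    foreach ($d in Get-Tls12DesiredState) {
        $item = Get-ItemProperty -Path $d.Path -Name $d.Name -ErrorAction Ignore
        $current = if ($null -eq $item) { 'Not Found' } else { $item.($d.Name) }
        [pscustomobject]@{
            Path      = $d.Path
            Name      = $d.Name
            Desired   = $d.Value
            Current   = $current
            Compliant = ($current -is [int] -and $current -eq $d.Value)
        }
    }
}

function Set-Tls12RegistryState {
    # Writes only the values that are missing or wrong. Use -WhatIf to preview; run elevated to apply.
    # Returns the drift report for the values it touched (nothing when already compliant).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $drift = Test-Tls12RegistryState | Where-Object { -not $_.Compliant }
    foreach ($d in $drift) {
        if ($PSCmdlet.ShouldProcess("$($d.Path)\$($d.Name)", "Set DWORD to $($d.Desired) (was $($d.Current))")) {
            # Schannel protocol keys are usually absent on a fresh server; create the key before the value.
            if (-not (Test-Path -Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
            New-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Desired -PropertyType DWord -Force | Out-Null
        }
    }
    $drift
}

# Usage:
#   Test-Tls12RegistryState | Format-Table -AutoSize   # audit only
#   Set-Tls12RegistryState -WhatIf                      # preview the planned changes
#   Set-Tls12RegistryState                              # apply (elevated), then restart the server
```

Run the audit before and after the restart and keep both reports with the change record. Two caveats: the Compliant check is strict, so an Enabled value that Windows or another tool wrote as 0xffffffff (which Schannel also treats as enabled) will show as drift and be rewritten to 1; and, like the article's own script, this only enables TLS 1.2 and says nothing about whether TLS 1.0 or 1.1 remain enabled on the server.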
Final Thoughts
Enforcing TLS 1.2 is a critical step in maintaining secure communication and compliance with Microsoft Cloud and Azure services. Whether you are configuring ASP.NET applications or Microsoft Entra Connect servers, the solutions provided here will help you ensure compatibility and security.
For more information, refer to the official Microsoft documentation: