How to Enforce TLS 1.2 for Microsoft Cloud Applications and Microsoft Entra Connect

by

Transport Layer Security (TLS) 1.2 is a cryptographic protocol designed to provide secure communications by ensuring privacy and data integrity. Microsoft has made TLS 1.2 the minimum requirement for many cloud services, including Microsoft Entra Connect. This article provides step-by-step guidance to enforce TLS 1.2 for Microsoft Cloud applications, including ASP.NET apps, and for Microsoft Entra Connect servers.

Why TLS 1.2 Is Critical

TLS 1.2 offers enhanced encryption and security compared to earlier versions, making it essential for secure communication in cloud environments. Microsoft Entra Connect version 1.2.65.0 and later fully supports TLS 1.2, and version 2.3.20.0 or later requires TLS 1.2 to function.

If TLS 1.2 is not enabled on your server, you must enable it before deploying or upgrading to Microsoft Entra Connect version 2.0 or later.

Solutions to Enforce TLS 1.2

The steps to enforce TLS 1.2 vary depending on the application or service being configured. Below are detailed solutions for common scenarios.

1. For ASP.NET Web Applications

  • Update the Target Framework
    Ensure the application’s target framework is set to 4.6.2 or higher. Using a higher version improves performance and security.
  • Modify the Web.Config File
    Update the Web.Config file to specify the target framework:<system.web> <httpRuntime targetFramework="4.7.2" /> </system.web> For supported .NET Framework versions, refer to the Microsoft .NET Framework Lifecycle.

2. If You Cannot Update the Web.Config

If modifying the Web.Config file is not possible, use the following workaround by adding this code at the start of your application:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Ssl3;

This ensures your application explicitly uses TLS 1.2 for secure communication.

3. Enforcing TLS 1.2 for Microsoft Entra Connect

Microsoft Entra Connect servers must have TLS 1.2 enabled to ensure secure communication with Azure. Follow these steps to enforce TLS 1.2:

Update the Registry

Update the registry on the Microsoft Entra Connect server to enforce TLS 1.2. Use the following registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

Important: After updating the registry, restart the Windows server for the changes to take effect.

4. Using PowerShell Scripts

Check TLS 1.2 Settings

You can use the following PowerShell script to verify the current TLS 1.2 settings on your Microsoft Entra Connect server:

Function Get-ADSyncToolsTls12RegValue {
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory=$true)]
        [string] $RegPath,
        [Parameter(Mandatory=$true)]
        [string] $RegName
    )
    $regItem = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction Ignore
    $output = "" | select Path, Name, Value
    $output.Path = $RegPath
    $output.Name = $RegName
    $output.Value = $regItem.$RegName -ne $null ? $regItem.$RegName : "Not Found"
    $output
}

$regSettings = @()
$regPaths = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
)

foreach ($regPath in $regPaths) {
    $regSettings += Get-ADSyncToolsTls12RegValue $regPath 'SystemDefaultTlsVersions'
    $regSettings += Get-ADSyncToolsTls12RegValue $regPath 'SchUseStrongCrypto'
}

$regSettings

Enable TLS 1.2

To enforce TLS 1.2, use the following PowerShell script:

New-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -Value '1' -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.2 has been enabled. Restart the server for changes to take effect.'

Final Thoughts

Enforcing TLS 1.2 is a critical step in maintaining secure communication and compliance with Microsoft Cloud and Azure services. Whether you are configuring ASP.NET applications or Microsoft Entra Connect servers, the solutions provided here will help you ensure compatibility and security.

For more information, refer to the official Microsoft documentation:

Leave a Comment