
We have a requirement to use TLS 1.2 on all servers. This means forcing TLS 1.2 system-wide using the registry settings below. When I set these settings and reboot the server, I get the below error message when expanding the BizTalk Group menu in BizTalk Administrator. In this particular environment, everything is running on one operating system/server. Keep in mind that if I enable TLS 1.0 in the registry, everything works fine.

I've read several articles stating that ever since .NET 4.5, TLS 1.1/1.2 are supported, so... what's the issue here?

(Screenshot: BizTalk Administrator failure)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"AspNetEnforceViewStateMac"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"AspNetEnforceViewStateMac"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

OS: Windows Server 2016
SQL Version: SQL Server 2016
BizTalk Version: BizTalk Enterprise 2016 CU3
.NET Version: 4.7

Comments:
  • Are you still able to open SSMS and query the databases? – zurebe-pieter Sep 28 '17 at 21:16
  • Yes, appears to be the OLEDB driver BizTalk itself is using. Trying to figure out how to determine the version of OLEDB driver and maybe update it... – Bee Sep 28 '17 at 21:42
  • According to the reply from a Microsoft person [here](https://social.technet.microsoft.com/Forums/security/en-US/08cd1188-4de4-4de0-9cc0-f951c61db9f6/could-not-establish-secure-channel-for-ssltls-with-authority-tls1testsalesforcecom?forum=biztalkgeneral), BizTalk core is not compatible without TLS1.0. This is a showstopper for us.... – Bee Sep 28 '17 at 22:31
  • What we have done is written a custom endpoint behaviour that sets the TLS version on the send ports that need it. Initially following this post to change the Salesforce OAuth component https://biztalkbox.wordpress.com/2016/08/09/salesforce-disabling-tls-1-0-how-to-get-it-working-for-api-calls-via-biztalk/ Later as a stand-alone component. I've asked if I'm allowed to open source this, waiting for approval. – Dijkgraaf Sep 29 '17 at 00:28
  • See also https://social.technet.microsoft.com/Forums/Lync/en-US/46a6d3ac-3a05-4742-bfbf-71fcc435589a/does-biztalk-server-2013-support-tls12?forum=biztalkgeneral In particular the final answer by Rajshekher-BT – Dijkgraaf Sep 29 '17 at 00:33
  • Thanks for the response, but as I state in the original post, the issue is when we disable TLS1.0 system-wide. This is not an adapter issue, it's an issue with the BizTalk app server connecting to the BizTalk DB via TLS1.1 or TLS 1.2. – Bee Sep 29 '17 at 16:47
  • Yes, which is why I haven't posted it as an answer. The answer basically is that it currently is not supported. I've raised it on User Voice https://biztalk.uservoice.com/forums/383724-biztalk-server/suggestions/31692256-biztalk-adapters-should-be-able-either-negotiate-h – Dijkgraaf Oct 01 '17 at 17:09

1 Answer

Update: With Feature Pack 2 for BizTalk 2016 or CU5 it is supported.

Original answer: Unfortunately you cannot do that, as per the answer by Rajshekher-BT from Microsoft in "Does BizTalk Server 2013 support TLS1.2?", quoted below.

I raised it on User Voice (but that site is gone now)

BizTalk core engine needs TLS 1.0 to operate the host so you cannot disable TLS in registry. However you can have both TLS 1.0 and TLS 1.2 enabled and let .NET/WCF-based adapters prefer to use TLS 1.2 with SchUseStrongCrypto=1 registry key.

Some web servers may try to negotiate, while others fail on the first attempt. In case you have different TLS settings in different WCF HTTP endpoints, you can use a WCF custom behaviour to set it. You should then keep all TLS 1.0 integration endpoints in one host and all TLS 1.2 integration endpoints in another host, as follows:
1. Make sure to keep both TLS 1.0 and TLS 1.2 enabled.
2. Don't set the SchUseStrongCrypto registry key.
3. The default behavior at this point will be TLS 1.0 (with fallback to SSL3), so for any WCF send port that needs TLS 1.2, set the System.Net.ServicePointManager.SecurityProtocol property using a custom endpoint behavior within a WCF-Custom send port.

If you want to allow fallback logic, you can OR it as follows: System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12 | System.Net.SecurityProtocolType.Tls11 | System.Net.SecurityProtocolType.Tls | System.Net.SecurityProtocolType.Ssl3;
It is probably best to have one custom behavior for TLS 1.0 and one for TLS 1.2 so you are explicit and know what you use and it fails when something changes. Make sure to not mix the different WCF behaviors in the same host as ServicePointManager is a global process setting.

Personally I've used a configurable endpoint behaviour as detailed in "Salesforce disabling TLS 1.0 – How to get it working for API calls via BizTalk".

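As an added illustration of the custom endpoint behaviour the answer describes (example code written for this page, not the answerer's component, the linked blog post's code, or anything shipped with BizTalk): a WCF endpoint behavior plus the BehaviorExtensionElement that registers it for a WCF-Custom send port. The class names and the tlsVersion attribute are assumed; it sets the process-wide ServicePointManager.SecurityProtocol, so, as the quoted Microsoft answer says, ports using different settings must live in different hosts.

```csharp
using System;
using System.Configuration;
using System.Net;
using System.ServiceModel.Channels;
using System.ServiceModel.Configuration;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

// Endpoint behavior that pins the TLS version before the send port's first request.
// Hypothetical names: TlsVersionBehavior and the "tlsVersion" configuration attribute.
public sealed class TlsVersionBehavior : IEndpointBehavior
{
    private readonly SecurityProtocolType _protocol;

    public TlsVersionBehavior(SecurityProtocolType protocol) { _protocol = protocol; }

    // Maps a configured string such as "Tls12" (explicit, no fallback) or
    // "Tls12,Tls11,Tls" (OR-ed fallback list) onto the [Flags] enum.
    public static SecurityProtocolType Parse(string value)
    {
        return (SecurityProtocolType)Enum.Parse(typeof(SecurityProtocolType), value, true);
    }

    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime)
    {
        // ServicePointManager is global to the host process: every send port running in
        // this host instance shares it, so do not mix TLS 1.0 and TLS 1.2 behaviors in one host.
        ServicePointManager.SecurityProtocol = _protocol;
    }

    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection parameters) { }
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher dispatcher) { }
    public void Validate(ServiceEndpoint endpoint) { }
}

// Registers the behavior so it can be selected on the WCF-Custom send port's Behavior tab,
// with tlsVersion set per port (for example "Tls12" on the Salesforce port).
public sealed class TlsVersionBehaviorElement : BehaviorExtensionElement
{
    [ConfigurationProperty("tlsVersion", DefaultValue = "Tls12")]
    public string TlsVersion
    {
        get { return (string)base["tlsVersion"]; }
        set { base["tlsVersion"] = value; }
    }

    public override Type BehaviorType { get { return typeof(TlsVersionBehavior); } }

    protected override object CreateBehavior()
    {
        return new TlsVersionBehavior(TlsVersionBehavior.Parse(TlsVersion));
    }
}
```

The assembly must be signed, placed in the GAC, and the element added under system.serviceModel/extensions/behaviorExtensions in machine.config (both 32- and 64-bit) before the send port can see it.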