
This is resulting from an outbound connection to Equifax's new TLS 1.2-enabled URL.

Background: Servers: Windows 2012 R2, .NET 4.6.2, all TLS 1.x enabled in Test, Stage and Production tiers per this. IIS configurations match between servers (app pools/code, except tier-specific configurations/IIS settings).

Servers are load balanced via Citrix Netscaler, but this site uses Port 80/HTTP, no HTTPS configuration.

Both tiers use the same Equifax URL, but with tier-specific credentials.

The Situation: Prod will not communicate with their site, we get the opening error.

Our stage environment has no problem communicating.

What we have done:

  - Validated TLS reg settings match
  - Swapped the prod web.config to the Stage server and the communication worked, so it seems unlikely that it is a web.config issue in production.
  - Validated .NET versions
  - Checked LSA FIPS reg setting (set to 0)
  - Checked for wonky updates known to cause issues

We are going to setup a network trace, but for the moment we are at a bit of a loss. I would appreciate any insights as to what I might be missing.

  • I think it has to be some issue on the Production server. Check this thread as it may be helpful https://social.technet.microsoft.com/Forums/ie/en-US/5a67654d-a146-4c8c-a94a-f6766c7835e5/the-tls-protocol-defined-fatal-error-code-is-40-the-windows-schannel-error-state-is-808?forum=winserver8gen – Mohsin Mehmood May 25 '18 at 18:05
  • Before network trace is collected and analyzed, I suggest no guess and no waste of your time. – Lex Li May 25 '18 at 18:23
  • @MohsinMehmood Already checked that and a number of other documents. I suspect the trace we are doing today is the only way I am going to figure out what the issue is. I'll post results and a resolution if I find one. – Chris Wright May 29 '18 at 14:12
  • I can confirm from the trace that for some reason the stage server is defaulting to TLS 1.2, whereas the Prod server is defaulting to TLS 1.0. Anyone hear of this? – Chris Wright May 29 '18 at 14:54
  • @ChrisWright I suggest you install https://www.nartac.com/Products/IISCrypto tool for checking and enabling/disabling TLS protocols – Mohsin Mehmood May 29 '18 at 15:34
  • @MohsinMehmood Thanks, it is nice and easier, but it still shows both my Prod and Stage servers are configured exactly the same. Is it possible that Windows 2012R2 would not be defaulting to use the highest security level available for some reason? That seems to be the issue. – Chris Wright May 29 '18 at 15:50
  • @all Asking the devs to add explicit reference to their .NET version in the new code to force TLS 1.2, or rather, to use the highest TLS version available first. https://stackoverflow.com/questions/45382254/update-net-web-service-to-use-tls-1-2 and https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls. We'll see if this works. – Chris Wright May 29 '18 at 16:03
  • We found the fix, it was mostly code and config changes for the devs. 1. Added the specification of using 4.6 per Microsoft recommendations. 2. Updated some other .NET references in the web.config to point specifically to .NET 4.6.2 repository. 3. Developer made some changes in some older code pieces to make them 4.6.2-compliant. – Chris Wright May 29 '18 at 18:55

1 Answer


Developers had to do the following:

  1. Added the specification of using 4.6 per Microsoft recommendations.
  2. Updated some other .NET references in the web.config to point specifically to 4.6.2
  3. They made some changes in some older code pieces to make them 4.6.2-compliant.
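The two settings the thread converges on (the `httpRuntime targetFramework` in web.config and the .NET `SchUseStrongCrypto` registry switch) decide which protocols a .NET 4.6.x client offers by default. The following PowerShell check is an added example, not code from the question or answer; the web.config path is a placeholder, and the decision rules follow Microsoft's .NET Framework TLS guidance for a 4.6.2 runtime. Run it on each tier (Prod and Stage) and compare the output.

```powershell
# Added example: report whether a .NET 4.6.x web app will offer TLS 1.2 by default.
# Assumptions: placeholder web.config path; .NET 4.6.2 runtime installed as on the servers here.
param(
    [string]$WebConfig = 'C:\inetpub\wwwroot\ExampleApp\web.config'  # placeholder path
)

function Get-DotNetTlsSwitches {
    # Both hives matter: a 32-bit app pool reads the Wow6432Node copy.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    foreach ($k in $keys) {
        $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Hive                     = $k
            SchUseStrongCrypto       = $p.SchUseStrongCrypto
            SystemDefaultTlsVersions = $p.SystemDefaultTlsVersions
        }
    }
}

function Get-HttpRuntimeTarget([string]$Path) {
    # Returns the targetFramework attribute of <system.web><httpRuntime>, or $null
    # when absent. Without it the app keeps the pre-4.6 "quirks" behaviour.
    if (-not (Test-Path $Path)) { return $null }
    $xml  = [xml](Get-Content -Raw $Path)
    $node = $xml.configuration.'system.web'.httpRuntime
    if ($node -and $node.targetFramework) { [version]$node.targetFramework } else { $null }
}

$target   = Get-HttpRuntimeTarget $WebConfig
$switches = Get-DotNetTlsSwitches
# Strong crypto must be forced in both hives to cover 32-bit and 64-bit app pools.
$strong   = ($switches | Where-Object { $_.SchUseStrongCrypto -eq 1 }).Count -eq 2

if ($null -ne $target -and $target -ge [version]'4.6') {
    "httpRuntime targetFramework=$target : strong crypto on by default, TLS 1.0/1.1/1.2 offered."
} elseif ($strong) {
    "targetFramework missing or below 4.6, but SchUseStrongCrypto=1 in both hives: TLS 1.0/1.1/1.2 offered."
} else {
    "targetFramework missing or below 4.6 and SchUseStrongCrypto not set: client offers SSL 3.0/TLS 1.0 only."
}
$switches | Format-Table -AutoSize
```

A Stage server that reports the first or second line and a Prod server that reports the third reproduces the symptom seen in the trace (Stage negotiating TLS 1.2, Prod falling back to TLS 1.0) even though the Schannel protocol settings match.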