I have deployed an Azure function app. While using the command `Connect-AzureAD` in one of the functions, it throws the error "You are using TLS version 1.0, 1.1 and/or 3DES cipher which are deprecated to improve the security posture of Azure AD".

Though the function app:

  • has a minimum TLS version of 1.2
  • runs on .NET Framework 4.8.x
  • the other services (storage account etc.) associated with the function app use a minimum TLS version of 1.2.

Function App details

Function runtime: PowerShell

Runtime version: 3.8.2.0

Any help regarding this issue would be helpful

  • https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/enable-support-tls-environment?tabs=azure-monitor – kavyaS Jul 27 '22 at 05:42
  • 1
    Could you try adding this commad before the `Connect-AzureAD` command: `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` – Thomas Jul 27 '22 at 05:55
  • Hi @Thomas, Thank you that command worked. Can you let me know what was the logic behind adding this command. And also it would be helpful if I can get any documentation regarding this for reference. Thanks – Ananda Bhavani Gedela Jul 27 '22 at 07:45
  • You can check this article: https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls#if-your-app-targets-net-framework-47-or-later-versions. I imagine the default value is not tls1.2 at the server level so you have to manually add that. – Thomas Jul 27 '22 at 08:01
  • There are some post related to that: https://stackoverflow.com/questions/36265534/invoke-webrequest-ssl-fails – Thomas Jul 27 '22 at 08:01
  • @AnandaBhavaniGedela where are you running this code? The only way to get such an error is to run on an unsupported and unpatched OS, eg Windows 7 or old versions of Windows Server. All supported OS versions use TLS1.2. If your *Azure Function* is trying to use anything less than TLS1.2, it's an infrastructure bug that should be fixed by Azure Support. Hard-coding the TLS version *prevents* you from using better algorithms like TLS1.3 found on Windows 11 and ... the Linux distros used to run many Azure services – Panagiotis Kanavos Jul 27 '22 at 08:37
  • @PanagiotisKanavos I am running this code in the Azure Functions environment provided when deploying the Azure function app. The OS version it provides is: Microsoft Windows NT 10.0.14393.0 – Ananda Bhavani Gedela Jul 27 '22 at 10:35
  • Using what settings? According to [this similar question](https://learn.microsoft.com/en-us/answers/questions/938474/tls-verion-error-in-azure-function.html) the TLS version is a configurable setting. – Panagiotis Kanavos Jul 27 '22 at 10:36
  • Yes, I had configured to TLS1.2 – Ananda Bhavani Gedela Jul 27 '22 at 12:26

3 Answers

Got this error as well; the weird part was that when running the command `[Net.ServicePointManager]::SecurityProtocol` it looked like I was using Tls12.

Error:

Error Acquiring Token: AADSTS1002016: You are using TLS version 1.0, 1.1 and/or 3DES cipher which are deprecated to improve the security posture of Azure AD. Your TenantID is: 00000000-0000-0000-0000-000000000000. Please refer to https://go.microsoft.com/fwlink/?linkid=2161187 and conduct needed actions to remediate the issue. For further questions, please contact your administrator

Got it working by first setting TLS to 1.3 like this:

```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls13
```

This gave me an exception when trying to connect.

Then I used the command below to set it back to Tls12, and then everything worked:

```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
```

Ogglas
Upgrading the `httpRuntime` `targetFramework` attribute in the web.config from 4.5.2 to 4.8 solved it for me.

benjaminoerskov


From the Kudu console, you could check the existing SecurityProtocol:

```powershell
PS C:\home> [Net.ServicePointManager]::SecurityProtocol
[Net.ServicePointManager]::SecurityProtocol
Ssl3, Tls
```

From the documentation:

ServicePointManager, using .NET Framework 4.7 and later versions, will use the default security protocol configured in the OS. To get the default OS choice, if possible, don't set a value for the ServicePointManager.SecurityProtocol property, which defaults to SecurityProtocolType.SystemDefault.

Because the SecurityProtocolType.SystemDefault setting causes the ServicePointManager to use the default security protocol configured by the operating system, your application may run differently based on the OS it's run on. For example, Windows 7 SP1 uses TLS 1.0 while Windows 8 and Windows 10 use TLS 1.2.

According to the documentation, you could try setting the security protocol to the system default by adding this command at the beginning of your script:

```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::SystemDefault
```

Alternatively, if that does not work, you could force a specific version:

```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls13
```

Thomas
  • This doesn't "force" the use of TLS1.2, it *prevents* the use of TLS1.3 or better. That's what the quote you included says. It says that in all *supported* OSs TLS1.2 will be the default – Panagiotis Kanavos Jul 27 '22 at 08:34
  • An Azure Function trying to use a deprecated algorithm is an infrastructure bug that should be fixed by Azure Support. Downgrading security isn't a solution. – Panagiotis Kanavos Jul 27 '22 at 08:38
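A defender-oriented way to apply this answer and the comments on it, added here as an example that is not part of any of the original answers: inspect what the process will actually allow (the "Ssl3, Tls" seen in Kudu is the pre-4.7 default that the `targetFramework` answer above fixes), and if a change is needed, enable TLS 1.2 and TLS 1.3 together, since `SecurityProtocolType` is a flags enum, rather than pinning 1.2 alone, which is the downgrade concern raised in the comments. The function names `Get-EffectiveSecurityProtocol` and `Set-ModernSecurityProtocol` are my own, and the snippet assumes a .NET Framework 4.8 host like the function app in the question, placed at the top of the function script before `Connect-AzureAD`.

```powershell
# Added example (not from the original answers). Assumes Windows PowerShell on
# .NET Framework 4.8, where [Net.SecurityProtocolType]::Tls13 exists.

function Get-EffectiveSecurityProtocol {
    # SecurityProtocolType is a [Flags] enum; SystemDefault (0) means "let SChannel decide".
    $current = [Net.ServicePointManager]::SecurityProtocol
    $legacy  = [Net.SecurityProtocolType]::Ssl3 -bor
               [Net.SecurityProtocolType]::Tls  -bor
               [Net.SecurityProtocolType]::Tls11
    [pscustomobject]@{
        Raw           = $current
        SystemDefault = ($current -eq [Net.SecurityProtocolType]::SystemDefault)
        AllowsTls12   = (($current -band [Net.SecurityProtocolType]::Tls12) -ne 0)
        AllowsLegacy  = (($current -band $legacy) -ne 0)   # SSL3 / TLS 1.0 / TLS 1.1 still enabled
    }
}

function Set-ModernSecurityProtocol {
    # Allow TLS 1.2 always, and TLS 1.3 when this runtime knows the enum value,
    # so the process can still negotiate 1.3 where the OS offers it.
    $allowed = [Net.SecurityProtocolType]::Tls12
    if ([Enum]::GetNames([Net.SecurityProtocolType]) -contains 'Tls13') {
        $allowed = $allowed -bor [Net.SecurityProtocolType]::Tls13
    }
    # This is a process-wide setting, so do it once, before any HTTPS call.
    [Net.ServicePointManager]::SecurityProtocol = $allowed
    return $allowed
}

$before = Get-EffectiveSecurityProtocol
Write-Host "Before: $($before.Raw) (legacy allowed: $($before.AllowsLegacy))"

# Only intervene when the process would otherwise offer deprecated protocols or
# would not offer TLS 1.2; with SystemDefault the OS policy is already in charge.
if ($before.AllowsLegacy -or (-not $before.SystemDefault -and -not $before.AllowsTls12)) {
    $after = Set-ModernSecurityProtocol
    Write-Host "After:  $after"
}

# Now the sign-in from the question runs against a process that no longer offers
# SSL3 / TLS 1.0 / TLS 1.1 to Azure AD.
Connect-AzureAD
```

If the check reports `SystemDefault` on a patched Windows Server host and the AADSTS1002016 error still appears, that points at the host or runtime configuration (the `targetFramework` fix or Azure support, as the comments say) rather than at the script.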