AWS/Azure/OpenShift/Kubernetes

Unable to install Azure AD Connect, TLS 1.2 is required: How to enable or disable TLS 1.2 on a Windows Server via the Registry and PowerShell

TLS1.2

Transport Layer Security (TLS) is a protocol that provides communications over a computer network, typically between a website and a browser. for your information. The primary goal of TLS is to provide a secure channel between two communicating peers and the only requirement from the underlying transport is a reliable, in-order data stream. Specifically, the secure channel should provide the following properties: Authentication: The server side of the channel is always authenticated; the client side is optionally authenticated. Authentication can happen via asymmetric cryptography (e.g., RSA [RSA], the Elliptic Curve Digital Signature Algorithm (ECDSA) [ECDSA], or the Edwards-Curve Digital Signature Algorithm (EdDSA) [RFC8032]) or a symmetric pre-shared key (PSK). Confidentiality: Data sent over the channel after establishment is only visible to the endpoints. TLS does not hide the length of the data it transmits, though endpoints are able to pad TLS records in order to obscure lengths and improve protection against traffic analysis techniques. Integrity: Data sent over the channel after establishment cannot be modified by attackers without detection. See the following articles for Azure AD Pass-Through Authentication with on-Premise AD, reasons to deploy AAD, and how to set up an Azure AD Tenant. Also, see the following article on how to add a custom domain in the Azure Active directory.

What are the Main Differences between TLS 1.2 vs TLS 1.3? TLS 1.3 offers several improvements over earlier versions, most notably a faster TLS handshake and simpler, more secure cipher suites. Zero Round-Trip Time (0-RTT) key exchanges further streamline the TLS handshake. Together, these changes provide better performance and stronger security.

TLS 1.0 and its deprecated predecessor, SSL are vulnerable to some well-known security issues such as POODLE and BEAST attacks. According to NIST, these vulnerabilities cannot be fixed or patched, therefore all organisations using these protocols SHOULD upgrade their systems. Azure Active Directory has deprecated the following protocols in Azure Active Directory worldwide regions on June 30, 2021: TLS 1.0, TLS 1.1, and 3DES cipher suite.
Differences between TLS 1.2 and TLS 1.3 Full Handshake
src: a10networks

The following error below will be prompted when you wish to install Azure AD Connect in order to synchronize your on-premises AD with Azure AD if you do not have TLS 1.2 enabled at the time of writing this article.
– Note: Other prerequisites have to be met as described in this link.

TLSrequired

Part A: The Windows server that hosts the Azure AD Connect cloud provisioning agent must have TLS 1.2 enabled before you install it. To enable TLS 1.2, follow these steps. Changing the TLS setting will affect the entire forest.
Solution 1 – Via PowerShell: You can use the following PowerShell script to enable TLS 1.2 on your Azure AD Connect server.

New-Item 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -name 'SystemDefaultTlsVersions' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -name 'SchUseStrongCrypto' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-Item 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -name 'SystemDefaultTlsVersions' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -name 'SchUseStrongCrypto' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
    
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null
    
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
    
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
    
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null
    
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.2 has been enabled.'

Create a text file and save it with a name of your choice with the “.ps1” extension as shown below.

Screenshot-2021-08-09-at-23.17.43

When you are done creating the script, navigate to the directory where the file was saved and run the PowerShell script as shown below.
– We have successfully enabled TLS 1.2 on the server.

Screenshot-2021-08-09-at-23.23.40

Solution 2: To force the Azure AD Connect server to only use TLS 1.2, the Windows server registry must be updated. Set the following registry keys on the Azure AD Connect server. Here is a similar guide on “how to target WSUS clients with the registry keys“.
– Set the following registry keys by launching regedit.exe. You may want to see this guide for the needed steps to launch the registry.

HKEY_LOCAL_MACHINE \ SOFTWARE \ WOW6432Node \ Microsoft \ .NETFramework \ v4.0.30319]
"SystemDefaultTlsVersions" = dword: 00000001
"SchUseStrongCrypto" = dword: 0000001
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ .NETFramework \ v4.0.30319]
"SystemDefaultTlsVersions" = dword: 00000001
"SchUseStrongCrypto" = dword: 00000001
[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SecurityProviders \ SCHANNEL \ Protocols \ TLS 1.2 \ Server]
"Enabled" = dword: 00000001
[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SecurityProviders \ SCHANNEL \ Protocols \ TLS 1.2 \ Server]
"DisabledByDefault" = dword: 00000000
[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SecurityProviders \ SCHANNEL \ Protocols \ TLS 1.2 \ Client]
"Enabled" = dword: 00000001
[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SecurityProviders \ SCHANNEL \ Protocols \ TLS 1.2 \ Client]
"DisabledByDefault" = dword: 00000000

Create a text file and save it with a name of your choice with the “.reg” extension as shown below.

Screenshot-2021-08-09-at-23.53.02

When you are done creating the script, navigate to the directory where the file was saved and double click on it.

Screenshot-2021-08-09-at-23.32.39

As you can see, TLS 1.2 is enabled via the registry.

Screenshot-2021-08-09-at-23.51.21

Part B – Disable TLS settings using Registry Editor: Open Run command by pressing Windows + R and type Regedit and hit enter. Navigate to the following path. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.
– Once you followed the path you can see Three or maybe four folders under Protocols, TLS1.0, TLS1.1, TLS1.2, If you expand these folders you can see the client and server folder.
– If you want to disable TLS1.0 expand the TLS1.0 and click on the client folder from the right-hand side you can see two D-Word values DisabledByDefault and Enabled. To enable or disable this TLS right click on the D-Word value and modify it.

Alternatively, you can also use the script to disabling TLS 1.2 as shown below.

Via the Registry – Disable TLS 1.2: Run the following keys

[HKEY_LOCAL_MACHINE \ SOFTWARE \ WOW6432Node \ Microsoft \ .NETFramework \ v4.0.30319]
"SystemDefaultTlsVersions" = dword: 00000000
"SchUseStrongCrypto" = dword: 0000000
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ .NETFramework \ v4.0.30319]
"SystemDefaultTlsVersions" = dword: 00000000
"SchUseStrongCrypto" = dword: 00000000
[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SecurityProviders \ SCHANNEL \ Protocols \ TLS 1.2 \ Server]
"Enabled" = dword: 00000000
[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SecurityProviders \ SCHANNEL \ Protocols \ TLS 1.2 \ Server]
"DisabledByDefault" = dword: 00000001
[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SecurityProviders \ SCHANNEL \ Protocols \ TLS 1.2 \ Client]
"Enabled" = dword: 00000000
[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SecurityProviders \ SCHANNEL \ Protocols \ TLS 1.2 \ Client]
"DisabledByDefault" = dword: 00000001

Via the PowerShell – Disable TLS 1.2: Run the following commands

New-Item 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -name 'SystemDefaultTlsVersions' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -name 'SchUseStrongCrypto' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-Item 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -name 'SystemDefaultTlsVersions' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -name 'SchUseStrongCrypto' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
    
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
    
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
    
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
    
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
    
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.2 has been disabled.'

I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x