We recently made the registry changes to force our system to only use TLS 1.1 and 1.2 and disable anything TLS 1.0 and lower. Most of our services are fine after the change except TFS 2013 and I can't find the fix for it. The web application is available over https but developers are having check-in issues from Visual Studio 2017. The build attempt goes into the queue and then fails after running for a few minutes. What's even weirder is I am having TFS admin console issues as well. Even though the web application is available in the admin console I get errors and am unable to open "Group Membership", "Administer Security", or test URLs under "Change URLs".

The server certs and IIS bindings are all configured properly for TLS 1.1+ (as I said, the web application is accessible) and I'm certain the registry changes to enable TLS 1.1+ and disable all others are the cause because rolling back the changes removed all issues.

Anyone have any idea what is going on here and how to fix it?

Tony

1 Answer

I had the same issue today. Please see http://www.diaryofaninja.com/blog/2016/02/28/pci-compliant-web-deploy-getting-webdeploy-working-after-disabling-insecure-ciphers-like-ssl-30-and-tls-10

This solved the problem for us.

In case the above link becomes broken in the future, here is the solution:

.NET has a setting called “useStrongCrypto” that allows the client PC to use TLS 1.1 and higher. By default it is not turned on. In order to force .NET to use this feature 2 or more registry edits are required. These keys likely won't exist, so they will need to be added, or if they exist they will have a value of 0.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto = 00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto = 00000001

There may be several keys under the second one's .NETFramework, depending on which versions of .NET are installed. It is a good idea to add the SchUseStrongCrypto under each of them to avoid issues in the future. If/when a new version of .NET is installed this may have to be done again.

Dave M
poggialb
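
An added example, not part of the original answer: a PowerShell function that applies the registry change described above to every .NET Framework version key, in both the 64-bit and the Wow6432Node view, and reports which keys already had the value. The function name Set-NetStrongCrypto is hypothetical; run it from an elevated prompt, with -WhatIf to preview.

```powershell
# Added example. Set-NetStrongCrypto is a hypothetical name, not a built-in cmdlet.
function Set-NetStrongCrypto {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # The two parent keys named in the answer (64-bit view and 32-bit view).
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'
    )

    foreach ($root in $roots) {
        # Wow6432Node does not exist on 32-bit Windows; skip missing roots.
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # Version subkeys are named like v2.0.50727 or v4.0.30319;
        # other subkeys under .NETFramework are left alone.
        Get-ChildItem -LiteralPath $root |
            Where-Object { $_.PSChildName -match '^v\d+(\.\d+)+$' } |
            ForEach-Object {
                $path = $_.PSPath

                # Read the current value; $null when the value does not exist yet.
                $current = (Get-ItemProperty -LiteralPath $path `
                    -Name SchUseStrongCrypto `
                    -ErrorAction SilentlyContinue).SchUseStrongCrypto

                if ($current -eq 1) {
                    Write-Output "OK       $($_.Name)"
                }
                elseif ($PSCmdlet.ShouldProcess($_.Name, 'Set SchUseStrongCrypto = 1')) {
                    # -Force creates the value or overwrites an existing 0.
                    New-ItemProperty -LiteralPath $path -Name SchUseStrongCrypto `
                        -PropertyType DWord -Value 1 -Force | Out-Null
                    Write-Output "UPDATED  $($_.Name)"
                }
            }
    }
}

# Preview first, then apply:
#   Set-NetStrongCrypto -WhatIf
#   Set-NetStrongCrypto
```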