Configure TLS 1.2 on BizTalk Server

Microsoft has officially announced TLS 1.2 support in BizTalk Server 2016. The relevant statements from the official Microsoft page are quoted below for reference:

TLS 1.2 support

TLS 1.2 is fully supported in BizTalk Server, including all the adapters and all the accelerators. You can disable SSL, TLS 1.0, and TLS 1.1 on the BizTalk Server.

Key information:

  • Any external systems communicating with BizTalk also need to support TLS 1.2
  • Any custom code, such as functoids, may need to be updated to support TLS 1.2

The Microsoft article Description of the TLS/SSL protocol describes how to set up a TLS 1.2 environment.

Configure TLS on BizTalk Server 2013 or 2010

For older versions such as 2013 or 2010, using TLS 1.2 is not straightforward; some extra work is needed to enable it. Follow the steps below to enable TLS 1.2.

Typically you see errors like the ones below when BizTalk tries to connect to an external service that already requires TLS 1.2:

  • SSL Security error.
  • [DBNETLIB][ConnectionOpen (SECCreateCredentials()).]SSL Security error.
  • Could not create SSL/TLS secure channel.
  • The remote server returned an error: (403) Forbidden.

No need to worry 🙂 We now have a solution to enable TLS 1.2 on your BizTalk server.

Configure TLS on BizTalk Server 2010

Let's start with BizTalk 2010. BizTalk Server 2010 runs on .NET Framework 4.0, and that version of the Framework supports only SSL 3.0 and TLS 1.0. .NET Framework 4.5, however, does support TLS 1.1 and TLS 1.2. So Framework 4.5 must be installed on the BizTalk machine before a TLS 1.2 connection between the two systems can be established. Let's do it.

The installer for this version of the Framework can be downloaded from the Microsoft site:

https://www.microsoft.com/en-us/download/details.aspx?id=42642

That was the first step, but TLS 1.2 is not yet enabled. You now have to enable it by updating the registry. Let's see how to do this step by step.

Note: Before making any change to the registry, I strongly recommend taking a backup of it.

Create the keys below with the matching DWORD values:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

Now set .NET Framework 4.0 to use the latest SecurityProtocol version by creating the DWORDs below, for both 32- and 64-bit hosts.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

Reboot the BizTalk server in order for the changes to come into effect.

You are all set now. Test your connection; you can use Wireshark to check which protocol version is actually negotiated.
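As an added example (not the post's own code), the following PowerShell script writes the registry values from the steps above, reads them back so a missing or wrong DWORD is visible, and offers a handshake check that reports the protocol SChannel negotiates; the function names and the placeholder partner host are assumptions, and it must run from an elevated prompt.

```powershell
# Added example, not from the original post: writes the registry values the
# steps above describe, reads them back, and does a quick TLS 1.2 handshake test.
# Run from an elevated PowerShell prompt on the BizTalk host, then reboot.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$dotnet = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',             # 64-bit hosts
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'  # 32-bit hosts on x64
)

function Set-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Expected values: one entry per DWORD the post asks for.
$expected = foreach ($side in 'Client', 'Server') {
    @{ Path = "$schannel\$side"; Name = 'DisabledByDefault'; Want = 0 }
    @{ Path = "$schannel\$side"; Name = 'Enabled';           Want = 1 }
}
$expected += foreach ($p in $dotnet) { @{ Path = $p; Name = 'SchUseStrongCrypto'; Want = 1 } }

function Enable-Tls12ForBizTalk {
    foreach ($e in $expected) { Set-RegistryDword -Path $e.Path -Name $e.Name -Value $e.Want }
}

function Get-Tls12Status {
    # One row per value; a missing key shows Actual as empty and Ok as False.
    foreach ($e in $expected) {
        $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        [pscustomobject]@{ Path = $e.Path; Name = $e.Name; Expected = $e.Want; Actual = $actual; Ok = ($actual -eq $e.Want) }
    }
}

function Test-Tls12Handshake {
    # Negotiates TLS 1.2 only against a partner endpoint (placeholder host) and
    # reports the protocol SChannel actually used, a lighter check than Wireshark.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $ssl.SslProtocol   # Tls12 on success; the call throws if the peer refuses TLS 1.2
    } finally { $ssl.Dispose(); $tcp.Dispose() }
}

Enable-Tls12ForBizTalk
Get-Tls12Status | Format-Table -AutoSize
# After the reboot: Test-Tls12Handshake -HostName 'partner.example.com'
```

The handshake check exercises the same SChannel client settings BizTalk's adapters use, so a failure here points at the registry or the partner, not at BizTalk itself.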

Configure TLS on BizTalk Server 2013

BizTalk Server 2013/2013 R2 runs on .NET Framework 4.5.x, and that version of the Framework already supports TLS 1.2. So here only the registry configuration is needed: follow the registry steps above and you should be ready to go. Test again with the same application.

Summary

We have configured TLS 1.2 on BizTalk Server 2010 and BizTalk Server 2013. This resolves the TLS issues between BizTalk Server and other applications that require TLS 1.2.

3 thoughts on “Configure TLS 1.2 on BizTalk Server”

  • Since I have set the Registry keys and dwords and rebooted my test Server all Service Instances are stuck in Status dehydrated. Any ideas?

  • Thanks for reading this blog and asking a question here. Can you check in the event log why these instances are stuck or dehydrating? I am not sure this is because of TLS. But first check and let me know if you need any assistance.

  • Hi Kamlesh,
    Thanks for writing the steps for enabling support for TLS 1.2. I am using BizTalk 2016 with FP2 installed. Do I need to make any other changes to the BizTalk artifacts (port etc.) or registry to make sure that 1.2 works?
    I have a web service which will soon stop supporting TLS 1.0. I wanted to know if I should implement any custom behaviours to enforce 1.2 or whether it is negotiated by default by BizTalk 2016 FP2.
