Enforcing UseStrongCrypto & TLS 1.2
19 Oct 2023


Article summary

Versions of .NET 4.5 and older have TLS configurations independent of the system-level TLS settings. Administrators will often secure servers and workstations by disabling the older TLS 1.0 protocol. If the lower protocols have been disabled on either the clients or the server, a client-to-server sync will fail, because the two sides no longer share a protocol on which a secure connection can be established.

The following are instructions, in the necessary order, for enabling and enforcing TLS 1.2 and UseStrongCrypto, and disabling TLS 1.0 and 1.1 on your MFA server.

Backups

Before continuing, please take a backup of your server with a snapshot, or a backup of the server's registry and MFA Server Key.

About UseStrongCrypto (from Microsoft's knowledge base)

The HKLM\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\<VERSION>: SchUseStrongCrypto registry key has a value of type DWORD. A value of 1 causes your app to use strong cryptography. The strong cryptography uses more secure network protocols (TLS 1.2 and TLS 1.1) and blocks protocols that aren't secure. A value of 0 disables strong cryptography. For more information, see documentation about the SCH_USE_STRONG_CRYPTO flag. This registry setting affects only outgoing client connections in your application.

If your app targets .NET Framework 4.6 or later versions, this key defaults to a value of 1. That's a secure default that we recommend. If your app targets .NET Framework 4.5.2 or earlier versions, the key defaults to 0. In that case, you should explicitly set its value to 1.

This key should only have a value of 0 if you need to connect to legacy services that don't support strong cryptography and can't be upgraded.

To read more, visit Microsoft's TLS KB article.


1. Changes To The Clients

Run useStrongCrypto.reg on all of your MFA clients. It sets the 'SchUseStrongCrypto' registry value under both the 64-bit and the 32-bit (Wow6432Node) .NET Framework keys, covering all versions of .NET 4.5 and below.

UseStrongCrypto Download

2. Changes To The MFA Database

Update the dbo.Settings table in the database by adding the "UseTLS12" key to the table.

-- If your database name is different from 'ONE', update this query before running it.
USE [ONE]
INSERT INTO Settings
VALUES ('UseTLS12','True',1);

3. Changes To The MFA Server

TLS1.2 + UseStrongCrypto Download

The TLS1.2 + UseStrongCrypto registry file makes the following changes:

  • Disables IPv6
  • Disables SSLv2
  • Disables SSLv3
  • Disables TLS 1.0
  • Disables TLS 1.1

If your environment requires the lower protocols to stay intact for any reason, edit the downloaded file and adjust the flags as necessary, or remove the registry keys that disable the lower protocols entirely.

*A restart of the application server will be required for the changes to fully take effect.
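The following PowerShell script is an added example and is not the article's useStrongCrypto.reg or TLS1.2 + UseStrongCrypto download; it makes the same kind of registry changes as steps 1 and 3 and, more usefully, audits them so you can confirm the state of a client or the server before and after the change. The .NET Framework and SCHANNEL key paths are the standard Windows locations; the CLR version list, the function names, the explicit TLS 1.2 enable and the choice to set both the Server and Client SCHANNEL subkeys are this example's own assumptions. IPv6 is deliberately left alone.

```powershell
# Added example (not the article's .reg files): apply and audit the registry
# settings behind steps 1 and 3. Run in an elevated PowerShell session.

$ErrorActionPreference = 'Stop'

# CLR versions whose .NET Framework key reads SchUseStrongCrypto
# (v4.0.30319 for .NET 4.x, v2.0.50727 for .NET 2.0/3.5). Assumed list.
$ClrVersions = @('v4.0.30319', 'v2.0.50727')

$DotNetRoots = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework',              # 64-bit view
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'   # 32-bit view on 64-bit Windows
)

$SchannelBase    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$LegacyProtocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1')

function Set-DwordValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Get-DwordValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent
    return $item.$Name
}

# Step 1 (clients): SchUseStrongCrypto = 1 under both registry views, so that
# 32-bit and 64-bit .NET processes alike negotiate TLS 1.2.
function Enable-StrongCrypto {
    foreach ($root in $DotNetRoots) {
        foreach ($v in $ClrVersions) {
            Set-DwordValue -Path "$root\$v" -Name 'SchUseStrongCrypto' -Value 1
        }
    }
}

# Step 3 (server): disable the legacy protocols and explicitly enable TLS 1.2.
# Enabled=0 together with DisabledByDefault=1 is how SCHANNEL disables a protocol.
# Setting the Client subkey as well (an assumption here) also restricts the
# server's own outbound connections.
function Disable-LegacyProtocols {
    foreach ($p in $LegacyProtocols) {
        foreach ($side in 'Server', 'Client') {
            Set-DwordValue -Path "$SchannelBase\$p\$side" -Name 'Enabled' -Value 0
            Set-DwordValue -Path "$SchannelBase\$p\$side" -Name 'DisabledByDefault' -Value 1
        }
    }
    foreach ($side in 'Server', 'Client') {
        Set-DwordValue -Path "$SchannelBase\TLS 1.2\$side" -Name 'Enabled' -Value 1
        Set-DwordValue -Path "$SchannelBase\TLS 1.2\$side" -Name 'DisabledByDefault' -Value 0
    }
}

# Audit: report every value the two steps touch. A $null value means the key or
# value does not exist, i.e. the Windows default applies on that host.
function Get-TlsHardeningState {
    foreach ($root in $DotNetRoots) {
        foreach ($v in $ClrVersions) {
            [pscustomobject]@{
                Setting = 'SchUseStrongCrypto'
                Path    = "$root\$v"
                Value   = Get-DwordValue -Path "$root\$v" -Name 'SchUseStrongCrypto'
            }
        }
    }
    foreach ($p in ($LegacyProtocols + 'TLS 1.2')) {
        foreach ($side in 'Server', 'Client') {
            $path = "$SchannelBase\$p\$side"
            [pscustomobject]@{
                Setting = "$p $side"
                Path    = $path
                Value   = "Enabled=$(Get-DwordValue -Path $path -Name 'Enabled'); DisabledByDefault=$(Get-DwordValue -Path $path -Name 'DisabledByDefault')"
            }
        }
    }
}

# Usage: audit first, apply the step that matches this host's role, then reboot.
Get-TlsHardeningState | Format-Table -AutoSize
# Enable-StrongCrypto        # on each MFA client (step 1)
# Disable-LegacyProtocols    # on the MFA server (step 3), followed by Restart-Computer
```

Run the audit on a client and on the server before changing anything and keep the output with your backup; after the restart, run it again and check that every SchUseStrongCrypto value reads 1 on the clients and that only TLS 1.2 shows Enabled=1 on the server. If a sync still fails afterwards, the audit output from both sides is the fastest way to see which host still lacks a shared protocol.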


Was this article helpful?