
TLS 1.2 and UseStrongCrypto


Applications built on .NET Framework 4.5 and earlier choose their TLS versions independently of the system-level Schannel settings, and by default they offer only the older protocols (SSL 3.0 and TLS 1.0) when acting as a client. Administrators often harden servers and workstations by disabling TLS 1.0. If the older protocols have been disabled on one end (client or server) but the other end can still only speak those protocols, the MFA client-to-server sync fails, because the two sides share no protocol version on which a secure connection can be established.

The following instructions, in the order they must be carried out, enable and enforce TLS 1.2 and UseStrongCrypto and disable TLS 1.0 and 1.1 on your MFA server.

⚠️ Backups

Before continuing, take a snapshot of the server, or back up the server's registry and the MFA Server Key. The registry changes below replace Schannel protocol settings, and a backup is the only quick way to roll them back if a dependent application stops connecting.

ℹ️ About UseStrongCrypto from Microsoft's Knowledge Base

The HKLM\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\VERSION\SchUseStrongCrypto registry key has a value of type DWORD. A value of 1 causes your app to use strong cryptography. The strong cryptography uses more secure network protocols (TLS 1.2 and TLS 1.1) and blocks protocols that aren't secure. A value of 0 disables strong cryptography. For more information, see documentation about the SCH_USE_STRONG_CRYPTO flag. This registry setting affects only outgoing client connections in your application.

If your app targets .NET Framework 4.6 or later versions, this key defaults to a value of 1. That's a secure default that we recommend. If your app targets .NET Framework 4.5.2 or earlier versions, the key defaults to 0. In that case, you should explicitly set its value to 1.

This key should only have a value of 0 if you need to connect to legacy services that don't support strong cryptography and can't be upgraded.

To read more, visit Microsoft's TLS KB article.

Download

TLS12_UseStrongCrypto.reg
The TLS1.2_UseStrongCrypto.reg file makes the following changes:

  • Disables IPv6
  • Disables SSLv2
  • Disables SSLv3
  • Disables TLS 1.0
  • Disables TLS 1.1
  • Enables TLS 1.2

Note: If your environment requires the lower protocols to stay enabled for any reason (e.g. other third-party applications on your end computers that still use them), edit the downloaded file and adjust the flags as necessary, or remove the registry keys that disable the lower protocols entirely. The IPv6 entry has nothing to do with TLS version negotiation; remove it as well if your network relies on IPv6.
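For administrators who prefer a script they can read and re-run over a downloaded .reg file, the following PowerShell reproduces the TLS-related changes listed above and then reads the resulting state back. It is an added example, not the vendor's TLS1.2_UseStrongCrypto.reg file, whose exact contents are not shown on this page. It assumes the standard Schannel and .NET registry locations (the protocol keys under SCHANNEL\Protocols, and SchUseStrongCrypto under the v4.0.30319 keys for both 64-bit and Wow6432Node), and it deliberately leaves IPv6 alone. Run it from an elevated PowerShell session.

```powershell
# Added example (not the vendor's .reg file): enforce TLS 1.2, disable SSL 2.0/3.0 and
# TLS 1.0/1.1 in Schannel, set SchUseStrongCrypto for .NET 4.x, then read the state back.
#Requires -RunAsAdministrator

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
# .NET 4.x keys (64-bit and 32-bit views). These paths are standard; the vendor file may touch others.
$DotNetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

# Desired state: protocol -> $true (enabled) / $false (disabled), matching the list above.
$ProtocolState = [ordered]@{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $false
    'TLS 1.2' = $true
}

function Set-SchannelProtocol {
    param([string]$Name, [bool]$Enabled)
    # Schannel keeps separate Client and Server subkeys per protocol version.
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $SchannelRoot "$Name\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 with DisabledByDefault=1 turns a version off; the inverse turns it on.
        Set-ItemProperty -Path $key -Name 'Enabled'           -Type DWord -Value ([int]$Enabled)
        Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Type DWord -Value ([int](-not $Enabled))
    }
}

function Set-DotNetStrongCrypto {
    foreach ($key in $DotNetKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # SchUseStrongCrypto=1 makes .NET 4.x clients offer TLS 1.1/1.2 instead of SSL 3.0/TLS 1.0 only.
        Set-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -Type DWord -Value 1
    }
}

function Get-SchannelState {
    # One row per protocol and side, so the result can be reviewed or exported before rebooting.
    foreach ($name in $ProtocolState.Keys) {
        foreach ($side in 'Client', 'Server') {
            $p = Get-ItemProperty -Path (Join-Path $SchannelRoot "$name\$side") -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $name
                Side              = $side
                Enabled           = $p.Enabled
                DisabledByDefault = $p.DisabledByDefault
            }
        }
    }
}

foreach ($entry in $ProtocolState.GetEnumerator()) {
    Set-SchannelProtocol -Name $entry.Key -Enabled $entry.Value
}
Set-DotNetStrongCrypto

Get-SchannelState | Format-Table -AutoSize
$DotNetKeys | ForEach-Object {
    Get-ItemProperty -Path $_ -Name SchUseStrongCrypto | Select-Object PSPath, SchUseStrongCrypto
}
Write-Host 'Schannel settings apply to new connections; restart the server so every service picks them up.'
```

To keep a protocol available for a third-party application, change its entry in $ProtocolState to $true (or delete the entry so the script does not touch that key at all). The read-back table is also a convenient thing to capture before and after the change, since it shows exactly which Client and Server subkeys were altered.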


Updating the MFA Server

The MFA SQL database requires an additional record for TLS 1.2 in the Settings table. This record tells the MFA server software that it is using TLS 1.2.

Update SQL Database Settings Table

  1. Log in to your SQL database with your SQL management software.
  2. Use the following INSERT query to add the necessary values into the dbo.Settings table.
    USE [your database name]
    INSERT INTO Settings
    VALUES ('UseTLS12','True',1);
    
    • Note: This record can also be added manually with the "Edit Top 200 Rows" option. The single quotes (') are not needed when entering the values there. Run the INSERT only once; if a UseTLS12 row already exists, edit it rather than inserting a second one.

Update MFA Server Registry Settings

  1. Create a backup of your server's registry settings or take a snapshot of the server.
  2. Merge the TLS1.2_UseStrongCrypto.reg file (double-click it, or run reg import from an elevated command prompt).
  3. Restart the server.

Updating the MFA Clients

The computers running the MFA Client must then be configured with matching protocols. To move your clients to TLS 1.2 as well, merge the same TLS1.2_UseStrongCrypto.reg file on each client computer and restart it afterwards.

Note: If your clients have other third-party applications installed that still use the older protocols, edit the registry file and adjust the flags as necessary, or remove the registry keys that disable the lower protocols entirely.
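After the server and clients have been restarted, the quickest way to confirm that the two ends actually agree on TLS 1.2 is to attempt a handshake for each version from a client machine. The following PowerShell does that with .NET's SslStream. It is an added example, not part of this page's procedure or of the MFA product: the hostname and port are placeholders, and the port the MFA server listens on is an assumption you must replace with your own. The certificate validation callback accepts any certificate on purpose, so that an untrusted certificate does not get mistaken for a protocol-version failure; this is a protocol probe, not a trust check.

```powershell
# Added example (not part of the vendor procedure): probe which TLS versions an MFA server accepts.
param(
    [string]$Server = 'mfa.example.local',   # placeholder hostname, replace with your MFA server
    [int]$Port      = 443                    # assumed port, replace with the MFA server's listener
)

function Test-TlsHandshake {
    param(
        [string]$Server,
        [int]$Port,
        # None means "do not force a version": use this machine's .NET/Schannel defaults.
        [System.Security.Authentication.SslProtocols]$Protocol = 'None'
    )
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
        # Callback returns $true: accept any certificate so only the version negotiation is tested.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        if ($Protocol -eq 'None') {
            $ssl.AuthenticateAsClient($Server)
        } else {
            # Force exactly one version; failure here means the server (or local Schannel) refuses it.
            $ssl.AuthenticateAsClient($Server, $null, $Protocol, $false)
        }
        [pscustomobject]@{
            Requested  = $Protocol
            Result     = 'OK'
            Negotiated = $ssl.SslProtocol
            Detail     = $ssl.CipherAlgorithm
        }
    } catch {
        [pscustomobject]@{
            Requested  = $Protocol
            Result     = 'FAILED'
            Negotiated = $null
            Detail     = $_.Exception.GetBaseException().Message
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Dispose() }
    }
}

# Forced TLS 1.0, 1.1 and 1.2, then the client's own default choice.
$results = @(
    foreach ($p in 'Tls', 'Tls11', 'Tls12') {
        Test-TlsHandshake -Server $Server -Port $Port -Protocol ([System.Security.Authentication.SslProtocols]$p)
    }
    Test-TlsHandshake -Server $Server -Port $Port
)
$results | Format-Table -AutoSize
# Expected once this page's changes are in place on both ends:
#   Tls and Tls11 FAILED, Tls12 OK, and the default (None) probe negotiating Tls12.
```

Read the results with the client's own state in mind. A failure for Tls or Tls11 from a client on which the same .reg file has already been merged may be the client's Schannel refusing the version rather than the server's, so to probe the server alone run the script from a machine whose client-side protocols are still enabled. The last row, the default probe, is the one that reflects SchUseStrongCrypto and the .NET version of the PowerShell host: if it negotiates only TLS 1.0 while the forced Tls12 probe succeeds, the server is fine and the client side still needs the registry change and a restart.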