agradmin

TLS connection troubleshooting

Following migration we are having an issue connecting to a TLS1.2 server from a Dynamics Ax12 client on a Windows 10 PC. Up to migration the Dynamics Ax09 client worked fine, connecting from the SAME client to the SAME target.

I am seeing a lot of Schannel errors in the event log, but I am unsure if these are a red herring as they go back to before migration.

I have turned up Schannel logging and am seeing informational events similar to below in the logs. I have tested https connections from Edge browser to common sites and that works fine.

I need a solution to this FAST. Does anyone have any solid experience that might point us in the right direction?
--------------------------------------------
The description for Event ID 36880 from source Schannel cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

client
TLS 1.2
49199
255
2408782208416
settings-win.data.microsoft.com
C=US, S=WA, L=Redmond, O=Microsoft, OU=WSE, CN=settings-win.data.microsoft.com

The handle is invalid
ASKER CERTIFIED SOLUTION
joinaunion
agradmin

ASKER

The .Net version in question is 4.7.

One key point may be that the Dynamics Ax09 client (the one that was working) was using .Net2.0. As this appears to be the only change in the system (i.e. no change to machine/target/TLS/code etc.) this may be relevant.

Are there settings in .Net that may be checked and might explain this?

On the client machine, is TLS 1.2 enabled?
https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls#configuring-security-via-the-windows-registry

Scroll down to TLS 1.2.
https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

In other words we just need to confirm it's enabled on the client machine. Reboot if any changes are made.

Yeah, TLS1.2 is configured, and is working with the earlier version of software.

Thanks for the help. It turns out that a step I thought had been completed had only been used on a second test machine, which was never able to connect.

After setting for Strong Cryptography (for .Net4, 32 bit app on 64 bit machine) as follows, we were able to connect - assuming the far end was set to block RC4:


[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

Thanks to all that assisted in this solution
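
The two values named in the last post can be audited in both registry views with a read-only check, which catches the case described in this thread where a 32-bit .NET 4 application on a 64-bit machine reads the WOW6432Node key. This is an added example, not part of the original thread; it assumes it is run from a 64-bit PowerShell session on 64-bit Windows and changes nothing.

```powershell
# Added example: read-only audit of the .NET Framework 4.x TLS opt-in values.
# A 32-bit process would see HKLM:\SOFTWARE redirected to WOW6432Node,
# so both rows would describe the same key. Refuse to run in that case.
if (-not [Environment]::Is64BitProcess) {
    throw 'Run this from a 64-bit PowerShell session so both registry views are visible.'
}

$views = [ordered]@{
    '64-bit apps'                = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    '32-bit apps (WOW6432Node)'  = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
}
$names = 'SchUseStrongCrypto', 'SystemDefaultTlsVersions'

$report = foreach ($view in $views.GetEnumerator()) {
    foreach ($name in $names) {
        $value = $null
        if (Test-Path -Path $view.Value) {
            # Returns nothing (no error) when the value does not exist.
            $item = Get-ItemProperty -Path $view.Value -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.$name }
        }
        $shown = '(not set)'
        if ($null -ne $value) { $shown = $value }

        [pscustomobject]@{
            View    = $view.Key
            Name    = $name
            Value   = $shown
            Enabled = ($value -eq 1)   # the thread's fix sets both values to dword 1
        }
    }
}

$report | Format-Table -AutoSize

# Call out any view where the opt-in is incomplete, e.g. set for 64-bit only.
$gaps = $report | Where-Object { -not $_.Enabled }
foreach ($gap in $gaps) {
    Write-Warning ("{0}: {1} is {2}" -f $gap.View, $gap.Name, $gap.Value)
}
if (-not $gaps) {
    Write-Output 'Both values are set to 1 in both registry views.'
}
```

Running it on each client makes it visible when the setting was applied to one machine, or one registry view, and not another.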