BizTalk support for TLS 1.2

    Question

  • Dear MS Support Team,

    We would like to know if BizTalk supports TLS 1.2.

    Recently, for a request from a client, we had to disable TLS 1.0 on an environment which had BizTalk 2013, SQL 2012 and Windows 2012. However, once we did so, we noticed that BizTalk can no longer connect to the BizTalk group and there was an error suggesting connection issues to SQL. Below is an extract of the exception logged in the event log:

    Error message: [DBNETLIB][ConnectionOpen (SECCreateCredentials()).]SSL Security error.
     Error source:BizTalk host name: BizTalkServerApplication
     Windows service name: BTSSvc$BizTalkServerApplication

    Event ID :5410

    As per some of the blogs, as long as the environment has Framework 4.5 or above installed, BizTalk should be able to communicate using TLS 1.2. The environment we are testing on has Framework 4.5 installed but the connection still doesn't go through. Kindly help provide pointers as to how this issue can be tackled.

    Wednesday, August 23, 2017 2:52 AM

Answers

  • Hi Tord long time no see. I am currently on BizTalk 2013 R2 Standard. I need something to fix this issue by July. I think this is a real problem for the HTTP adapter in BizTalk 2013 R2. I have proposed we upgrade to BizTalk 2016 Enterprise but that is a hard ask. I feel there needs to be something for BizTalk 2013 R2 and BizTalk 2016 Standard users now. I think that the fix in BizTalk 2016 FP2 should have been in a CU and not in a FP.

    This has now been released for BizTalk 2013 through 2016 in CUs

    Cumulative Update 5 for BizTalk Server 2016

    Cumulative Update 8 for BizTalk Server 2013 R2

    Cumulative Update 7 for BizTalk Server 2013

    Wednesday, June 27, 2018 1:07 AM

All replies

  • Sorry, having only TLS 1.2 or higher enabled is not supported atm.

    Check this thread in the BizTalk general forum
    https://social.technet.microsoft.com/Forums/windows/en-US/46a6d3ac-3a05-4742-bfbf-71fcc435589a/does-biztalk-server-2013-support-tls12?forum=biztalkgeneral

    You can use TLS 1.2 on send/receive ports

    /Peter


    Wednesday, August 23, 2017 7:27 AM
  • Thanks Peter.
    Wednesday, August 23, 2017 8:29 AM
  • Yes, BizTalk supports TLS 1.2. Hope you are using Bz2010.

    Ram

    Wednesday, August 23, 2017 1:13 PM
  • For clarity, I'm 92% sure this is not a problem with BizTalk Server; the issue is somewhere in the SQL Client.

    BizTalk supports TLS 1.2 with WCF etc.

    Wednesday, August 23, 2017 3:16 PM
    Moderator
  • You can use TLS 1.2 in send/receive ports
    But you can't disable the older TLS versions on the BizTalk server

    /Peter

    Wednesday, August 23, 2017 4:36 PM
  • Have a look at this https://www.codit.eu/blog/2016/04/21/biztalk-server-2010-and-support-for-tls-12/ 

    I think there is another article that describes how to use a WCF behaviour on a send port to set TLS 1.2. http://geekswithblogs.net/gvdmaaden/archive/2010/10/04/tls-1.0-and-ssl3-woes-in-biztalk-wcf-send-port.aspx

    I have used WCF behaviour a couple of times to do this.

    Friday, August 25, 2017 9:12 PM
    • Proposed as answer by Colin Dijkgraaf Tuesday, September 26, 2017 2:11 AM
    Monday, August 28, 2017 7:42 AM
    Answerer
  • We tried on BizTalk 2013 Ram.
    Thursday, September 7, 2017 2:15 AM
  • Noted Peter, thanks for the update. Will try out your suggestion. 
    Thursday, September 7, 2017 2:16 AM
  • A WCF behaviour would help here:

    https://biztalkbox.wordpress.com/2016/08/09/salesforce-disabling-tls-1-0-how-to-get-it-working-for-api-calls-via-biztalk/



    Yes, I've used that to create an End Point Behavior with just that functionality as a standard component to be used. Needed it for one project, and now there is another project just starting that will also need it.

    Neither of them connecting to Salesforce (but I did have to do the OAuth & TLS behaviour earlier)


    Tuesday, September 26, 2017 2:11 AM
  • Hi All,

    This is the official announcement that TLS 1.2 is now supported in BizTalk; please refer to the statement below and the source details:

    TLS 1.2 support

    TLS 1.2 is fully supported in BizTalk Server, including all the adapters and all the accelerators. You can disable SSL, TLS 1.0, and TLS 1.1 on the BizTalk Server.

    Key information:

    • Any external systems communicating with BizTalk also need to support TLS 1.2
    • Any custom code, such as functoids, may need to be updated to support TLS 1.2

    Description of the TLS/SSL protocol describes how to set up a TLS 1.2 environment.

    Source: https://docs.microsoft.com/en-gb/biztalk/core/configure-the-feature-pack


    Thanks,
    Kamlesh Kumar

    If my reply is helpful please mark as Answer or vote as Helpful.

    My blog | Twitter | LinkedIn

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.


    Saturday, January 27, 2018 5:38 PM
    Moderator
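The "external systems also need to support TLS 1.2" point above is easy to verify from the BizTalk box before touching any registry. This is an added example, not code from the thread: it attempts one handshake per TLS version against a partner endpoint (host name is a placeholder) and also prints the default protocol set of the local .NET 4.x process, which is what BizTalk's HTTP/WCF adapters get without code changes. It assumes PowerShell 3+ on .NET 4.5 or later.

```powershell
# Added example (not from the thread): probe which TLS versions a remote endpoint accepts and
# show this machine's default .NET protocol set. Host name below is a placeholder.
function Test-TlsVersionSupport {
    param([string]$HostName, [int]$Port = 443)
    # What a .NET 4.x process on this box uses by default (e.g. "Ssl3, Tls" before the strong-crypto
    # registry change, "Tls, Tls11, Tls12" or "SystemDefault" afterwards).
    Write-Host "Local .NET default SecurityProtocol: $([Net.ServicePointManager]::SecurityProtocol)"
    foreach ($proto in [Security.Authentication.SslProtocols]::Tls,
                       [Security.Authentication.SslProtocols]::Tls11,
                       [Security.Authentication.SslProtocols]::Tls12) {
        $client = $null; $ssl = $null; $ok = $false; $detail = ''
        try {
            $client = New-Object Net.Sockets.TcpClient($HostName, $Port)
            # Certificate validation callback returns $true: we only ask "which versions", we are not
            # trusting the peer here, so do not reuse this callback in production code.
            $ssl = New-Object Net.Security.SslStream($client.GetStream(), $false, { $true })
            $ssl.AuthenticateAsClient($HostName, $null, $proto, $false)
            $ok = $true
            $detail = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit; $($ssl.RemoteCertificate.Subject)"
        } catch {
            # A refused version usually surfaces as a handshake alert or an unexpected EOF from the peer.
            $detail = $_.Exception.GetBaseException().Message
        } finally {
            if ($ssl) { $ssl.Dispose() }
            if ($client) { $client.Close() }
        }
        [pscustomobject]@{ Host = $HostName; Protocol = $proto; Accepted = $ok; Detail = $detail }
    }
}
Test-TlsVersionSupport -HostName 'partner.example.invalid' | Format-Table -AutoSize
```

A partner that only accepts TLS 1.0 will show Accepted = False for Tls11 and Tls12, which tells you in advance that disabling TLS 1.0 locally will break that send port.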
  • BizTalk can communicate over TLS 1.2, but it doesn't by default. You can enable TLS 1.2 for .NET with a simple registry change:

    For inbound connections, IIS takes care of that, and should already be TLS 1.2.

    I think the admin tools struggle if you're using TLS on SQL and you disable TLS1.0.  The best you can do in that situation is make TLS1.2 the preferred option.


    If this is helpful or answers your question - please mark accordingly.
    Because I get points for it which gives my life purpose (also, it helps other people find answers quickly)

    Wednesday, February 7, 2018 9:57 PM
  • Hi Alastair,

    Did you have the same issue that I had with the  BizTalk Administration console?

    TLS1.0 is not disabled on SQL.

    Wednesday, February 7, 2018 10:30 PM
  • I can't remember now, I think so.  But that might have been changing the settings on the SQL server itself.  This is only applicable if you connect to SQL with TLS.

    I found the approach in the link in my previous post was the best balance as it shifted everything to TLS 1.2 that supported it, but retained support for TLS 1.0 if the remote system only supports that.

    Absolutely enable TLS1.2 for .NET 4 in your registry (both 64-bit and 32-bit).  Then play with different configurations using this tool:

    You will have to reboot each time you make a change, so not for production.  You're only interested in the first column.  Find the right balance for your setup.



    Sunday, February 11, 2018 9:49 PM
  • BizTalk Server 2016 FP2 added support for TLS 1.2; read more here: https://docs.microsoft.com/en-us/biztalk/core/configure-the-feature-pack

    // Tord

    Monday, February 12, 2018 8:26 AM
  • Hi Tord long time no see. I am currently on BizTalk 2013 R2 Standard. I need something to fix this issue by July. I think this is a real problem for the HTTP adapter in BizTalk 2013 R2. I have proposed we upgrade to BizTalk 2016 Enterprise but that is a hard ask. I feel there needs to be something for BizTalk 2013 R2 and BizTalk 2016 Standard users now. I think that the fix in BizTalk 2016 FP2 should have been in a CU and not in a FP.
    Monday, February 12, 2018 9:08 AM
  • Thanks Grant. I am going to change the settings on the SQL server tomorrow to see if this fixes our issue. It must work in BizTalk 2013 R2 if you and others have done this.
    Monday, February 12, 2018 9:15 AM
  • I seem to recall some actual issues relating to the source (and .NET engine) of the product limiting TLS 1.2 in earlier editions of BizTalk.

    I'd say there are so many great wins with the upgrade that I would consider it, or wait for vNext coming next year.. :)

    Take care buddy!

    Monday, February 12, 2018 11:26 AM
  • There is a good article (non BizTalk specific) TLS 1.2 and .NET Support: How to Avoid Connection Errors that lists the various versions of .NET and what they support, including some hotfixes for earlier versions of Windows to get it to support it.

    In combination with either a WCF EndPoint Behaviour on the port to set the SecurityProtocol or possibly the Registry settings in the link supplied by Alastair Grant, you can get it working with earlier versions of BizTalk. We have done it with BizTalk 2013 R2 communicating with TLS 1.1 on some ports and TLS 1.2 on others using the WCF EndPoint Behaviour.

    Tuesday, February 13, 2018 1:23 AM
  • Hi Colin,

    Did you get the BizTalk 2013 R2 Console error?

    We have .net 4.7.

    Got me beat.

    Tuesday, February 13, 2018 7:52 AM
  • Hi Colin and Grant,

    Are you on Enterprise or Standard? I am on Standard.

    Tuesday, February 13, 2018 7:56 AM
  • Hi Colin and Grant,

    Did you get the BizTalk 2013 R2 Console error?

    Are you on Enterprise or Standard? I am on Standard.

    Hi Mark

    No, as I didn't go the Registry entry route; rather we are using a Custom WCF Endpoint Behaviour on the send ports that need it. Initially we needed it for Salesforce, so I used what was described in this blog Salesforce disabling TLS 1.0 – How to get it working for API calls via BizTalk to alter the Salesforce oAuth behaviour (linked in that blog) to include this. Later on I created a cut down version of the Salesforce Behaviour that just contained the TLS behaviour so it was re-usable for other end points.

    BizTalk 2013 R2 Enterprise.


    Tuesday, February 13, 2018 7:57 PM
  • Hi Colin,

    That is good to know. In my hands the registry route causes the BizTalk administration console to barf. I am betting you might have the same issue if you tried.

    I too wrote a behaviour from my memory but unfortunately the AS2 encoder pipeline component does not play well with WCF-WebHTTP adapters. That is why I am trying to go this route because I think this is the only option with a HTTP adapter.

    Good to know you have not used the registry entry yet.

    Tuesday, February 13, 2018 8:23 PM
  • Hi Mark,

    I think the HTTP adapter can be mapped with the WCF-Custom adapter. And then it also gets the option to select endpoint behaviours where the TLS set can be done.


    Pi_xel_xar

    Blog: My Blog

    BizTalkApplicationDeploymentTool: BizTalk Application Deployment Tool/

    Wednesday, February 14, 2018 6:56 AM
    Answerer
  • I think it is not an issue to use the endpoint behaviour with any WCF adapter including the WCF-custom adapter.

    The main issue is that in my hands I cannot use a WCF adapter with an AS2 encoder pipeline component.

    That means that this approach is not available to you if you want to use AS2 to send over HTTPS with TLS1++. I think your only option is to force the OS to use TLS 1.2 first and then try others after that.

    Wednesday, February 14, 2018 7:59 AM
  • Further to this, I have managed to send to an AS2 endpoint over HTTPS that uses TLS 1.1 only. I had tried all the registry tweaks that Grant above had suggested on the BizTalk server and SQL server. All of these caused the BizTalk Administration console to error. Thus we rolled all the registry settings back to allow TLS 1.0. The administration console now works. Magically BizTalk now tries TLS 1.2 first and then reverts to TLS 1.1 etc. when that is not available. I am at a loss to understand what has caused us to achieve the desired result. My advice to anyone else is try and then reboot everything until this stuff works.
    Wednesday, February 14, 2018 8:07 AM
  • You absolutely must reboot.  To reiterate, you need to:

    1. Enable TLS 1.2 support in .NET (registry tweak)
    2. Enable TLS 1.2 support in schannel (registry tweak)
    3. Reboot your server

    I have this setup running on an app server for schannel:

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
    "DisabledByDefault"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
    "Enabled"=dword:00000001
    "DisabledByDefault"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
    "Enabled"=dword:00000001
    "DisabledByDefault"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    "Enabled"=dword:00000001
    "DisabledByDefault"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    "Enabled"=dword:00000001
    "DisabledByDefault"=dword:00000000
    
    

    In this case, I haven't made any changes to the settings running on the SQL server.  There is a TLS connection between BizTalk and SQL.  The admin console works fine.

    Any connection out of BizTalk (e.g the HTTP adapter), will default to TLS 1.2 and then downgrade to earlier versions of TLS, but not SSL.



    • Proposed as answer by Alastair Grant Saturday, March 24, 2018 6:53 PM
    Wednesday, February 14, 2018 9:36 AM
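The three steps above (.NET registry tweak, schannel registry tweak, reboot) as one idempotent script. This is an added example, not the poster's code: it reproduces the schannel layout of the .reg export (TLS 1.1 and 1.2 offered, SSL 2.0 removed, TLS 1.0 deliberately untouched because the thread reports the admin console failing once it is disabled) and sets the documented .NET 4 values SchUseStrongCrypto and SystemDefaultTlsVersions, which the thread refers to only as a "registry change". It assumes an elevated PowerShell 3+ session on the BizTalk server and a reboot afterwards.

```powershell
# Added example (not from the thread): apply the schannel layout from the .reg export above plus the
# .NET 4 strong-crypto flags, then print the effective protocol table. Run elevated; reboot afterwards.
# SchUseStrongCrypto / SystemDefaultTlsVersions are the documented .NET value names (assumption: the
# thread does not name them). SystemDefaultTlsVersions is honoured only by newer 4.x builds; harmless elsewhere.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param([string]$Name, [bool]$Enabled)
    # Enabled=1 / DisabledByDefault=0 offers the protocol; Enabled=0 / DisabledByDefault=1 removes it.
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $schannel "$Name\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

# TLS 1.1 and 1.2 on, SSL 2.0 off (the export above only touches the SSL 2.0 Client side; this does both sides).
# TLS 1.0 is left alone on purpose: the thread reports the BizTalk admin console failing once it is disabled.
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true
Set-SchannelProtocol -Name 'TLS 1.1' -Enabled $true
Set-SchannelProtocol -Name 'SSL 2.0' -Enabled $false

# .NET 4.x defaults: both the 64-bit and the 32-bit (Wow6432Node) hive, as recommended earlier in the thread.
foreach ($hive in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    if (Test-Path $hive) {
        New-ItemProperty -Path $hive -Name 'SchUseStrongCrypto' -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $hive -Name 'SystemDefaultTlsVersions' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Audit: what schannel will offer after the reboot. A missing key means the OS default applies.
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $schannel "$proto\$side"
        $enabled = '(OS default)'; $disabledByDefault = '(OS default)'
        if (Test-Path $key) {
            $v = Get-ItemProperty -Path $key
            if ($null -ne $v.Enabled) { $enabled = $v.Enabled }
            if ($null -ne $v.DisabledByDefault) { $disabledByDefault = $v.DisabledByDefault }
        }
        [pscustomobject]@{ Protocol = $proto; Side = $side; Enabled = $enabled; DisabledByDefault = $disabledByDefault }
    }
}
```

Re-run only the audit loop after the reboot to confirm the values took; schannel reads them at boot, which is why the poster insists on restarting.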
  •  TLS 1.2 Error: The requested security protocol is not supported.

    Solution: TLS 1.2 support enabled after installing .Net framework 4.5.


    Friday, March 23, 2018 8:00 PM
  • Hi all,

    Please install CU8. This update includes the following KB article: 4091110 - Update adds support for TLS 1.2 protocol in BizTalk Server

    Cumulative Update package 8 for BizTalk Server 2013 R2


    Thanks,
    Kamlesh Kumar



    Monday, March 26, 2018 7:33 PM
    Moderator
  • Hi,

    We have BT 2016 with FP 2 installed. Do we need to explicitly change/configure any settings for TLS 1.2 support for some of the endpoints which we connect to, or is it supported by default?

    Regards


    -Ujjwal

    Monday, June 18, 2018 12:19 PM