Does BizTalk Server 2013 support TLS1.2?

  • Question

  • Hello Guys,

    We have enabled TLS1.2 on the BizTalk servers by disabling SSL2.0 and enabling strong ciphers. But I need to know if TLS1.2 is a supported security protocol for BizTalk Server 2013?

    Thanks in Advance.

    Regards,

    Himanshu.

    Thursday, June 9, 2016 8:31 AM

Answers

All replies

  • Hi Himanshu

    Yes it is.

    .NET Framework 4.5 and above supports TLS 1.2, and since BizTalk 2013 supports .NET Framework 4.5.x, you should be able to make it work. TLS 1.2 support (or lack of it) comes from the platform or the .NET Framework. Note the post below, where the author got this to work for BizTalk 2010:

    http://www.codit.eu/blog/2016/04/21/biztalk-server-2010-and-support-for-tls-12/

    Also refer to this post, where the blogger debugged failing TLS1.2 communication over BizTalk 2013:

    http://www.synegrate.com/#!BizTalk-Server-Troubleshooting-SSLTLS-Handshake-failures/c1dlv/56afbf3b0cf2fb0f6fe7e5a1

    Also refer to this thread, where Colin managed to get TLS 1.2 to work on BizTalk 2010:

    https://social.technet.microsoft.com/Forums/security/en-US/08cd1188-4de4-4de0-9cc0-f951c61db9f6/could-not-establish-secure-channel-for-ssltls-with-authority-tls1testsalesforcecom?forum=biztalkgeneral


    Thanks Arindam



    Thursday, June 9, 2016 8:34 AM
    Moderator
  • Hi All,

    I had the same issue with BizTalk 2013. I could not get it working out of the box like you have suggested, which I also believed to be correct. If I made the registry changes for SchUseStrongCrypto as per the 2010 article, then I could see from Wireshark that it was using TLS 1.2.

    So I would say the article equally applies to 2013 as 2010.

    I couldn't follow the second link as it can't be resolved.

    I hope these comments help others.

    Dave

    Wednesday, June 14, 2017 10:39 AM
  • Hi,

    I would like to update here that as of now we don't support TLS 1.2 with any BizTalk version, including the latest version, BizTalk 2016. We are checking on this request and hope to have support for TLS 1.2 in the next BizTalk release.

    Thank you,

    Raj

    Friday, July 7, 2017 10:43 PM
  • Hi Raj,

    Thanks for returning my call today for my Case #.

    Do you know if BizTalk supports TLS 1.1, as our DBA is asking?

    Thanks,

    Brian

    Thursday, August 3, 2017 9:13 PM
  • Hi Raj,

    We are currently using BizTalk Server 2013 R2 Enterprise Edition and we have a request to send AS2 messages over TLS 1.2. It seems the HTTP send adapter currently defaults to TLS 1.0. Can you let me know what can be done, or what Microsoft's timeline is for adding TLS 1.2 support to the HTTP adapter, which is what we use for AS2?

    Thank you

    Daryl

    Thursday, September 14, 2017 8:14 PM
  • Hello,

    Sorry for confusion of BizTalk setup/config and web-based adapters.

    The BizTalk core engine needs TLS 1.0 to operate the host, so you cannot disable TLS 1.0 in the registry. However, you can have both TLS 1.0 and TLS 1.2 enabled and let .NET/WCF-based adapters prefer TLS 1.2 with the SchUseStrongCrypto=1 registry key.

    Some web servers may try to negotiate, while others fail on the first attempt. In case you have different TLS settings in different WCF HTTP end points, you can use a WCF custom behaviour to set it. You should then keep all TLS 1.0 integration end points in one host and all TLS 1.2 integration end points in another host:
    1. Make sure to keep both TLS 1.0 and TLS 1.2 enabled.
    2. Don't set the SchUseStrongCrypto registry key.
    3. The default behavior at this point will be TLS 1.0 (with fallback to SSL3), so for any WCF send port that needs TLS 1.2, set the System.Net.ServicePointManager.SecurityProtocol property using a custom endpoint behavior within a WCF-Custom send port.

    If you want to allow fallback logic, you can OR it as follows:
    System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12 | System.Net.SecurityProtocolType.Tls11 | System.Net.SecurityProtocolType.Tls | System.Net.SecurityProtocolType.Ssl3;

    It is probably best to have one custom behavior for TLS 1.0 and one for TLS 1.2, so you are explicit, know what you use, and it fails when something changes. Make sure not to mix the different WCF behaviors in the same host, as ServicePointManager is a global process setting.

    Another alternative if you have many BizTalk servers could be to use 2 servers for TLS 1.0 ports and 2 servers for TLS 1.2 ports.

    Thank you,

    Raj


    Tuesday, September 26, 2017 6:18 PM
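A worked version of the custom endpoint behavior Raj describes, added here as example code (not from the thread, the BizTalk product or Microsoft docs). It pins ServicePointManager.SecurityProtocol when a WCF-Custom send port opens its channel; the namespace, class names and the `protocols` configuration attribute are assumptions.

```csharp
using System;
using System.Configuration;
using System.Net;
using System.ServiceModel.Channels;
using System.ServiceModel.Configuration;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

namespace Example.BizTalk.Behaviors   // hypothetical namespace
{
    // Endpoint behavior that sets the process-wide TLS protocol set before the
    // send port's channel is built. ServicePointManager.SecurityProtocol is global
    // to the host process, so deploy one protocol set per BizTalk host.
    public class TlsProtocolBehavior : IEndpointBehavior
    {
        private readonly SecurityProtocolType _protocols;

        public TlsProtocolBehavior(SecurityProtocolType protocols)
        {
            _protocols = protocols;
        }

        public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection parameters)
        {
            // Explicit assignment (no OR-ing with the current value) so a TLS 1.2-only
            // host fails loudly instead of silently falling back to TLS 1.0.
            ServicePointManager.SecurityProtocol = _protocols;
        }

        public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime) { }
        public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher dispatcher) { }
        public void Validate(ServiceEndpoint endpoint) { }
    }

    // Extension element registered under <behaviorExtensions> in machine.config so the
    // behavior appears on the WCF-Custom send port's Behavior tab. The "protocols"
    // attribute accepts e.g. "Tls12" or "Tls12, Tls11" (a flags enum), so one assembly
    // can provide a TLS 1.0 behavior and a TLS 1.2 behavior for different hosts.
    public class TlsProtocolBehaviorExtension : BehaviorExtensionElement
    {
        [ConfigurationProperty("protocols", DefaultValue = SecurityProtocolType.Tls12)]
        public SecurityProtocolType Protocols
        {
            get { return (SecurityProtocolType)this["protocols"]; }
            set { this["protocols"] = value; }
        }

        public override Type BehaviorType { get { return typeof(TlsProtocolBehavior); } }
        protected override object CreateBehavior() { return new TlsProtocolBehavior(Protocols); }
    }
}
```

The assembly must be GAC-installed and the extension added to machine.config with its full strong name (PublicKeyToken is a placeholder here): `<add name="tlsProtocol" type="Example.BizTalk.Behaviors.TlsProtocolBehaviorExtension, Example.BizTalk.Behaviors, Version=1.0.0.0, Culture=neutral, PublicKeyToken=YOUR_TOKEN" />`.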
  • When will the BizTalk core (BizTalk to BizTalk management DB) be updated to support TLS1.2 exclusively?
    Thursday, September 28, 2017 10:47 PM
  • Hi All,

    This is the official announcement that TLS 1.2 is now supported in BizTalk; please refer to the statement below and the source:

    TLS 1.2 support

    TLS 1.2 is fully supported in BizTalk Server, including all the adapters and all the accelerators. You can disable SSL, TLS 1.0, and TLS 1.1 on the BizTalk Server.

    Key information:

    • Any external systems communicating with BizTalk also need to support TLS 1.2
    • Any custom code, such as functoids, may need to be updated to support TLS 1.2

    Description of the TLS/SSL protocol describes how to set up a TLS 1.2 environment.

    Source: https://docs.microsoft.com/en-gb/biztalk/core/configure-the-feature-pack


    Thanks,
    Kamlesh Kumar



    Saturday, January 27, 2018 5:38 PM
    Moderator