Is disabling TLS 1.0 and 1.1 supported on BizTalk 2016 CU3 without Feature Pack 2?

  • Question

  • The subject line pretty much covers it.

    I have installed BizTalk 2016 and installed CU3. I did not install FP2. Technically, the oft-cited, "TLS 1.2 is fully supported in BizTalk Server, including all the adapters and all the accelerators. You can disable SSL, TLS 1.0, and TLS 1.1 on the BizTalk Server." is from "Configure the Feature Pack" for Feature Pack 2 - https://docs.microsoft.com/en-us/biztalk/core/configure-the-feature-pack 

    When I attempted to disable TLS 1.0 and 1.1, BizTalk complained about SSO: "The Messaging engine could not contact the SSO server to retrieve the endpoint configuration." When I re-enabled TLS 1.0 and 1.1, everything worked fine. Maybe I did it wrong, but before I bang my head against the wall too many more times, I wanted to check whether this is only available in the Feature Pack or is available in CU3 (released after FP2). According to KB 4091110, disabling TLS 1.0 and 1.1 under BizTalk 2013/R2 is supported with just the CU (CU7 for 2013, CU8 for 2013 R2, to be precise). https://support.microsoft.com/en-us/help/4091110/support-for-tls-1-2-protocol-in-biztalk-server One could be forgiven for assuming that the 2016 CU would be all that was needed.


    Sincerely,

    Randy S. Ridgely [MSFT]
    Microsoft Online Community Support

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    This posting is provided “AS IS” with no warranties, and confers no rights. You assume all risk for your use. © 2011 Microsoft Corporation. All rights reserved.

    Monday, May 14, 2018 7:09 PM

Answers

  • In short, no.   

    You need to install Feature Pack 2 for BizTalk 2016 for it to use TLS 1.2 only.

    There is no mention of the TLS fix in CU 4 for BizTalk 2016 (which was the one that was released after FP2).

    • Marked as answer by Randy Ridgely Saturday, May 19, 2018 4:01 AM
    Tuesday, May 15, 2018 1:33 AM

All replies

  • Feature Packs are for BizTalk Enterprise (or Developer) only.
    What solutions do we have for BizTalk 2016 Standard if the fix is not present in CU 4?

    /Peter

    Tuesday, May 15, 2018 1:52 PM
  • Hi Randy

    It is nowhere mentioned that the CU3 update includes the Feature Pack 2 fixes.

    Also, I could see that Feature Pack 2 is released with the CU3 update. So I would suggest you use Feature Pack 2 with the CU3 update.

    From the MSDN Blog

    Tuesday, May 15, 2018 2:49 PM
  • It has been included in the last normal CUs for BizTalk 2013 and BizTalk 2013 R2, recently released, so most likely it will also be in the next CU5. Remember this new TLS 1.2 support is only for internal BizTalk <-> SQL communication. Most customers need TLS 1.2 for BizTalk <-> web endpoint integrations, and this is possible already since .NET 4.5.* or later, which is supported by BizTalk 2010.

    The SchUseStrongCrypto registry key may help here for those web integrations. This will make TLS 1.2 the default, removing TLS 1.0 for web integrations.

    -------
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001
    ------

    You can also write custom behaviour to control which TLS version to use, e.g., I would use the SchUseStrongCrypto registry key to have TLS 1.2 as default and then I would use a dedicated TLS 1.0 host with a TLS 1.0 custom behaviour if there is still a need for this old version (hopefully most web servers have moved to TLS 1.2 by now). The ServicePoint behaviour is global for the process, so that is why I recommend a dedicated host for this.

    ------

    System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12 | System.Net.SecurityProtocolType.Tls11 | System.Net.SecurityProtocolType.Tls | System.Net.SecurityProtocolType.Ssl3;


    Thursday, May 17, 2018 5:13 PM
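A way to audit and apply the settings this reply relies on, as an added example that is not part of the thread: it reports the SchUseStrongCrypto value on both .NET 4.x registry paths quoted above, can apply the same change as the .reg fragment (with -WhatIf preview), and also reports the SCHANNEL protocol keys, which is where TLS 1.0 and 1.1 get disabled OS-wide. The SCHANNEL part is an assumption about how the original poster disabled the protocols; the thread does not say.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the BizTalk host.
# SchUseStrongCrypto paths quoted in the reply (64-bit and 32-bit .NET 4.x).
$strongCryptoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Get-StrongCryptoState {
    # Reports whether .NET will prefer TLS 1.2 by default in 64-bit and 32-bit processes.
    foreach ($key in $strongCryptoKeys) {
        $value = (Get-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -ErrorAction SilentlyContinue).SchUseStrongCrypto
        [pscustomobject]@{
            Key   = $key
            Value = if ($null -eq $value) { '(not set: .NET default applies)' } else { $value }
        }
    }
}

function Set-StrongCrypto {
    # Same change as the .reg fragment in the reply; -WhatIf previews without writing.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($key in $strongCryptoKeys) {
        if ($PSCmdlet.ShouldProcess($key, 'Set SchUseStrongCrypto = 1')) {
            New-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

function Get-SchannelProtocolState {
    # Assumption: TLS 1.0/1.1 were disabled via the SCHANNEL protocol keys (the thread does not say how).
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $p = Get-ItemProperty -Path "$base\$proto\$side" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = if ($null -eq $p.Enabled) { '(default)' } else { $p.Enabled }
                DisabledByDefault = if ($null -eq $p.DisabledByDefault) { '(default)' } else { $p.DisabledByDefault }
            }
        }
    }
}

Get-StrongCryptoState | Format-Table -AutoSize
Get-SchannelProtocolState | Format-Table -AutoSize
# Set-StrongCrypto -WhatIf   # preview; drop -WhatIf to apply
```

The SCHANNEL keys affect every SChannel client on the machine, including the BizTalk-to-SQL and SSO connections the question describes, whereas SchUseStrongCrypto only changes the .NET default for outbound web calls; comparing both tables shows which of the two you are actually testing.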
  • Thanks, Anand. I probably wrote it wrong, but I meant to say that FP2 contains the CU, not the other way around.

    Sincerely,

    Randy S. Ridgely [MSFT]
    Microsoft Online Community Support


    Saturday, May 19, 2018 4:03 AM
  • Hi Niklas! Yes, we've done exactly that for our external partners, but our security team wants to enforce disabling of all TLS 1.0 and 1.1 throughout the organization.

    Sincerely,

    Randy S. Ridgely [MSFT]
    Microsoft Online Community Support

    Saturday, May 19, 2018 4:08 AM