TLS 1.2 is now fully supported in newer versions of BizTalk Server, including all the adapters and accelerators. It is part of the default installation of BizTalk Server 2020 and was introduced in:
BizTalk Server 2010 and older versions don’t support this feature.
You can also disable SSL 3.0, TLS 1.0 and TLS 1.1 in BizTalk Server. Out of the box, however, BizTalk Server works with SSL (Secure Sockets Layer) 3.0 or TLS (Transport Layer Security) 1.0, and those are the security protocols it uses by default. Both are deprecated (SSL 3.0 by RFC 7568, TLS 1.0 and TLS 1.1 by RFC 8996), so on the newer versions of BizTalk Server that support TLS 1.2 you should move to it; doing so requires some extra manual configuration in the environment.
To enable the TLS 1.2 protocol, create an Enabled entry in the Client subkey (outbound connections), the Server subkey (inbound connections), or both. This entry does not exist in the registry by default.
To make TLS 1.2 the default security protocol, you need to make some manual changes in the registry: the SCHANNEL entries enable the protocol at the operating-system level, and the SchUseStrongCrypto entries make .NET Framework 4.x applications such as the BizTalk host instances prefer it. Add the following DWORD (32-bit) values:
Under [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client], create the following DWORD (32-bit) values:
    Name: DisabledByDefault    Value Data: 0
    Name: Enabled              Value Data: 1
Under [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server], create the following DWORD (32-bit) values:
    Name: DisabledByDefault    Value Data: 0
    Name: Enabled              Value Data: 1
Under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319], create the following DWORD (32-bit) value:
    Name: SchUseStrongCrypto   Value Data: 1
Under [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319], create the following DWORD (32-bit) value:
    Name: SchUseStrongCrypto   Value Data: 1
The HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\<VERSION>\SchUseStrongCrypto registry value is of type DWORD. A value of 1 causes your app to use strong cryptography: it uses the more secure network protocols (TLS 1.2, TLS 1.1 and TLS 1.0) and blocks protocols that are not secure. A value of 0 (or a missing value) disables strong cryptography. The value is read when a .NET process starts, so the BizTalk host instances (and IIS, for the HTTP-based adapters) must be restarted after the change; the SCHANNEL entries take effect only after the machine is rebooted.
To facilitate this process, I created a PowerShell script that adds or updates the above DWORDs and keys in the registry.
Note: you need to execute this script, from an elevated PowerShell session, on all the BizTalk machines in the BizTalk group.
```powershell
#Requires -RunAsAdministrator

# The TLS 1.2 Client and Server keys do not exist by default, so create them first;
# New-Item -Force also creates missing parent keys and is harmless if the key is already there.
$tls12Client = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$tls12Server = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
New-Item -Path $tls12Client -Force | Out-Null
New-Item -Path $tls12Server -Force | Out-Null

# Add or Update Client DWORD's
New-ItemProperty -Path $tls12Client -Name 'DisabledByDefault' -Value 0 -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path $tls12Client -Name 'Enabled'           -Value 1 -PropertyType DWORD -Force | Out-Null

# Add or Update Server DWORD's
New-ItemProperty -Path $tls12Server -Name 'DisabledByDefault' -Value 0 -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path $tls12Server -Name 'Enabled'           -Value 1 -PropertyType DWORD -Force | Out-Null

#######################################################################################################################
# set the .NET Framework 4.x to use the latest version of the SecurityProtocol, by creating SchUseStrongCrypto DWORDs #
# for both 64-bit and 32-bit (Wow6432Node) hosts                                                                      #
#######################################################################################################################
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'             -Name 'SchUseStrongCrypto' -Value 1 -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value 1 -PropertyType DWORD -Force | Out-Null

# SCHANNEL changes apply after a reboot; SchUseStrongCrypto applies to .NET processes started after this point.
```
This script was tested in:
THIS POWERSHELL SCRIPT IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND.
You can access and download the full PowerShell script from GitHub here: PowerShell to Configure TLS 1.2 as the default security protocol on BizTalk Server
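As an added example, not code from the original post or from the GitHub script, the following PowerShell audits the SCHANNEL and .NET registry state described above on the local machine and, when you decide to, disables the legacy protocols mentioned at the start of the post. The function names (Get-SchannelProtocolState, Get-DotNetStrongCrypto, Disable-LegacySchannelProtocol) and the -LegacyProtocols parameter are this example's own choices, not Windows or BizTalk cmdlets; the registry paths are the ones the post lists.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the original post). Function names and the -LegacyProtocols
# parameter are assumptions of this example; the registry locations are the ones the post describes.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$DotNetKeys   = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Get-RegistryDword {
    # Returns the DWORD value, or $null when either the key or the value does not exist.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-SchannelProtocolState {
    # One row per protocol and side. SCHANNEL semantics: Enabled=0 switches the protocol off;
    # DisabledByDefault=1 keeps it off unless an application opts in explicitly.
    # When neither value exists, the Windows build's own default applies (TLS 1.2 is off by
    # default on older builds, which is why the post has you create the Enabled entry).
    foreach ($protocol in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $key      = Join-Path -Path $SchannelRoot -ChildPath "$protocol\$side"
            $enabled  = Get-RegistryDword -Path $key -Name 'Enabled'
            $disabled = Get-RegistryDword -Path $key -Name 'DisabledByDefault'
            $state = if ($enabled -eq 0) { 'disabled' }
                     elseif ($disabled -eq 1) { 'disabled by default (apps must opt in)' }
                     elseif ($null -eq $enabled -and $null -eq $disabled) { 'OS default' }
                     else { 'enabled' }
            [pscustomobject]@{
                Protocol          = $protocol
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabled
                State             = $state
            }
        }
    }
}

function Get-DotNetStrongCrypto {
    # SchUseStrongCrypto=1 makes .NET Framework 4.x default to TLS 1.0/1.1/1.2 instead of SSL 3.0/TLS 1.0.
    foreach ($key in $DotNetKeys) {
        $value = Get-RegistryDword -Path $key -Name 'SchUseStrongCrypto'
        $shown = if ($null -eq $value) { 'not set (behaves as 0)' } else { $value }
        [pscustomobject]@{ Key = $key; SchUseStrongCrypto = $shown }
    }
}

function Disable-LegacySchannelProtocol {
    # Turns the given protocols off for both client and server; takes effect after a reboot.
    # Only do this once SQL Server, the SQL client libraries and every partner endpoint the
    # adapters talk to already negotiate TLS 1.2, because those connections fail outright afterwards.
    param([string[]]$LegacyProtocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'))
    foreach ($protocol in $LegacyProtocols) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path -Path $SchannelRoot -ChildPath "$protocol\$side"
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name 'Enabled'           -Value 0 -PropertyType DWORD -Force | Out-Null
            New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWORD -Force | Out-Null
        }
    }
}

# Usage: audit first, decide, then harden and reboot.
Get-SchannelProtocolState | Format-Table -AutoSize
Get-DotNetStrongCrypto    | Format-Table -AutoSize

# In Windows PowerShell (which runs on .NET Framework) this shows what a 4.x process negotiates by
# default: typically 'Ssl3, Tls' without SchUseStrongCrypto, and 'Tls, Tls11, Tls12' in a process
# started after SchUseStrongCrypto=1 was set.
[Net.ServicePointManager]::SecurityProtocol

# Disable-LegacySchannelProtocol -LegacyProtocols 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'   # uncomment when ready
```

Run the audit on every machine in the BizTalk group, because the host instances on each one negotiate TLS independently. Keep the SQL Server that hosts the BizTalk databases in the same audit: if TLS 1.0 is disabled on the BizTalk machines before SQL Server and its client libraries support TLS 1.2, the host instances cannot reach the MessageBox at all.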