How to configure TLS 1.2 as the default security protocol on BizTalk Server with PowerShell

Posted: February 12, 2021 | Categories: BizTalk Server, BizTalk Server 2020


TLS 1.2 is now fully supported in newer versions of BizTalk Server. This includes all the adapters and accelerators. This is part of the default installation of BizTalk Server 2020 and it was introduced in:

  • BizTalk Server 2016 as a part of Feature Pack 2 and available also with Cumulative Update 5
  • BizTalk Server 2013 R2 as a part of Cumulative Update 8
  • BizTalk Server 2013 as a part of Cumulative Update 7

BizTalk Server 2010 and older versions don’t support this feature.

You can also disable SSL, TLS 1.0, and TLS 1.1 in BizTalk Server. Out of the box, however, BizTalk Server works with SSL (Secure Socket Layer) 3.0 or TLS (Transport Layer Security) 1.0, and those are the security protocols it uses. Newer versions of BizTalk Server allow us to use TLS 1.2, but that requires extra manual configuration of the environment.

To enable the TLS 1.2 protocol, create an Enabled entry in either the Client or Server subkey; this entry does not exist in the registry by default. In other words, you need to manually change the registry to set TLS 1.2 as the default security protocol. You can do that by adding the following DWORD values to the registry:

On the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] key, create the following DWORD (32-bit) value:
  • Name: DisabledByDefault, Value Data: 0

On the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] key, create the following DWORD (32-bit) values:
  • Name: DisabledByDefault, Value Data: 0
  • Name: Enabled, Value Data: 1

On the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] key, create the following DWORD (32-bit) value:
  • Name: SchUseStrongCrypto, Value Data: 1

On the [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] key, create the following DWORD (32-bit) value:
  • Name: SchUseStrongCrypto, Value Data: 1

The HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\<VERSION>: SchUseStrongCrypto registry key has a value of type DWORD. A value of 1 causes your app to use strong cryptography. The strong cryptography uses more secure network protocols (TLS 1.2, TLS 1.1, and TLS 1.0) and blocks protocols that are not secure. A value of 0 disables strong cryptography.
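Before (and after) changing anything, it is useful to read these values back and see which ones are missing or wrong. The following read-only check is an added example, not part of the original post or its GitHub script; the function name Test-Tls12RegistryConfig and the $expected table are my own, and the paths and values are the ones listed above.

```powershell
# Added example: report whether each registry value described above is
# set as expected. Read-only; run in an elevated PowerShell session on
# each BizTalk machine of the group.

$expected = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'; Name = 'DisabledByDefault'; Value = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'; Name = 'Enabled';           Value = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'; Name = 'DisabledByDefault'; Value = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'; Name = 'Enabled';           Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SchUseStrongCrypto'; Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SchUseStrongCrypto'; Value = 1 }
)

function Test-Tls12RegistryConfig {
    param([array]$Checks = $expected)

    foreach ($c in $Checks) {
        # -ErrorAction SilentlyContinue turns a missing key or value into $null
        # instead of a terminating error. "Absent" is reported explicitly because
        # a missing Enabled/DisabledByDefault entry means SCHANNEL uses the OS
        # default for that protocol, which is not the same as "TLS 1.2 on".
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($null -eq $item) { $null } else { $item.($c.Name) }

        [pscustomobject]@{
            Key      = $c.Path
            Name     = $c.Name
            Expected = $c.Value
            Actual   = if ($null -eq $actual) { '<absent>' } else { $actual }
            Ok       = ($null -ne $actual -and [int]$actual -eq $c.Value)
        }
    }
}

$results = Test-Tls12RegistryConfig
$results | Format-Table -AutoSize

# Non-zero exit code makes the check usable from a deployment pipeline.
if ($results.Ok -contains $false) {
    Write-Warning 'TLS 1.2 is not fully configured as the default security protocol on this machine.'
    exit 1
}
```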

To facilitate this process, I created a PowerShell script that adds or updates the above DWORDs and keys in the registry.

PowerShell script overview

The PowerShell script below adds or updates the above DWORDs and keys in the registry.

Note: you need to execute this script on all the BizTalk machines of the BizTalk group.

# Run from an elevated (Administrator) PowerShell session.
# The TLS 1.2 keys do not exist by default, so create them first; New-ItemProperty fails on a missing key.
New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null

# Add or Update Client DWORD's
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value 0 -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -Value 1 -PropertyType DWORD -Force | Out-Null

# Add or Update Server DWORD's
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -Value 0 -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -Value 1 -PropertyType DWORD -Force | Out-Null

#######################################################################################################################
# set the .NET Framework 4.0 to use the latest version of the SecurityProtocol, by creating SchUseStrongCrypto DWORDs #
# for both 32- and 64-bit hosts                                                                                       #
#######################################################################################################################
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value 1 -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value 1 -PropertyType DWORD -Force | Out-Null

This script was tested in:

  • BizTalk Server 2020
  • BizTalk Server 2016

THIS POWERSHELL SCRIPT IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND.

Download

You can access and download the full PowerShell script from GitHub here: PowerShell to Configure TLS 1.2 as the default security protocol on BizTalk Server

Author: sandro

Sandro Pereira lives in Portugal and works as a consultant at DevScope. In the past years, he has been working on implementing Integration scenarios both on-premises and cloud for various clients, each with different scenarios from a technical point of view, size, and criticality, using Microsoft Azure, Microsoft BizTalk Server and different technologies like AS2, EDI, RosettaNet, SAP, TIBCO etc. He is a regular blogger, international speaker, and technical reviewer of several BizTalk books all focused on Integration. He is also the author of the book “BizTalk Mapping Patterns & Best Practices”. He has been awarded MVP since 2011 for his contributions to the integration community.
