MDT support with TLS 1.2

  • Question

  • Our security team is mandating that all clients and servers have TLS 1.0 and 1.1 disabled and utilize only TLS 1.2.

    I have an MDT 2013 Update 1 implementation that is also pointing to a SQL database on a separate server. I use this for Make and Model usage during builds. When I disabled TLS 1.0 and 1.1 on the SQL server, I was no longer able to connect to the Make and Model section in MDT, and when I re-enabled them I was able to see it once again, so it appears MDT is not working with TLS 1.2.

    Does anybody have an idea on how I can get MDT to work properly with TLS 1.2 only?

    Friday, October 20, 2017 3:29 AM

All replies

  • Is this a connection issue or an authorization issue? How are you authenticating against the database? Could you post a snippet from your BDD.log related to DB connection?

    Cheers,
    Anton

    Vacuum Breather Blog | Wing Commander Saga | Twitter

    Note: Posts are provided "AS IS" without warranty of any kind. If posts are helpful please don't forget to rate them as "Helpful" or as "Answer".

    Friday, October 20, 2017 6:13 PM
  • This is a connection issue. My account has been granted access to the MDT database on the SQL side, and when I am logged onto my MDT server and launch the Deployment Workbench I am able to see the Make and Model section that I created. With only TLS 1.2 enabled, this data does not appear, and when I enable 1.0 and 1.1 it does, so it definitely is a TLS connectivity issue. This isn't with regard to a build, so the BDD.log really isn't applicable.
    Saturday, October 21, 2017 5:52 AM
  • This issue is not MDT specific. Back in 2016, Microsoft announced that TLS 1.2 would now be supported in specific builds of SQL Server 2008, 2008 R2, 2012, and 2014. If I were in your shoes, I would start by talking to the database team and find out which version of SQL Server they are running and if they applied the update which adds TLS 1.2 support: https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server

    Additional information: https://blogs.sentryone.com/aaronbertrand/tls-1-2-support-read-first/


    Cheers,
    Anton

    Sunday, October 22, 2017 11:50 AM
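An added example, not part of the thread: a PowerShell check to run on both the MDT server and the SQL Server host, listing the SCHANNEL protocol settings on each and fetching the SQL Server build to compare against the KB linked above. `SQLSERVER01` and `MDT` are placeholder names, and the connection test uses .NET's System.Data.SqlClient, so it exercises the path from that host to SQL Server rather than MDT's own data-access code.

```powershell
# Added example. $SqlInstance and $Database are placeholders (assumptions),
# not values taken from the thread.
param(
    [string]$SqlInstance = 'SQLSERVER01',
    [string]$Database    = 'MDT'
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Report the client and server side of each protocol on this machine.
$report = foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Client', 'Server') {
        $key   = Join-Path $base "$proto\$role"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        # A missing key or value means the OS default for that protocol applies.
        if ($null -eq $props -or $null -eq $props.Enabled) { $state = 'OS default' }
        elseif ($props.Enabled -eq 0)                      { $state = 'Disabled' }
        else                                               { $state = 'Enabled' }
        [pscustomobject]@{
            Protocol          = $proto
            Role              = $role
            State             = $state
            DisabledByDefault = $props.DisabledByDefault
        }
    }
}
$report | Format-Table -AutoSize

# Try a Windows-authenticated connection and read the server build number.
$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$SqlInstance;Database=$Database;Integrated Security=SSPI"
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32))"
    "Connected. SQL Server build: $($cmd.ExecuteScalar())"
}
catch {
    # A handshake failure here points at protocol mismatch rather than permissions.
    "Connection failed: $($_.Exception.Message)"
}
finally {
    $conn.Dispose()
}
```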
  • Our SQL DBA updated the SQL version to the latest update and verified it does support TLS 1.2. There are other DBs running on that server where I disabled TLS 1.0 and 1.1 on the corresponding application server and they worked, so I know TLS 1.2 is working on the SQL server.
    Monday, October 23, 2017 3:33 AM
  • Does anybody have any ideas/suggestions for me? Are there others who are using MDT DBs on another SQL server and running TLS 1.2 only?
    Wednesday, October 25, 2017 5:55 PM
  • Aside from playing around with SQL / Windows authentication (since MDT supports both scenarios), I am out of ideas, as I haven't seen any issues resembling yours in the wild.

    Cheers,
    Anton

    Thursday, October 26, 2017 6:55 AM