DirectAccess stops working after disabling TLS 1.0

  • Question

  • Dear Experts,

    We have DirectAccess 2012 R2 with Windows 7 and 10 clients on a 2-node WNLB, 2-NIC configuration. As per the InfoSec guidelines we were asked to disable TLS 1.0 on both the DA servers. We disabled TLS 1.0 through the Registry; however, after rebooting the DA servers DA stopped working. (We reverted the change and everything started working as normal.)

    DA is negotiating on TLS 1.0
    Request you to please help us in making DA negotiate with TLS 1.2, as we need to disable TLS 1.0 and 1.1 (SSL 3.0 is already disabled).

    Many thanks... 



    DevT-MCT

    Thursday, September 20, 2018 5:01 AM

All replies

  • Hi,

    Thanks for your question.

    That shouldn't impact RDP.  Please refer to the link below to correctly disable TLS 1.0:

    https://blogs.msdn.microsoft.com/friis/2016/07/25/disabling-tls-1-0-on-your-windows-2008-r2-server-just-because-you-still-have-one/  

    Best regards,

    Travis


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, September 21, 2018 6:04 AM
    Moderator
  • Hi Travis,

    We have disabled TLS 1.0 following the same link...

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
    "Enabled"=dword:00000000

    RDP was working; however DirectAccess stopped working...



    DevT-MCT

    Friday, September 21, 2018 6:50 AM
  • Hi,

    You can try to enable the use of FIPS compliant encryption algorithms on the DirectAccess server. 

    Please refer to the link below:

    https://directaccess.richardhicks.com/2017/06/26/directaccess-reporting-fails-and-schannel-event-id-36871-after-disabling-tls-1-0/  

    Best regards,

    Travis



    Friday, September 21, 2018 6:59 AM
    Moderator
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Travis



    Thursday, September 27, 2018 9:59 AM
    Moderator
  • Unfortunately the issue is not yet resolved...


    CURRENT SITUATION:
    We have DirectAccess 2012 R2 with Windows 7 and 10 clients on a 2-node WNLB, 2-NIC configuration. As per the InfoSec guidelines we were asked to disable TLS 1.0 on both the DA servers. We disabled TLS 1.0 through the Registry; however, after rebooting the DA servers DA stopped working. (We reverted the change and everything started working as normal.)

    DA is negotiating on TLS 1.0
    Request you to please help us in making DA negotiate with TLS 1.2, as we need to disable TLS 1.0 and 1.1 (SSL 3.0 is already disabled).



    DevT-MCT

    Monday, October 1, 2018 7:16 AM
  • Never came across this, but see: https://directaccess.richardhicks.com/tag/hardening/

    Not sure, but could it be that W2016 is required for this?

    Another thing - are your W2012 servers really fully patched? If you then restart them, which DA component will not start? What does the DA component monitor look like? And are you using only IP-HTTPS or something else?


    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.

    Wednesday, October 3, 2018 6:02 PM