Support for TLS v1.2 – BizTalk Server 2013 R2

In a recent scenario we were trying to connect to a REST API from a BizTalk send port using client certificates, and we got the error message below.

When we traced the request with Wireshark, we noticed that the TLS version we were using was TLS 1.0, while the service expects the security protocol to be TLS 1.2.

System.ServiceModel.CommunicationException: An error occurred while making the HTTP request to "https". This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Authentication failed because the remote party has closed the transport stream.


There are a couple of ways to allow BizTalk to use TLS 1.2 as the security protocol:

  • Changing the registry so that the default security protocol is TLS 1.2 (regedit)
  • Creating a custom behaviour

Let’s look at both of these methods one by one!

  1. CHANGE IN REGISTRY

Note: This makes TLS 1.2 the default security protocol for the whole machine, so any existing service that still relies on the previous version might be affected. For that reason this may not be the best solution.

Add the DWORD values below to your registry.


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]

  • DWORD (32-bit) value
    • DisabledByDefault ( Value Data : 0)
    • Enabled (Value Data : 1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]

  • DWORD (32-bit) value
    • DisabledByDefault ( Value Data : 0)
    • Enabled (Value Data : 1)

Setting .NET Framework 4.0 (the v4.0.30319 runtime) to use the latest security protocol, TLS 1.2, by default

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]

  • DWORD (32-bit) value
    • SchUseStrongCrypto ( Value Data : 1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]

  • DWORD (32-bit) value
    • SchUseStrongCrypto ( Value Data : 1)

  2. CREATE CUSTOM BEHAVIOUR

This is the more flexible option, since you can choose the security protocol according to your need. There are a number of articles available on how to create a BizTalk custom behaviour.
In this case we set the security protocol to TLS 1.2 in a custom behaviour, which is then applied to the BizTalk send port.

It’s a one-line piece of code that needs to be added to your custom behaviour to make it use TLS 1.2 as the security protocol.

[Image: TLS1.2.JPG]

Once the custom behaviour is created you can use that behaviour in your WCF send port.

[Image: CustomBehaviour.JPG]

After adding the necessary behaviour to our BizTalk send port, we started interacting with the HTTPS service using the TLS 1.2 security protocol.
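The screenshots are not reproduced here, so the following is an added, complete example of such a behaviour; it is not the post's own code and not part of BizTalk. It assumes the namespace Example.BizTalk.Behaviors and the class names shown, and it uses the standard .NET way of selecting the protocol, the ServicePointManager.SecurityProtocol assignment. The BehaviorExtensionElement is what lets the behaviour be registered for a WCF-Custom send port.

```csharp
using System;
using System.Net;
using System.ServiceModel.Channels;
using System.ServiceModel.Configuration;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

// Assumed namespace and class names; adapt them to your own project.
namespace Example.BizTalk.Behaviors
{
    // Endpoint behaviour applied to the client (send) side of a WCF endpoint.
    // When the BizTalk WCF adapter builds the channel for the send port,
    // ApplyClientBehavior runs and restricts outbound connections to TLS 1.2.
    public class Tls12EndpointBehavior : IEndpointBehavior
    {
        public void AddBindingParameters(ServiceEndpoint endpoint,
                                         BindingParameterCollection bindingParameters)
        {
            // Nothing to add to the binding.
        }

        public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime)
        {
            // The one line that matters. SecurityProtocolType.Tls12 exists from
            // .NET Framework 4.5 onwards. ServicePointManager is static, so this
            // setting applies to the whole host instance process, not only to
            // this send port.
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        }

        public void ApplyDispatchBehavior(ServiceEndpoint endpoint,
                                          EndpointDispatcher endpointDispatcher)
        {
            // Not used on the receive (dispatch) side.
        }

        public void Validate(ServiceEndpoint endpoint)
        {
            // No additional validation required.
        }
    }

    // Configuration element that exposes the behaviour to WCF configuration,
    // so it can be listed under behaviorExtensions and picked on the send port.
    public class Tls12BehaviorExtensionElement : BehaviorExtensionElement
    {
        public override Type BehaviorType
        {
            get { return typeof(Tls12EndpointBehavior); }
        }

        protected override object CreateBehavior()
        {
            return new Tls12EndpointBehavior();
        }
    }
}
```

To use it, sign the assembly, install it in the GAC, and register Tls12BehaviorExtensionElement (with its fully qualified type name) under system.serviceModel/extensions/behaviorExtensions in the machine.config files for the .NET Framework runtime the host instance uses; the behaviour then appears in the WCF-Custom send port's Behavior tab as an endpoint behaviour. Because the assignment is process-wide, every outbound call made by the same host instance will be limited to TLS 1.2 once the behaviour has run; if other send ports still need an older protocol, run this send port in its own host instance.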


4 comments

  1. Hi Antariksh,
    Currently, we are using BizTalk Server 2010 with Windows Server 2008 R2 x64. We were also informed a few days back regarding the upgrade to TLS 1.2 for one of the web services we use. As we are on .NET Framework 4.0, I cannot write the custom behavior for the WCF-Custom send port and point outgoing calls to the TLS 1.2 protocol.

    My question is: can I just install .NET Framework 4.5 on the server, which should bring the TLS 1.1 and TLS 1.2 protocols, and then use the custom behavior as you mentioned to use TLS 1.2?

    I do not want to default the server communication protocol behavior to TLS 1.2, as I do not know how BizTalk will behave when connecting to its own metadata databases (SQL Server 2008 R2 SP1) and other application databases which are in SQL 2014 and have not been moved to use TLS 1.2.

    Please let me know your comments, and also let me know if I am missing something.

    Regards,
    Goutaemendu
