First published on MSDN on Sep 22, 2017
A customer recently ran into an issue where their SharePoint 2016 ASP.NET provider-hosted applications, running on Windows Server 2016 and IIS 10, started throwing crypto errors. In Chrome, we saw "The webpage at https://app-[GUID].sharepointaddins.com/siteURL might be temporarily down or it may have moved permanently to a new address. ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY". After some research, reading on my part, and help from the always knowledgeable Dean Cron, we have an explanation. Newer versions of Chrome follow the HTTP/2 (AKA HTTP 2.0) rules, which blacklist some older ciphers. The default IIS 10 settings still let you negotiate to use those ciphers.
Other problematic scenarios include opening documents in Exchange via Office Web Applications/Office Online Server. Changes can be made on OWA/OOS servers.
Here are two ways to fix this.
https://bugs.chromium.org/p/chromium/issues/detail?id=529994
Change your browser settings
This probably isn't a great idea, because you lose all the security enhancements with HTTP/2.
- Disable HTTP/2 in Chrome and/or Firefox
  - In Chrome: run the browser with the --disable-http2 switch
  - In Firefox: type about:config in the browser and confirm the security prompt; then search for the network.http.spdy.enabled.http2 setting and set it to false
Change your IIS (web server) settings
- Use regedit to adjust the cipher suite configuration. Below is a sample .reg file that corrected this in a test lab.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
- Use Nartac to adjust cipher suite settings: https://www.nartac.com/Products/IISCrypto/Download
  - I've never used this product, so proceed at your own risk. I saw it mentioned in a few places for configuration specific to this scope of issue.
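The browser error depends on which suite the handshake actually settles on, so the order of the "Functions" value matters as much as its contents. The following is an added example, not code from the original post: it parses a "Functions" line, picks the suite a server-preference handshake would choose for a given client offer, and checks it against the rule behind the HTTP/2 blacklist in RFC 7540 Appendix A (ephemeral key exchange plus an AEAD cipher). The two suite orders and the client offer are constructed samples, and server-preference selection is an assumption of the example.

```python
import re

AEAD = ("_GCM_", "_CCM", "CHACHA20_POLY1305")

def http2_ok(suite):
    """RFC 7540 Appendix A rule: ephemeral key exchange plus an AEAD cipher."""
    if "_WITH_" not in suite:      # TLS 1.3-style name, outside the TLS 1.2 blacklist
        return True
    kx = suite.split("_WITH_")[0]  # e.g. TLS_ECDHE_RSA
    ephemeral = kx.startswith(("TLS_ECDHE_", "TLS_DHE_"))
    return ephemeral and any(tag in suite for tag in AEAD)

def parse_functions(reg_line):
    """Extract the ordered suite list from a .reg '"Functions"="a,b,c"' line."""
    m = re.search(r'"Functions"\s*=\s*"([^"]*)"', reg_line)
    if not m:
        raise ValueError("no Functions value found")
    return [s.strip() for s in m.group(1).split(",") if s.strip()]

def negotiate(server_order, client_offer):
    """Assumed server-preference selection: first server suite the client offers."""
    offered = set(client_offer)
    return next((s for s in server_order if s in offered), None)

def audit(reg_line, client_offer):
    """Report the suite that would be chosen and every blacklisted suite in the order."""
    order = parse_functions(reg_line)
    chosen = negotiate(order, client_offer)
    return {"chosen": chosen,
            "http2_ok": chosen is not None and http2_ok(chosen),
            "blacklisted": [s for s in order if not http2_ok(s)]}

# Constructed samples (not a real default order and not a captured ClientHello).
CBC_FIRST = ('"Functions"="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,'
             'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256"')
GCM_FIRST = ('"Functions"="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,'
             'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"')
CLIENT = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
          "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]

if __name__ == "__main__":
    for name, line in (("CBC first", CBC_FIRST), ("GCM first", GCM_FIRST)):
        print(name, audit(line, CLIENT))
```

A blacklisted suite can stay in the list for older clients as long as an HTTP/2-acceptable suite that the client offers is ordered ahead of it.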
Updated Apr 28, 2020
Version 3.0
ronalg
Microsoft
Core Infrastructure and Security Blog