silvermarkg_Personal
Copper Contributor
Feb 17, 2022

ConfigMgr & TLS 1.2

Hi

Not sure if this falls into office hours or not but I'll ask anyway 🙂

Two questions about TLS 1.2 and ConfigMgr:

1. With .NET 4.6.2 or above installed, will TLS 1.2 be used or do we need to specifically set the SystemDefaultTlsVersions and SchUseStrongCrypto registry settings to enforce TLS 1.2?

I'm seeing some TLS issues and have some servers with them and some without.

2. I'm seeing "Authentication failed - closing the connection...a call to SSPI failed...the client and server cannot communicate, because they do not possess a common algorithm" in the BGBServer.log. Is this clients to the MP or MP to other site system communications?

Thanks

Mark

3 Replies

  • Hi Mark,

    For #1, please see https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2 for full details on enabling TLS 1.2 in ConfigMgr (assuming you are running a supported version). Per the doc, both values you call out must be enabled via the registry, yes. Make sure you fully read through the documentation though as there are other steps.

    For #2, please open a support case as there is no way to troubleshoot an issue like that in a Q&A. It's possible you haven't completed all of the necessary configurations in the TLS documentation linked above, but only you can confirm that.
    • silvermarkg_Personal
      Copper Contributor
      I read the docs but was still a little unclear, so thanks for the clarity, and noted about a support case for question 2.
  • JoSo
    Copper Contributor
    If this is about the fast channel, we noticed that if a client tries to establish the fast channel over TCP (10123) it uses a weak cipher which is blocked by GPO (by our Server Admins) on the MPs. When the fast channel is set up over HTTPS it uses stronger ciphers and works OK!
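
For comparing servers that "have them" against servers that do not, a read-only audit of the two values named in question 1 can be run on each site system. This is an added example, not part of the thread or of Microsoft's documentation; the function name `Get-DotNetTlsSetting` is hypothetical, and the script assumes the standard .NET Framework 4.x registry keys in both the 64-bit and WOW6432Node hives.

```powershell
# Added example: read-only audit of SystemDefaultTlsVersions and SchUseStrongCrypto.
# Nothing is written to the registry; the script only reports what is present.
# Assumption: the standard .NET Framework 4.x keys (64-bit and 32-bit views).
$valueNames = 'SystemDefaultTlsVersions', 'SchUseStrongCrypto'
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Get-DotNetTlsSetting {
    param(
        [string[]]$Path = $keys,
        [string[]]$Name = $valueNames
    )
    foreach ($p in $Path) {
        # A missing key is reported as "<key missing>" rather than skipped,
        # so a server with no .NET 4.x hive stands out in the comparison.
        $exists = Test-Path -LiteralPath $p
        $props  = if ($exists) { Get-ItemProperty -LiteralPath $p } else { $null }
        foreach ($n in $Name) {
            $raw = if ($props) { $props.$n } else { $null }
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Key      = $p
                Value    = $n
                Data     = if (-not $exists) { '<key missing>' }
                           elseif ($null -eq $raw) { '<not set>' }
                           else { $raw }
                Enabled  = ($raw -eq 1)   # both values are DWORDs; 1 means enabled
            }
        }
    }
}

$report = @(Get-DotNetTlsSetting)
$report | Format-Table -AutoSize

# Flag anything that is absent or not set to 1.
$notEnabled = @($report | Where-Object { -not $_.Enabled })
if ($notEnabled.Count -gt 0) {
    Write-Warning ("{0} of {1} values are not set to 1 on {2}" -f `
        $notEnabled.Count, $report.Count, $env:COMPUTERNAME)
}
```

Running it on a server that shows the TLS errors and on one that does not gives a side-by-side view of which values differ; the other steps in the linked documentation are not covered by this check.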
