Windows 2012 R2 Cipher does not take effect

Thai_Lam
Occasional Contributor

Hi everyone,

I am experiencing a problem with PowerPoint sharing; other functions are OK, so I went to the front-end server and tried to access https://serverwac.domain.com/hosting/discovery and found I am not able to browse the page, with a TLS error.

gpresult /h shows the following cipher suite order:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, --------------
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, --------------
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA, ----------------
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,-----------
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,-----------------
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,---------------
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,--------------------
TLS_RSA_WITH_NULL_SHA256,
TLS_RSA_WITH_NULL_SHA,
TLS_PSK_WITH_AES_256_GCM_SHA384,
TLS_PSK_WITH_AES_128_GCM_SHA256,
TLS_PSK_WITH_AES_256_CBC_SHA384,
TLS_PSK_WITH_AES_128_CBC_SHA256,
TLS_PSK_WITH_NULL_SHA384,
TLS_PSK_WITH_NULL_SHA256

Using Wireshark, the Hello shows:

version: TLS 1.2 (0x0303)
Cipher Suites Length: 14
Cipher Suites (7 suites)

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA

The cipher order in the packet does not list everything in the group policy. I tried unlinking the cipher hardening in group policy; it then advertised more ciphers (the Windows default ciphers) and I was able to browse the Office Web Apps link.

The SfB server is running SfB 2015 CU7 and Windows 2012 R2. The following update was applied:

https://docs.microsoft.com/en-us/windows/desktop/secauthn/tls-cipher-suites-in-windows-8-1 although some updates said "not applicable" for the machine when I tried to install them again. I was able to see the cipher suites listed in the Microsoft link (https://docs.microsoft.com/en-us/windows/desktop/secauthn/tls-cipher-suites-in-windows-8-1) using Wireshark after removing the cipher hardening policy.

Does anyone know why the cipher suite order in the group policy does not take effect, or what might be conflicting with it? I have to get the hardened cipher suites to work with the load-balanced Office Web Apps link. Thanks!

Edit:

I have further tried to create a new policy as in the "Match" column of the following table. The idea is to get hardened cipher suites and apply them only to Windows 2012 R2.

The column "Wireshark" refers to the cipher suites gathered from the machine, without any group policy or cipher order, from the Wireshark "Hello".

The column "Manual cipher order" refers to the cipher order from the group policy.

The column "Match" is derived from where "Wireshark" matches "Manual cipher order".


| Wireshark | Manual cipher order | Match |
|---|---|---|
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | #N/A |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | #N/A |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
| TLS_RSA_WITH_AES_256_GCM_SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
| TLS_RSA_WITH_AES_128_GCM_SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
| TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
| TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
| TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA |
| TLS_RSA_WITH_AES_128_CBC_SHA | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA | TLS_DHE_DSS_WITH_AES_256_CBC_SHA |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA | TLS_DHE_DSS_WITH_AES_128_CBC_SHA |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | TLS_RSA_WITH_NULL_SHA256 | #N/A |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_NULL_SHA | #N/A |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | TLS_PSK_WITH_AES_256_GCM_SHA384 | #N/A |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | TLS_PSK_WITH_AES_128_GCM_SHA256 | #N/A |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | TLS_PSK_WITH_AES_256_CBC_SHA384 | #N/A |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA | TLS_PSK_WITH_AES_128_CBC_SHA256 | #N/A |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA | TLS_PSK_WITH_NULL_SHA384 | #N/A |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS_PSK_WITH_NULL_SHA256 | #N/A |
| TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | | #N/A |

However, with the newly created group policy from the "Match" column of the table above, Wireshark shows only 3 cipher suites, and gpresult /h shows the "Match" values have been applied.

Solution

What an exciting one; I have finally figured out that the text of the cipher suites does not tally between Windows 2016 and 2012 R2.

So I went into the local group policy, navigated to "Local Computer Policy" > "Computer Configuration" > "Administrative Templates" > "Network" > "SSL Configuration", took the value from the help and applied it in the group policy (group policy does not have one).

So the difference looks like the following:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (wrong in 2012 R2)

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 (provided in local policy help)
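The check below is an added example, not code from the thread, from Microsoft, or from the SfB product. It automates the two things done by hand above: comparing the policy's cipher suite order against what the host actually advertises in its ClientHello (the "Match" column in the question), and applying the reply's finding that Windows 2012 R2 spells its ECDHE suites with a curve suffix (`_P256`, `_P384`), so a suffix-less 2016-style entry is silently dropped. The policy string and the captured ClientHello list are constructed samples; the rewrite defaults to emitting both P-256 and P-384 variants, which is an assumption about the desired order rather than anything the thread states. Wireshark prints IANA names without any suffix, so the comparison strips the suffix before matching.

```python
"""Check a Windows 'SSL Cipher Suite Order' policy value against the suites a
host offers in its ClientHello, and flag the 2012 R2 ECDHE naming mismatch.
Added example with constructed sample inputs, not data from a real host."""
import re

# Constructed sample: policy value as it would be typed for a 2016-style GPO.
POLICY_FUNCTIONS = (
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,"
    "TLS_RSA_WITH_AES_256_CBC_SHA,"
    "TLS_RSA_WITH_NULL_SHA256"
)

# Constructed sample: suites a 2012 R2 host offered in its ClientHello
# (Wireshark prints the IANA names, which never carry a curve suffix).
CLIENT_HELLO_SUITES = [
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

# Windows 8.1 / 2012 R2 spell ECDHE suites with an explicit curve, e.g.
# TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 (the reply's finding).
CURVE_SUFFIX = re.compile(r"_P(256|384|521)$")


def parse_policy(functions: str) -> list:
    """Split the comma-separated policy string; ignore blanks and padding."""
    return [s.strip() for s in functions.split(",") if s.strip()]


def iana_name(suite: str) -> str:
    """Strip a Windows curve suffix so the name matches what Wireshark shows."""
    return CURVE_SUFFIX.sub("", suite)


def needs_curve_suffix(suite: str) -> bool:
    """True for an ECDHE entry written in the suffix-less 2016 spelling,
    which 2012 R2 does not recognise and therefore never advertises."""
    return suite.startswith("TLS_ECDHE_") and CURVE_SUFFIX.search(suite) is None


def rewrite_for_2012r2(suites, curves=("P256", "P384")) -> list:
    """Expand each suffix-less ECDHE entry into one entry per curve.
    Assumption: both P-256 and P-384 are wanted, P-256 first."""
    out = []
    for s in suites:
        if needs_curve_suffix(s):
            out.extend(f"{s}_{c}" for c in curves)
        else:
            out.append(s)
    return out


def explain_missing(suite: str) -> str:
    """Most likely reason a policy entry did not reach the ClientHello."""
    if needs_curve_suffix(suite):
        return "ECDHE name has no curve suffix; 2012 R2 expects ..._P256 / _P384"
    if "_WITH_NULL_" in suite:
        return "NULL cipher gives no confidentiality; drop it from a hardened order"
    return "not offered by this host; check the platform's supported suite list"


def compare(policy, advertised) -> dict:
    """Report policy entries that were applied, those that went missing (with
    a reason), and advertised suites the policy never listed."""
    adv = set(advertised)
    wanted = {iana_name(s) for s in policy}
    applied = [s for s in policy if iana_name(s) in adv]
    missing = {s: explain_missing(s) for s in policy if iana_name(s) not in adv}
    unexpected = [s for s in advertised if s not in wanted]
    return {"applied": applied, "missing": missing, "unexpected": unexpected}


def main():
    policy = parse_policy(POLICY_FUNCTIONS)
    report = compare(policy, CLIENT_HELLO_SUITES)
    for s in report["applied"]:
        print(f"APPLIED  {s}")
    for s, why in report["missing"].items():
        print(f"MISSING  {s}: {why}")
    for s in report["unexpected"]:
        print(f"EXTRA    {s} (advertised but not in the policy)")
    print("\nSame order spelled for 2012 R2:")
    print(",".join(rewrite_for_2012r2(policy)))


if __name__ == "__main__":
    main()
```

Run against a real host, `POLICY_FUNCTIONS` would be the `Functions` string from the SSL Cipher Suite Order policy and `CLIENT_HELLO_SUITES` the list copied out of the Wireshark ClientHello; every entry the script reports as "missing" with the curve-suffix reason is one that a 2012 R2 GPO needs in the `_P256`/`_P384` form, while the `#N/A` rows in the table above that carry NULL or PSK names would be reported with the other two reasons.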
