cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Microsoft Security Tech Accelerator
Dec 06 2023, 07:00 AM - 12:00 PM (PST)
Microsoft Tech Community
Find out more
SharePoint and Chrome Provider Host Application (PHA) Cipher Issue (and Firefox)
By
ronalg
Published Feb 08 2019 12:56 PM 579 Views
ronalg
Microsoft
‎Feb 08 2019 12:56 PM

SharePoint and Chrome Provider Host Application (PHA) Cipher Issue (and Firefox)

‎Feb 08 2019 12:56 PM

First published on MSDN on Sep 22, 2017
A customer recently ran into an issue where their SharePoint 2016 ASP.NET provider hosted applications, running on Windows Server 2016, and IIS 10 started throwing crypto errors. In Chrome, we saw "The webpage at https://app-[GUID].sharepointaddins.com/siteURL might be temporarily down or it may have moved permanently to a new address. ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY". After some research, reading on my part, and help from the always knowledgeable Dean Cron , we have an explanation. Newer versions of Chrome follow http/2 AKA HTTP 2.0 rules, which black lists some older ciphers. The default IIS 10 settings still let you negotiate to use those ciphers.

Other problematic scenarios include opening documents in Exchange via Office Web Applications/Office Online Server. Changes can be made on OWA/OOS servers.

Here are two ways to fix this.

https://bugs.chromium.org/p/chromium/issues/detail?id=529994

Change your browser settings


This probably isn't a great idea, because you lose all the security enhancements with HTTP/2.

    1. Disable HTTP/2 in Chrome and/or Firefox

 

    1. In Chrome: run the browser with the --disable-http2 switch

 

    1. In Firefox: type about:config in the browser and confirm the security prompt; then search for the network.http.spdy.enabled.http2 setting and set it to false



Change your IIS (web server) settings



    1. Use regedit to adjust the cipher suite configuration. Below is a sample .reg file that corrected this in a test lab.


        1. [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
          "Functions"="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"


 

    1. Use Nartac to adjust cipher suite settings- https://www.nartac.com/Products/IISCrypto/Download

        1. I've never used this product, so proceed at your own risk. I saw it mentioned a few places for configuration, specific to this scope of issue.


 

0 Likes
Like
Version history
Last update:
‎Apr 28 2020 12:36 PM
Updated by:
Labels