Windows Server 2019 disable legacy TLS in IIS via certificate binding is unavailable

pauldavidc
New Contributor

Hi,

When we read about "TLS version enforcement capabilities now available per certificate binding on Windows Server 2019", it sounded perfect. However, we cannot get it to work? We are on OS Build 17763.914 and when we go to the site binding the screenshot below is all we get. According to https://docs.microsoft.com/en-us/security/disable-legacy-tls we should also have a Disable Legacy TLS checkbox.

[Screenshot: clipboard_image_0.png]

The version of Windows Server/IIS we have is the latest as per Windows Update and is after the version mentioned in the article. We have also tried to do it via "netsh http add sslcert ...", but when we add the argument disablelegacytls=enable it fails, even though it is listed in the help as an argument.

Does something need turning on or setting?  Tried a couple of things, but no luck.

Any hints or assistance much appreciated.

Regards

Paul

1 Reply

This actually looks like Microsoft never ended up implementing it, unless there is some undocumented setting or requirement? Does anybody know anything about this? Thanks.

Paul