Supportability of XBAP + WCF Message Security + ClientFormsAuthenticationMembershipProvider + TLS 1.2-only in IE11 / PresentationHost.exe (.NET 4.8)

Sivagnanam Munusamy 0 Reputation points
2025-06-19T08:20:20.3133333+00:00

We are troubleshooting the following architecture scenario:

• Client: XBAP application (.xbap) running in IE11/PresentationHost.exe on Windows Server 2022

• WCF Service Binding: wsHttpBinding with SecurityMode="Message Security" (certificate used for encryption)

• XBAP uses ClientFormsAuthenticationMembershipProvider for login/authentication

• TLS Configuration:

	○ DotNET TLS Settings-

		a. App.config - <AppContextSwitchOverrides value="Switch.System.Net.DontEnableSchUseStrongCrypto=false;Switch.System.Net.UseSystemDefaultTlsVersions=true"/>,

		b. Programmatically enable TLS 1.2 in the XBAP: System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12

	○ TLS 1.2 enabled and enforced (TLS 1.0 and TLS 1.1 explicitly disabled via SCHANNEL registry)

	○ Cipher Suites modern and in compliance with Windows guidelines "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002"

• Certificates used: 2048-bit RSA with SHA-256

• XBAP Client and web Server can access cert private key

Observed issue:

• When operating in TLS 1.2-only mode, the WCF Message Security negotiation fails with the following error:

	System.ServiceModel.Security.SecurityNegotiationException: SOAP security negotiation failed.

---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm.

• If TLS 1.0 is enabled, the same XBAP application works successfully.

Question for Microsoft Support:

1. Why is this scenario not working in TLS 1.2-only mode?

2. Is there any guidance or documentation on handling this for production deployments?
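As an added diagnostic check (not part of the question or of either answer): a PowerShell script that dumps, on the machine it runs on, the SCHANNEL protocol switches, the .NET Framework 4.x strong-crypto / system-default-TLS registry values and the cipher-suite order at the policy key quoted above. Running it on both the XBAP client and the WCF host shows whether the two sides still share an enabled TLS 1.2 cipher suite; the registry paths are the standard Windows locations, the output layout is my own.

```powershell
# Added diagnostic check (not from the question or the answers). Run on the
# XBAP client and on the WCF host, then compare the two outputs side by side.
$protocols = 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

foreach ($p in $protocols) {
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $base "$p\$side"
        if (Test-Path $key) {
            $v = Get-ItemProperty -Path $key
            # Enabled=0 or DisabledByDefault=1 switches the protocol off for that side.
            '{0,-8} {1,-6} Enabled={2} DisabledByDefault={3}' -f $p, $side, $v.Enabled, $v.DisabledByDefault
        } else {
            '{0,-8} {1,-6} (no key: OS default applies)' -f $p, $side
        }
    }
}

# Machine-wide .NET Framework 4.x switches. The App.config AppContextSwitchOverrides
# shown in the question sets the same two knobs for one application only.
foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319') {
    if (Test-Path $net) {
        $v = Get-ItemProperty -Path $net
        '{0}: SchUseStrongCrypto={1} SystemDefaultTlsVersions={2}' -f $net, $v.SchUseStrongCrypto, $v.SystemDefaultTlsVersions
    }
}

# Cipher-suite order at the local policy key named in the question. "Functions"
# is REG_MULTI_SZ here; the Group Policy variant stores a comma-separated string.
$policy = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
$item = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
if ($item -and $item.Functions) {
    'Configured cipher-suite order:'
    if ($item.Functions -is [string]) { $item.Functions -split ',' } else { $item.Functions }
}

# Effective cipher suites after policy is applied (Windows Server 2016 and later),
# with the protocol versions each suite is usable with.
Get-TlsCipherSuite | Select-Object Name, Protocols | Format-Table -AutoSize
```

A suite that appears on one machine's effective list but not the other's, or a TLS 1.2 key with Enabled=0 on the Client side of the XBAP box, is the first thing to rule out before looking at the WCF binding itself.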

2 answers

  1. Bruce (SqlWork.com) 77,686 Reputation points Volunteer Moderator
    2025-06-21T18:29:17.3566667+00:00

    PresentationHost.exe does not support TLS 1.2 by default. Your code will need to enable it:

    https://stackoverflow.com/questions/52859033/force-presentationhost-to-use-tls-1-2

    Note: PresentationHost is no longer supported.

    https://learn.microsoft.com/en-us/dotnet/desktop/wpf/app-development/xbap-faq


  2. Sivagnanam Munusamy 0 Reputation points
    2025-06-23T05:42:25.8066667+00:00

    Hi Bruce,

    Thank you for your reply.

    I have already enabled TLS 1.2 programmatically, as mentioned above.

    Now I have tried to include the following programmatically:

    ○ DotNET TLS Settings- a. App.config - <AppContextSwitchOverrides value="Switch.System.Net.DontEnableSchUseStrongCrypto=false;Switch.System.Net.UseSystemDefaultTlsVersions=true"/>,

    b. Programmatically enable TLS 1.2 in the XBAP:

    System.Net.ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

    Even with the above implementation, I have got the same error.

    System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm.

    The XBAP works when TLS 1.0 is explicitly enabled via the SCHANNEL registry.

    Our requirement is to disable TLS 1.0 and 1.1 and enable only TLS 1.2 due to security needs. With this in mind,

    please guide us on how to achieve it.

    Otherwise, please share the official document/link stating that XBAP with TLS 1.2 is not supported.

    Waiting for your reply.
