
ADFS Using TLS 1.2 with ADFS Proxy

Anonymous
2018-11-19T12:27:12+00:00

We utilize ADFS 2.0 on Windows Server 2008 R2 server with an ADFS Proxy server also Windows Server 2008 R2. We are trying to enable TLS 1.2 for some Microsoft Education apps that use our ADFS to authenticate the Office 365 email. Enabling it on ADFS worked while students are in district, however when going home and trying to do the same thing, we get an ADFS error. We tried enabling TLS 1.2 on the ADFS Proxy, but it still errors out. Looking for suggestions on what might need to be done.


Locked question. This question was migrated from the Microsoft Support Community.


Answer accepted by question author

Anonymous
2018-11-20T03:56:56+00:00

Hi Kelly_182,

Per checking, TLS 1.2 is not enabled on Win server 2008 R2 by default and it requires a specific update to be installed on the server. Please double check whether it's installed on your server: https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi

After it's installed, please make sure both TLS 1.2 client and server entries in Registry are set to enable. Then restart the server and check whether the issue persists.

If the issue still persists, please open Event Viewer > Applications and Services Logs > ADFS 2.0 > Admin > in "View" menu using "Add/Remove Columns…" > add the "Correlation Id" column and look up the reference number in your first screenshot to find the related error. Then please export the specific Event and provide to me in PM (Private Message).

Regards,

Leo



6 additional answers

  1. Anonymous
    2018-11-22T07:03:41+00:00

    Hi Kelly_182,

    How are things going? Please feel free to share any updates. 

    Regards,

    Leo

  2. Anonymous
    2018-11-19T20:33:45+00:00

    I did the steps outlined in the link..

    I enabled TLS1.2 on both the ADFS and ADFS-Proxy

    I added and enabled the (3) RC4 entries on both the ADFS and ADFS-Proxy

    I added one additional CipherSuite Entry referencing TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 on both the ADFS and ADFS-Proxy

    I then went out of district but am still getting the same error when trying to access OWA (ADFS error)

    Any additional help would be appreciated as our teachers want to start using the MS Learning apps, and it takes students back to ADFS to login.

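The post above reports that the error still appears only when students connect from outside the district. The following is an added example (not part of the original thread) that reproduces that "from home" check from any external client: it opens one handshake per TLS version against the proxy's public name and records which versions the proxy actually accepts. It assumes a client with .NET 4.5 or later (SslProtocols.Tls12 is not defined in .NET 3.5), and `sts.example.edu` is a placeholder for the federation service name.

```powershell
# Added example, not from the original thread: probe the AD FS proxy's public
# name from outside, one TLS version at a time. Run on a client with .NET 4.5
# or later. $ProxyHost is a placeholder for the federation service name.

function Test-TlsVersion {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [Parameter(Mandatory = $true)][System.Security.Authentication.SslProtocols]$Protocol,
        [int]$Port = 443
    )
    $Client = New-Object System.Net.Sockets.TcpClient
    $Result = New-Object PSObject -Property @{
        HostName = $HostName; Requested = $Protocol; Negotiated = $null
        Cipher = $null; Ok = $false; Error = $null
    }
    try {
        $Client.Connect($HostName, $Port)
        # Certificate validation is deliberately skipped: the only question here
        # is whether the server completes a handshake for this protocol version.
        $Callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $Ssl = New-Object System.Net.Security.SslStream($Client.GetStream(), $false, $Callback)
        # Offer exactly one protocol so a failure maps to that version.
        $Ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        $Result.Negotiated = $Ssl.SslProtocol
        $Result.Cipher = '{0}/{1}' -f $Ssl.CipherAlgorithm, $Ssl.CipherStrength
        $Result.Ok = $true
        $Ssl.Dispose()
    } catch {
        # The inner exception carries the SCHANNEL detail (e.g. the alert received).
        $Result.Error = $_.Exception.GetBaseException().Message
    } finally {
        $Client.Close()
    }
    $Result
}

function Get-TlsSupport {
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)
    # Ssl3 is included only to confirm it is really off; 'Tls' means TLS 1.0.
    'Ssl3', 'Tls', 'Tls11', 'Tls12' | ForEach-Object {
        Test-TlsVersion -HostName $HostName -Port $Port `
            -Protocol ([System.Security.Authentication.SslProtocols]$_)
    }
}

$ProxyHost = 'sts.example.edu'   # placeholder: the proxy's public federation service name
Get-TlsSupport -HostName $ProxyHost |
    Format-Table Requested, Ok, Negotiated, Cipher, Error -AutoSize
```

For the configuration described in the thread, the expected table is Ok = False for Ssl3, Tls and Tls11 and Ok = True for Tls12; if Tls12 also fails, the proxy's SCHANNEL Server side is not offering it, regardless of what is set on the federation server. The proxy-to-federation-server hop is not visible from outside: running `Get-TlsSupport` on the proxy against the internal federation service name shows what the federation server accepts, but not what the proxy's own .NET stack sends, and that second half is only visible in the AD FS 2.0 Admin events.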
  3. Anonymous
    2018-11-19T13:56:15+00:00

    We basically enabled TLS 1.2 on both the ADFS and the ADFS proxy similar to the directions you provided. SSL 2, SSL 3, TLS 1.0, and TLS 1.1 were all disabled. We did not do anything with ciphers or hashes as I am not an expert with enabling or disabling stuff in regedit. With the setup mentioned, inside the district, it works, when going to O365 email or using a Microsoft learning app to log into the email from home, below is the screenshot what they see.

    (Private information removed by moderator to protect your privacy)

  4. Anonymous
    2018-11-19T13:30:59+00:00

    Hi Kelly_182,

    Please follow the steps in this article to modify the TLS 1.2 registry to enable it on proxy server: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs

    If this is already done, I'd like to gather following information to narrow down the possible cause of the issue.

    1. May I ask what the error message is when trying to log on the apps externally?

    2. What is the error message you got from the proxy server?

    Regards,

    Leo

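Both the accepted answer (install KB3140245, set the TLS 1.2 Client and Server entries, then find the event by Correlation Id) and the answer above that links the AD FS SSL/TLS protocol article describe the same registry procedure. The following is an added example, not from the thread or from Microsoft, that scripts that procedure for a Windows Server 2008 R2 AD FS 2.0 federation server or proxy, reads the result back, and looks up the AD FS Admin event that matches a Correlation ID. It assumes an elevated PowerShell session, that KB3140245 is already installed, that the event channel is named `AD FS 2.0/Admin`, and a placeholder Correlation ID. The .NET keys at the end go one step beyond the thread's links: `SchUseStrongCrypto` is the value the linked AD FS article sets for .NET applications, and `SystemDefaultTlsVersions` is the value Microsoft's .NET TLS guidance adds so that .NET follows the SCHANNEL settings; which of the two the installed .NET version honours depends on its version and update level.

```powershell
# Added example, not from the original thread: enable TLS 1.2 in SCHANNEL on a
# Windows Server 2008 R2 AD FS 2.0 server or proxy, read the state back, and
# find the "AD FS 2.0/Admin" event for a Correlation ID. Run elevated after
# KB3140245 is installed, then reboot. Channel name and Correlation ID below
# are assumptions/placeholders.

$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory = $true)][string]$Protocol,   # 'SSL 3.0', 'TLS 1.0', 'TLS 1.2', ...
        [bool]$Enabled = $true
    )
    # SCHANNEL keeps separate Client and Server subkeys. On the proxy the Server
    # side faces the browser; the Client side is used when the proxy itself opens
    # TLS connections. Both must be on for TLS 1.2 to work end to end.
    $EnabledValue = [int]$Enabled            # 1 = protocol allowed
    $DisabledValue = [int](-not $Enabled)    # 0 = offered even if the app does not ask for it
    foreach ($Side in 'Client', 'Server') {
        $Key = Join-Path (Join-Path $Schannel $Protocol) $Side
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        New-ItemProperty -Path $Key -Name 'Enabled' -Value $EnabledValue -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $Key -Name 'DisabledByDefault' -Value $DisabledValue -PropertyType DWord -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # Read back what is configured so it can be verified (or pasted into a
    # support case) without opening regedit.
    Get-ChildItem $Schannel | ForEach-Object {
        $Proto = $_.PSChildName
        foreach ($Side in 'Client', 'Server') {
            $Key = Join-Path $_.PSPath $Side
            if (Test-Path $Key) {
                $Values = Get-ItemProperty $Key
                New-Object PSObject -Property @{
                    Protocol = $Proto; Side = $Side
                    Enabled = $Values.Enabled; DisabledByDefault = $Values.DisabledByDefault
                }
            }
        }
    }
}

function Get-AdfsEventByCorrelationId {
    param([Parameter(Mandatory = $true)][string]$CorrelationId)
    # The Correlation ID on the AD FS error page is a GUID recorded with the
    # matching Admin-log event. Match it in the event XML rather than only in
    # Message, since it is not always part of the message text.
    Get-WinEvent -LogName 'AD FS 2.0/Admin' -ErrorAction Stop |
        Where-Object { $_.ToXml() -match [regex]::Escape($CorrelationId) }
}

# --- the thread's configuration: TLS 1.2 on, older protocols off ---
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true
foreach ($Old in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    Set-SchannelProtocol -Protocol $Old -Enabled $false
}

# --- .NET side: AD FS 2.0 and its proxy are .NET applications and choose TLS
# versions themselves. SchUseStrongCrypto (linked AD FS article) is honoured by
# .NET 4.5+; SystemDefaultTlsVersions (Microsoft .NET TLS guidance) makes .NET
# follow the SCHANNEL settings above where the installed framework supports it.
foreach ($NetKey in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319',
                    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
                    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727') {
    if (Test-Path $NetKey) {
        New-ItemProperty -Path $NetKey -Name 'SchUseStrongCrypto' -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $NetKey -Name 'SystemDefaultTlsVersions' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

Get-SchannelProtocolState | Sort-Object Protocol, Side | Format-Table -AutoSize

# After rebooting and reproducing the error from outside, look up the request by
# the Correlation ID on the error page (placeholder value) and export the event.
$CorrelationId = '00000000-0000-0000-0000-000000000000'
Get-AdfsEventByCorrelationId -CorrelationId $CorrelationId |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
Get-AdfsEventByCorrelationId -CorrelationId $CorrelationId |
    ForEach-Object { $_.ToXml() } | Out-File "$env:TEMP\adfs-$($CorrelationId).xml"
```

Run the same script on both the federation server and the proxy; the SCHANNEL keys only take effect after a reboot. The `Get-SchannelProtocolState` table is the quickest way to confirm that the Client entries, not only the Server entries, carry Enabled = 1 and DisabledByDefault = 0 for TLS 1.2, which is the detail the accepted answer asks to double-check.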