New-AzureADSSOAuthenticationContext using TLS1.0

JFNK 71 Reputation points

I have a monthly, manual process to roll my AzureADSSOAcc Kerberos decryption key. This month it is failing when I authenticate to the 365 tenant using the New-AzureADSSOAuthenticationContext cmdlet. The login and MFA work, but then an error is thrown up. The error is "AADSTS1002016: You are using TLS version 1.0, 1.1 and/or 3DES cipher which are deprecated...."

I am running this on a Windows Srv 2016 server.

The error message points me to, and following the recommendations on there I have ensured that the latest AAD Connect (2.1.16) is installed, so the AzureADSSO.psd1 module is up to date.

I have added a TLS1.2 key (with Client and Server subkeys) under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols, even though the article suggested this isn't really necessary on Srv 2016, but no joy.

I then explicitly disabled TLS1.0 and TLS1.1 client in the registry but then the New-AzureADSSOAuthenticationContext cmdlet fails to run at all (it reports HttpRequestException).

After a bit more testing I have found New-AzureADSSOAuthenticationContext always throws up the HttpRequestException error unless TLS1.0 is enabled. How can I get it to use TLS1.2?


Azure Active Directory

Accepted answer
  1. Morten Skrubbeltrang 156 Reputation points

    Hi, please try to make sure TLS 1.2 is enabled for the .Net Framework by checking/setting the following registry keys:

    Windows Registry Editor Version 5.00



    I've seen this solved by these exact keys on a Windows Server 2016.


1 additional answer

  1. JFNK 71 Reputation points

    Thanks Morten

    In fact I only needed to add the keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319, and that resolved the issue.

    Embarrassingly, I had added SchUseStrongCrypto there previously, but see I had made a typo. Grrr.

    Thanks again
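
A read-only audit of the .NET Framework registry values this thread turns on, written as an added example that is not part of either post or of any Microsoft module. It reports whether `SchUseStrongCrypto` is set correctly and flags misspelled look-alike value names, which .NET silently ignores. Assumptions not taken from the page: the companion value `SystemDefaultTlsVersions` and the `WOW6432Node` path come from Microsoft's published TLS 1.2 guidance, and `Get-EditDistance` is a helper defined here.

```powershell
# Added example: read-only check of the .NET Framework 4.x TLS registry values.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',              # 64-bit processes
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'   # 32-bit processes (assumed relevant)
)
# SchUseStrongCrypto is named in the thread; SystemDefaultTlsVersions is an assumption
# taken from Microsoft's TLS 1.2 guidance, not quoted on the page.
$expected = 'SchUseStrongCrypto', 'SystemDefaultTlsVersions'

function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance, case-insensitive (registry value names ignore case).
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    $prev = 0..$b.Length
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = @($i) + (@(0) * $b.Length)
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = [int]($a[$i - 1] -ne $b[$j - 1])
            $cur[$j] = [Math]::Min([Math]::Min($cur[$j - 1] + 1, $prev[$j] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    $prev[$b.Length]
}

foreach ($path in $paths) {
    if (-not (Test-Path $path)) { Write-Output "MISSING KEY    $path"; continue }
    $key   = Get-Item $path
    $names = $key.GetValueNames()
    foreach ($want in $expected) {
        $value = $key.GetValue($want, $null)
        if ($null -eq $value) {
            Write-Output "NOT SET        $path\$want"
        } elseif ($key.GetValueKind($want) -ne 'DWord' -or $value -ne 1) {
            Write-Output "WRONG VALUE    $path\$want = $value, expected DWORD 1"
        } else {
            Write-Output "OK             $path\$want = 1"
        }
        # A near-miss name (1 to 3 edits away) is most likely a typo of the intended value.
        $names | Where-Object { $_ -ne $want -and (Get-EditDistance $_ $want) -le 3 } |
            ForEach-Object { Write-Output "POSSIBLE TYPO  $path\$_ (did you mean $want?)" }
    }
}
```

A process that is already running reads these values at start-up, so open a new PowerShell session before retrying the cmdlet after any correction.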