New-AzureADSSOAuthenticationContext using TLS1.0

JFNK 71 Reputation points
2022-08-22T13:48:31.55+00:00

I have monthly, manual process to roll my AzureADSSOAcc Kerberos decryption key. This month it is failing when I authenticate to the 365 tenant using the New-AzureADSSOAuthenticationContext cmdlet. The login and MFA work, but then an error is thrown up. The error is "AADSTS1002016: You are using TLS version 1.0, 1.1 and/or 3DES cipher which are deprecated...."

I am running this on a Windows Srv 2016 server

The error message points me to https://go.microsoft.com/fwlink/?linkid=2161187, and following the recommendations on there I have ensured that the latest AAD Connect (2.1.16) is installed, so the AzureADSSO.psd1 module is up to date.

I have added a TLS1.2 key (with Client and Server subkeys) under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols, even though the article suggested this isn't really necessary on Srv 2016, but no joy.

I then explicitly disabled TLS1.0 and TLS1.1 client in the registry but then the New-AzureADSSOAuthenticationContext cmdlet fails to run at all (it reports HttpRequestException).

After a bit more testing I have found New-AzureADSSOAuthenticationContext always throws up the HttpRequestException error unless TLS1.0 is enabled. How can I get it to use TLS1.2?

Thanks


Accepted answer

    Morten Skrubbeltrang 156 Reputation points
    2022-08-23T10:52:16.043+00:00

    Hi, please try to make sure TLS 1.2 is enabled for the .Net Framework by checking/setting the following registry keys:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
    "SystemDefaultTlsVersions"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001
    "SystemDefaultTlsVersions"=dword:00000001

    I've seen this solved by these exact keys on a Windows Server 2016.

    (ref. https://www.easy365manager.com/knowledgebase/aadsts1002016-you-are-using-tls-version-1-0-1-1-and-or-3des-cipher/)

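An audit script for the values the answer above sets, added here as an example and not part of the original thread. It reports each of the two DWORD values under the .NET Framework keys as OK, MISSING, or WRONG, flags a similarly named value (a typo, as in the follow-up reply) so it is not mistaken for the real one, and with -Fix writes the correct DWORDs. The Wow6432Node paths are an assumption for the 32-bit .NET Framework on 64-bit hosts; run it from an elevated PowerShell session.

```powershell
# Added example (not from the thread): audit/fix the .NET Framework TLS registry values.
# Key paths and value names are those from the accepted answer; the Wow6432Node
# paths are an assumption covering the 32-bit .NET Framework on 64-bit Windows.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$expected = @('SystemDefaultTlsVersions', 'SchUseStrongCrypto')

function Test-DotNetTlsRegistry {
    param([switch]$Fix)   # -Fix creates or corrects any value that is not OK
    foreach ($path in $paths) {
        if (-not (Test-Path $path)) { continue }   # key absent on this host
        $key = Get-Item $path
        foreach ($name in $expected) {
            $actual = $key.GetValue($name, $null)
            $kind   = if ($null -ne $actual) { $key.GetValueKind($name) }
            # A value stored under a near-miss name (e.g. a typo) is ignored by .NET,
            # so surface it rather than letting it look like the setting is present.
            $nearMiss = $key.GetValueNames() | Where-Object {
                $_ -ne $name -and $_ -like "*$($name.Substring(0, 8))*"
            }
            $status = if ($actual -eq 1 -and $kind -eq 'DWord') { 'OK' }
                      elseif ($null -eq $actual -and $nearMiss) { "MISSING (similar name present: $($nearMiss -join ', '))" }
                      elseif ($null -eq $actual) { 'MISSING' }
                      else { "WRONG (value=$actual type=$kind)" }
            if ($Fix -and $status -ne 'OK') {
                New-ItemProperty -Path $path -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
                $status = 'FIXED'
            }
            [pscustomobject]@{ Path = $path; Name = $name; Status = $status }
        }
    }
}

Test-DotNetTlsRegistry | Format-Table -AutoSize
# Re-run as: Test-DotNetTlsRegistry -Fix
# then open a new PowerShell session before retrying New-AzureADSSOAuthenticationContext.
```

The values are read by the .NET Framework at process start, so a fresh PowerShell session is needed after changing them.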

1 additional answer

    JFNK 71 Reputation points
    2022-08-24T07:32:16.323+00:00

    Thanks Morten

    In fact I only needed to add the keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319, and that resolved the issue.

    Embarrassingly, I had added SchUseStrongCrypto there previously, but see I had made a typo. Grrr.

    Thanks again
