| title | Common issues when enabling TLS 1.2 |
|---|---|
| description | Describes common issues when enabling Transport Layer Security (TLS) 1.2 |
| ms.date | 05/04/2021 |
| ms.subservice | core-infra |
| ms.topic | troubleshooting |
| ms.collection | tier3 |
This article provides advice for common issues that occur when you enable TLS 1.2 support in Configuration Manager.
The following client platforms are supported by Configuration Manager but aren't supported in a TLS 1.2 environment:
- Apple OS X
- Windows devices managed with on-premises MDM
If reports don't show in the Configuration Manager console, make sure to update the computer on which you're running the console. Update the .NET Framework, and enable strong cryptography.
If you enable the FIPS security policy setting for either the client or a server, Secure Channel (Schannel) negotiation can cause them to use TLS 1.0. This behavior happens even if you disable the protocol in the registry.
To investigate, enable Secure Channel event logging, and then review Schannel events in the system log. For more information, see Restrict the use of certain cryptographic algorithms and protocols in Schannel.dll.
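The following PowerShell script is an added example, not part of the original article or of Configuration Manager itself. It audits the FIPS policy and the per-protocol Schannel registry state mentioned above, turns on Schannel event logging, and pulls recent Schannel events from the System log so you can spot a TLS 1.0 fallback. The registry paths are the documented FIPS and Schannel locations; the assumption that the System log provider is named `Schannel` and the 24-hour window are this example's choices. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the Configuration Manager docs): audit FIPS and Schannel
# protocol state, enable Schannel event logging, and list recent Schannel events.
# Assumes the System log provider name is 'Schannel'. Run elevated.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-FipsPolicyState {
    # When FipsAlgorithmPolicy\Enabled = 1, Schannel negotiation can still end up
    # on TLS 1.0 for some callers even if TLS 1.0 is disabled under Protocols\.
    $fips = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                             -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $fips)      { return 'not set (default: off)' }
    if ($fips.Enabled -eq 1)  { return 'ENABLED' }
    return 'disabled'
}

function Get-SchannelProtocolState {
    # Report Enabled / DisabledByDefault for each protocol and side.
    # 'default' means the value is absent and the OS default applies.
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path $schannel "Protocols\$proto\$side"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = if ($null -ne $props -and $null -ne $props.Enabled) { $props.Enabled } else { 'default' }
                DisabledByDefault = if ($null -ne $props -and $null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { 'default' }
            }
        }
    }
}

function Enable-SchannelEventLogging {
    # EventLogging = 7 logs Schannel errors, warnings and informational events.
    # The new level takes full effect after a reboot.
    New-ItemProperty -Path $schannel -Name EventLogging -PropertyType DWord -Value 7 -Force | Out-Null
}

function Get-RecentSchannelEvents {
    param([int]$Hours = 24)
    # Event 36874 is the "no common cipher suite" failure quoted later in the
    # article; all Schannel events in the window are returned so the full
    # negotiation history is visible.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
                      @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
        Sort-Object TimeCreated -Descending
}

"FIPS policy: $(Get-FipsPolicyState)"
Get-SchannelProtocolState | Format-Table -AutoSize
Enable-SchannelEventLogging
Get-RecentSchannelEvents -Hours 24 | Where-Object Id -eq 36874 | Format-Table -AutoSize
```

If the FIPS line reports `ENABLED` while the table shows TLS 1.0 disabled, that combination is exactly the case the paragraph above describes, and the Schannel events will show which side negotiated the older protocol.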
If SQL Server communication fails and returns an SslSecurityError error, verify the following settings:
- Update .NET Framework, and enable strong cryptography on each machine
- Update SQL Server on the host server
- Update the SQL Server client components on every system that communicates with SQL Server, for example the site servers, the SMS Provider, and site system role servers.
If the Configuration Manager client doesn't communicate with site roles, verify that you updated Windows to support TLS 1.2 for client-server communication by using WinHTTP. Common site roles include distribution points, management points, and state migration points.
If the reporting services point doesn't configure reports, check the SRSRP.log for the following error entry:
```
The underlying connection was closed:
An unexpected error occurred on a receive.
```
To resolve this issue, follow these steps:
- Update .NET Framework, and enable strong cryptography on all relevant computers.
- After you install any updates, restart the SMS_Executive service.
If the service connection point doesn't upload data to SCCMConnectedService, update the .NET Framework, and enable strong cryptography on each computer. After you make the changes, remember to restart the computers.
If the Intune onboarding dialog box appears when the console tries to connect to the Microsoft Intune admin center, update the .NET Framework, and enable strong cryptography on each computer. After you make the changes, remember to restart the computers.
When you try to create applications in Microsoft Entra ID, if the Azure Services onboarding dialog box immediately fails after you select Sign in, update the .NET Framework, and enable strong cryptography. After you make the changes, remember to restart the computers.
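Several of the symptoms above (reports not showing, the SQL Server `SslSecurityError`, the reporting services point, the service connection point, and the Intune and Azure onboarding dialogs) share one fix: update the .NET Framework and enable strong cryptography, and for client-to-site-role traffic make sure WinHTTP offers TLS 1.2. The script below is an added example, not part of the original article or of Configuration Manager, that checks those registry values on the local computer and, with `-Apply`, sets them. The .NET and WinHTTP key paths and value names are the documented ones; the choice of `0x0A00` (TLS 1.1 and TLS 1.2) rather than `0x0800` (TLS 1.2 only) for WinHTTP is this example's assumption. Run it elevated and restart the computer afterwards.

```powershell
# Added example (not from the Configuration Manager docs): verify and optionally
# apply the .NET Framework strong-cryptography and WinHTTP TLS 1.2 registry values.
# Run elevated; restart the computer (or at least SMS_Executive and the console)
# after applying. 0x0A00 = TLS 1.1 + TLS 1.2 for WinHTTP (assumption; 0x0800 = TLS 1.2 only).

param([switch]$Apply)

$dotnetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727'
)
$winHttpKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)

function Test-RegistryValue {
    param([string]$Path, [string]$Name, [int]$Expected)
    # Returns one row per value: what is expected, what is present, and whether they match.
    $props  = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $actual = if ($null -ne $props) { $props.$Name } else { $null }
    [pscustomobject]@{
        Path     = $Path
        Name     = $Name
        Expected = ('0x{0:X}' -f $Expected)
        Actual   = if ($null -eq $actual) { 'missing' } else { '0x{0:X}' -f [int]$actual }
        Ok       = ($actual -eq $Expected)
    }
}

function Set-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value)
    # Creates the key if needed, then writes (or overwrites) the DWORD value.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

$wanted = @()
foreach ($k in $dotnetKeys) {
    # SystemDefaultTlsVersions makes .NET follow the OS Schannel defaults;
    # SchUseStrongCrypto stops .NET 4.x from negotiating only its older defaults.
    $wanted += @{ Path = $k; Name = 'SystemDefaultTlsVersions'; Value = 1 }
    $wanted += @{ Path = $k; Name = 'SchUseStrongCrypto';       Value = 1 }
}
foreach ($k in $winHttpKeys) {
    # DefaultSecureProtocols controls which TLS versions WinHTTP callers (such as
    # the Configuration Manager client talking to site roles) are allowed to offer.
    $wanted += @{ Path = $k; Name = 'DefaultSecureProtocols'; Value = 0x0A00 }
}

if ($Apply) {
    foreach ($w in $wanted) { Set-RegistryDword @w }
}

$report = foreach ($w in $wanted) { Test-RegistryValue -Path $w.Path -Name $w.Name -Expected $w.Value }
$report | Format-Table -AutoSize

if ($report.Ok -contains $false) {
    Write-Warning 'One or more TLS 1.2 settings are missing or wrong. Re-run with -Apply (elevated), then restart the computer.'
}
```

Run it once without `-Apply` on the console computer, the site server, the SMS Provider host, and each site system role server to see which values are missing; the WinHTTP values matter on the clients as well. The registry values only take effect for newly started processes, which is why the article tells you to restart the computer or at least the SMS_Executive service and the console after applying them.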
The Azure virtual machines used by the cloud management gateway support TLS 1.2. Supported client versions automatically use TLS 1.2.
The SMSAdminui.log may contain an error similar to the following example:
```
Microsoft.ConfigurationManager.CloudBase.AAD.AADAuthenticationException
Service returned error. Check InnerException for more details
at Microsoft.ConfigurationManager.CloudBase.AAD.AADAuthenticationContext.GetAADAuthResultObject
...
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException
Service returned error. Check InnerException for more details
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.RunAsyncTask
...
System.Net.WebException
The underlying connection was closed: An unexpected error occurred on a receive.
at System.Net.HttpWebRequest.GetResponse
```
In the System event log, Schannel event ID 36874 may be logged with the following description: "A TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed." This event means the client offered TLS 1.2 but no cipher suite was common to both sides, so check the cipher suite configuration on the server as well as the protocol settings.