The [unofficial] guide for SharePoint 2013 (and 2010) working with TLS 1.2 only


 

There are several resources out there claiming SharePoint 2013 and 2010 are not compatible with TLS 1.2, but until now there has been no official stance from Microsoft either way. This post is still not the official response, but it is the first step in that direction. Official documentation was to follow, and it has since been published: the official supportability is explained in the links below, and the information in this post is still valid:

Enable TLS and SSL support in SharePoint 2013

And

Enable TLS 1.1 and TLS 1.2 support in SharePoint Server 2010

 

 

Background

TLS stands for Transport Layer Security and it is the replacement for Secure Sockets Layer (SSL). SSLv3 is the last of the SSL protocols; it has long been deprecated in practice and was officially deprecated in 2015. TLS 1.0 and TLS 1.1 are still valid protocols, but most modern browsers disable them by default, and new Windows security patches disable old protocols. Most important is the fact that most companies are tightening security, making sure SSLv3, TLS 1.0 and TLS 1.1 are disabled and only the more secure TLS 1.2 is enabled.

Starting with the October 2014 security bulletin there were several changes and patches to the way encryption and hash algorithms are treated in Windows. One of the most important is the one that disables SSLv3 in .NET. That patch is only for .NET 4 and later, and it is what makes it possible for SharePoint 2013 to work with TLS 1.2 without code changes.

SharePoint 2010 runs on .NET 3.5, so the patches mentioned above are of no use to it. This is what prevented SPS 2010 from being compatible with TLS 1.2, until a patch released in May 2016: KB 3154518. Now SharePoint 2010 can also work with TLS 1.2 only.

SharePoint relies heavily on SQL Server, and SQL Server versions prior to SQL 2016 (i.e. SQL 2008/2008 R2/2012/2014) do not support TLS 1.2 before KB 3135244. If you are up to date with your patches you should be fine on this point.

SharePoint relies on WebDAV for Explorer view. Windows Explorer prior to the Windows 10 version is not compatible with TLS 1.2 (this is actually a WinHTTP issue). This was resolved by KB 3140245.

 

Steps to enable SharePoint 2013/2010 to work with TLS 1.2 and disable the other protocols

 

– Make a backup before making any changes

It goes without saying. Also make sure you do the changes in your test and staging farm before going to production.

 

– Update SQL Server (2008/2008 R2/2012 or 2014), Client Components and Windows to support TLS 1.2

It is possible you already have the build that supports TLS 1.2. You can check this, and download and apply any hotfixes you need, here: https://support.microsoft.com/en-us/kb/3135244

Apply the server update to the SQL Server machines only and the client hotfixes to ALL machines in the farm. You may need to apply the Windows patches as well (all in the KB).

 

– Install hotfix for .NET 3.5.1 to enable TLS 1.2 for .NET (SharePoint 2010 ONLY)

Skip this step for SharePoint 2013. Download the x64 bits version of this .NET update to install in ALL servers in the farm: https://support.microsoft.com/en-us/kb/3154518

Open command prompt as administrator. Run these commands:

 
%windir%\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v DefaultSecureProtocols /t REG_DWORD /d 1
%windir%\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v DefaultSecureProtocols /t REG_DWORD /d 1

 

 

– Enable Strong Cryptography for .NET 4+ (SharePoint 2013)

This functionality is already in .NET 4+ since October 2013. Make sure your bits are more recent than that.

This is necessary to enable TLS 1.x for SharePoint.

Open command prompt as administrator and run these commands:

 
%windir%\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 1
%windir%\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 1
 

 

– Disable the protocols you DO NOT want. See this: https://support.microsoft.com/en-us/kb/245030

 

In the example below, you are making TLS 1.2 default and disabling SSL but you are not disabling the other TLS protocols:

1. Open command prompt as administrator

2. Run: notepad %temp%\enableTLSOnly.reg

3. Click yes to the warning below:

[screenshot]

Then paste this into notepad:

Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

4. Save the file (File | Save or type Ctrl + S)

5. Back on command prompt run: start %temp%\enableTLSOnly.reg

6. Click yes to apply the changes to the warning below:

[screenshot]

 

7. The registry should look like this:

[screenshot: resulting SCHANNEL\Protocols keys in the registry editor]

 

In the example below you enable only TLS 1.2:

1. Open command prompt as administrator

2. Run: notepad %temp%\enableTLS12Only.reg

3. Click yes to the warning below:

[screenshot]

Then paste this into notepad:

Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
 

 

4. Save the file (File | Save or type Ctrl + S)

5. Back on command prompt run: start %temp%\enableTLS12Only.reg

6. Click yes to apply the changes to the warning below:

[screenshot]
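After applying either .reg file, the useful check is what a server actually negotiates, not only what the registry says. The following PowerShell is an added example and is not part of the original post: it opens one TLS handshake per requested protocol against an HTTPS endpoint and reports whether that protocol was accepted. The host name is a placeholder for your own SharePoint web front end. It is for HTTPS endpoints only; it will not work against SQL Server on 1433, because TDS wraps the TLS handshake inside its own pre-login exchange. Note that the handshake is also subject to the SCHANNEL Client settings of the machine you run it from, so probe from a machine where the protocol you are testing is still enabled on the Client side, otherwise the failure happens locally rather than at the server.

```powershell
# Added example, not part of the original post. Opens one TLS handshake per
# requested protocol against an HTTPS endpoint and reports the outcome.
# $TargetHost is a placeholder: point it at your own SharePoint web front end.

function Test-TlsHandshake {
    param(
        [Parameter(Mandatory)][string]$TargetHost,
        [int]$Port = 443,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($TargetHost, $Port)
        # Default certificate validation is kept on purpose: a chain or name
        # problem then shows up in the Error column instead of a silent refusal.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        # Offer exactly one protocol version so the result is unambiguous.
        $ssl.AuthenticateAsClient($TargetHost, $null, $Protocol, $false)
        [pscustomobject]@{
            Host = $TargetHost; Port = $Port; Requested = $Protocol
            Result = 'Accepted'; Negotiated = $ssl.SslProtocol
            Cipher = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"; Error = $null
        }
    } catch {
        [pscustomobject]@{
            Host = $TargetHost; Port = $Port; Requested = $Protocol
            Result = 'Refused'; Negotiated = $null; Cipher = $null
            Error = $_.Exception.GetBaseException().Message
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# With the "TLS 1.2 only" profile applied on the server, Tls and Tls11 should be
# refused and only Tls12 accepted. 'sharepoint.contoso.example' is a placeholder.
'Tls', 'Tls11', 'Tls12' |
    ForEach-Object { Test-TlsHandshake -TargetHost 'sharepoint.contoso.example' -Protocol $_ } |
    Format-Table Requested, Result, Negotiated, Cipher, Error -AutoSize
```

Run it once before the change to record the baseline and once after; a row that flips from Accepted to Refused for Tls and Tls11 while Tls12 stays Accepted confirms the server side of the configuration without touching production traffic.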

 

– On ALL Servers in the farm and in machines consuming document libraries in Explorer view it is necessary to patch Windows

The crawler contains .NET and C++ components. The C++ components use another API, WinHTTP, which the .NET patches do not fix for TLS 1.2. WebDAV, the protocol behind Explorer View, also goes through WinHTTP. By default, Windows Explorer will not support TLS 1.2 in Windows 7 and Windows Server 2008 R2. This update is tricky because, unlike the others, it goes onto the CLIENT MACHINES accessing SharePoint document libraries in Explorer view as well as onto the servers in the farm (where the crawler needs it). This update is not necessary for Windows 10. Link to the KB with the hotfix: https://support.microsoft.com/en-us/kb/3140245

After applying the update or if you have Windows 10:

Open command prompt as administrator

Run the commands below:

 
%windir%\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /f /v DefaultSecureProtocols /t REG_DWORD /d 0x0000A80
%windir%\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /f /v DefaultSecureProtocols /t REG_DWORD /d 0x0000A80
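The three registry areas touched in this guide (the .NET keys, the SCHANNEL protocol keys and the WinHTTP bitmask) are easy to get half-applied on a farm with several servers and two registry views each. The following PowerShell is an added example and is not part of the original post: a read-only audit that reports every value the steps above set, decodes the WinHTTP DefaultSecureProtocols mask into protocol names, and answers whether the local SCHANNEL state matches the "TLS 1.2 only" .reg file. Expected values are the ones given in this post; the WinHTTP bit meanings (0x8 SSL 2.0, 0x20 SSL 3.0, 0x80 TLS 1.0, 0x200 TLS 1.1, 0x800 TLS 1.2) are the ones documented in KB 3140245.

```powershell
# Added example, not part of the original post: read-only audit of the registry
# values the steps above set on the local machine. Run elevated on each farm
# server and, for the WinHTTP part, on client machines as well.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent
    return [int]$item.$Name                 # 0xFFFFFFFF shows as -1; non-zero means enabled
}

function Get-DotNetTlsSettings {
    # One row per registry view (64-bit and 32-bit) for the two values the post sets.
    foreach ($view in 'SOFTWARE', 'SOFTWARE\Wow6432Node') {
        [pscustomobject]@{
            View                                   = $view
            'v2.0 DefaultSecureProtocols (SP2010)' = Get-RegDword "HKLM:\$view\Microsoft\.NETFramework\v2.0.50727" 'DefaultSecureProtocols'
            'v4.0 SchUseStrongCrypto (SP2013)'     = Get-RegDword "HKLM:\$view\Microsoft\.NETFramework\v4.0.30319" 'SchUseStrongCrypto'
        }
    }
}

$schannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # One row per protocol and side. An absent value means the OS default applies
    # (which differs between Windows versions), so it is reported as such.
    foreach ($proto in 'PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $key     = "$schannelRoot\$proto\$side"
            $enabled = Get-RegDword $key 'Enabled'
            $dbd     = Get-RegDword $key 'DisabledByDefault'
            $state   = if ($enabled -eq 0)         { 'Disabled' }
                       elseif ($dbd -eq 1)         { 'Available, disabled by default' }
                       elseif ($null -ne $enabled) { 'Enabled' }
                       else                        { 'OS default' }
            [pscustomobject]@{ Protocol = $proto; Side = $side; Enabled = $enabled; DisabledByDefault = $dbd; State = $state }
        }
    }
}

function Get-WinHttpProtocols {
    # Decodes the DefaultSecureProtocols bitmask (bit meanings from KB 3140245).
    $bits = @(
        @{ Bit = 0x8;   Name = 'SSL 2.0' }
        @{ Bit = 0x20;  Name = 'SSL 3.0' }
        @{ Bit = 0x80;  Name = 'TLS 1.0' }
        @{ Bit = 0x200; Name = 'TLS 1.1' }
        @{ Bit = 0x800; Name = 'TLS 1.2' }
    )
    foreach ($view in 'SOFTWARE', 'SOFTWARE\WOW6432Node') {
        $value = Get-RegDword "HKLM:\$view\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" 'DefaultSecureProtocols'
        if ($null -eq $value) {
            $hex = $null; $names = '(not set: WinHTTP built-in default)'
        } else {
            $hex   = '0x{0:X}' -f $value
            $names = ($bits | Where-Object { $value -band $_.Bit } | ForEach-Object { $_.Name }) -join ', '
        }
        [pscustomobject]@{ View = $view; Value = $hex; Protocols = $names }
    }
}

function Test-Tls12OnlyProfile {
    # $true when SCHANNEL matches the post's enableTLS12Only.reg: TLS 1.2 enabled on
    # both sides, everything else disabled. That file leaves PCT 1.0\Client untouched,
    # so that key is skipped here as well.
    $bad = Get-SchannelProtocolState |
        Where-Object { -not ($_.Protocol -eq 'PCT 1.0' -and $_.Side -eq 'Client') } |
        Where-Object {
            ($_.Protocol -eq 'TLS 1.2' -and $_.State -ne 'Enabled') -or
            ($_.Protocol -ne 'TLS 1.2' -and $_.State -ne 'Disabled')
        }
    return (@($bad).Count -eq 0)
}

Get-DotNetTlsSettings     | Format-Table -AutoSize
Get-SchannelProtocolState | Format-Table -AutoSize
Get-WinHttpProtocols      | Format-Table -AutoSize
"SCHANNEL matches the TLS 1.2 only profile: $(Test-Tls12OnlyProfile)"
```

The decoder makes one detail of the commands above visible: 0xA80 is TLS 1.0 + TLS 1.1 + TLS 1.2. With the "TLS 1.2 only" SCHANNEL profile in place WinHTTP can still only negotiate TLS 1.2, because it sits on top of SCHANNEL, so the mask is not a weakness; it just means WinHTTP keeps following whatever SCHANNEL allows rather than pinning TLS 1.2 on its own.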

 

– Wrapping up

I have received feedback from customers that went through these steps and they were able to have SharePoint working with TLS 1.2 enabled. I do not have an end-to-end case with SharePoint 2010 but it should work too. Please leave feedback so others can know how people are succeeding (or failing).


Comments (23)

  1. Confirm SP 2010 Working with TLS 1.0 Disabled, on SBS 2011.

  2. Madhukiran Gorekar says:

    Hi , Thanks for the information.
    we are trying to enable TLS 1.2 on our sharepoint server.
    Our SharePoint 2010 web/app server OS is Windows Server 2008 R2 Standard, but our SQL database (SQL Server 2008 Enterprise Edition) is on a different server and its OS is Windows Server 2003 R2.

    As TLS is an OS-level setting and is not compatible with Windows Server 2003, can we enable TLS 1.2 on our SharePoint server?

    1. Hi Madhukiran,

      I don’t believe you will be able to have TLS 1.2 on your Windows 2003. You will have to move your SQL Server to a newer OS.

  3. Tony Cioffi says:

    Anyone else having an issue when trying to run this fix on a win7/office2010 machine? tls 1.2 enabled on the server. all functions seem ok except we are unable to set automatic replies in outlook. we receive error: “Your automatic reply settings cannot be displayed because the server is currently unavailable. Try again later”.

    1. Tony,
      On machines running office, follow the steps in section “On machines consuming document libraries in Explorer view it is necessary to patch Windows”.

  4. Naveen says:

    SharePoint 2013 TLS 1.2

    User profile sync services are working.
    Failed to connect to the database Sync_DB
    connection open SSEcreate credentials ssl security error- SQL connectivity issue.

    1. Naveen,

      Patch SQL on SQL Server and ALL SharePoint Servers in the farm:

      – Update SQL Server (2008/2008 R2/2012 or 2014), Client Components and Windows to support TLS 1.2

      It is possible you already have the build that supports TLS 1.2. You can check this and download and apply the necessary hotfixes if necessary here: https://support.microsoft.com/en-us/kb/3135244

      Apply the server update to the SQL Server machines only and the client hotfixes to ALL machines in the farm. You may need to apply the Windows patches as well (all in the KB).

      1. Naveen says:

        Thanks Rodney,

        We have installed the following, but User Profile Sync (FIM Sync service) is still not starting.
        CU5 for SQL 2012 on SQL Server.
        SQL native client components on SharePoint Servers .
        ADO.NET – SqlClient (.NET Framework 4.5.2, 4.5.1, 4.5 on share point servers
        Microsoft ODBC Driver for SQL Server is installed on Sharepoint servers.
        Installed KB2898850 Microsoft .NET Framework 4.5.2

        We can’t find any Windows patches for SharePoint servers that support TLS 1.2.

        1. Naveen says:

          Update-

          The issue is resolved after installing the Microsoft SQL Server 2008 R2 Native Client component.

  5. Chris Wharton says:

    I have followed the above configuration guidelines, we have a SharePoint 2013 service running on Windows Server 2012 R2.
    SharePoint works but we are unable to get Office Web Apps to work with a TLS 1.2 configuration, symptoms as per https://support.microsoft.com/en-gb/kb/3160699
    This article states OWA requires TLS 1.0
    Can anyone confirm that they have OWA working on TLS 1.2

    1. Chris,

      Did you follow all steps in this article? Did you install this on the machines consuming SPS?

      – On machines consuming document libraries in Explorer view it is necessary to patch Windows
      WebDAV is accomplished via WinHTTP protocol. By default, Windows Explorer will not support TLS 1.2 in Windows 7 and Windows Server 2008 R2. This update is tricky because unlike the others, this UPDATE goes into the CLIENT MACHINES accessing SharePoint document libraries in Explorer view, not the servers. It is however recommended that you also apply the hotfix in the servers. This update is not necessary for Windows 10. Link to the KB with the hotfix: https://support.microsoft.com/en-us/kb/3140245
      After applying the update or if you have Windows 10:
      Open command prompt as administrator
      Run the commands below:

      %windir%\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /f /v DefaultSecureProtocols /t REG_DWORD /d 0x0000A80
      %windir%\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /f /v DefaultSecureProtocols /t REG_DWORD /d 0x0000A80
       

  6. Naveen says:

    Microsoft OLE DB Provider for SQL Server is not working with TLS 1.2 if we need to test SQL connectivity from SharePoint servers to the SQL server.

    Please suggest any components that need to be installed for the OLE DB provider on the server to connect to SQL with TLS 1.2.

    1. Hi Naveen,

      Apply this on all machines consuming SQL server (and SQL Servers too):
      https://support.microsoft.com/en-us/kb/3135244

      1. Mohanghimire says:

        Hi,
        So, https://support.microsoft.com/en-us/kb/3135244 is required both for SQL boxes plus all SharePoint boxes (I was originally assuming this is just required for SharePoint boxes only).

        1. The SQL Server and the machines consuming SQL (SQL Clients and SharePoint servers at the same time) must be updated.

          1. Mohanghimire says:

            Hi Rodney,
            Thanks for the quick response and great information. Is it true that if SQL servers are upgraded with SP3 we don’t need to apply https://support.microsoft.com/en-us/kb/3135244 individually on the SQL side, but we still have to apply it to all machines/servers in the SharePoint 2013 farm?

  7. Bryan says:

    Trying this in SP2013 but having trouble with Workflow Manager unless SSL3/TLS1.0 remains available. Is there a separate set of updates required for workflow to work with only TLS1.2 available?

    1. Follow the instructions for WebDAV and install the .NET 3.5 hotfix.

  8. spadmin says:

    Good info. Any comments on when this page might change to supported? https://technet.microsoft.com/en-us/library/mt757340.aspx

    1. The information was updated to include the full support. See links in the beginning of the post.

  9. Good news. Microsoft officially announced that SharePoint 2013 does not fully support TLS 1.1 and TLS 1.2. See the complete guide at the URL below.

    https://technet.microsoft.com/en-us/library/mt757340.aspx

    1. As I told in the post, the official support was close. Now it is official. I updated the post with the appropriate links.

      1. Thank you Rodney for updating the article.

        Microsoft updated their documentation saying that SharePoint 2013 now supports below TLS and SSL protocols.

        1. TLS 1.2
        2. TLS 1.1
        3. TLS 1.0
        4. SSL 3.0

        However SSL 3.0 is still not recommended. See more details below.

        https://technet.microsoft.com/en-us/library/mt757340.aspx

        Visit below link for enabling TLS for SharePoint.

        https://technet.microsoft.com/en-us/library/mt773991.aspx

        Regards
