The [unofficial] guide for SharePoint 2013 (and 2010) working with TLS 1.2 only

 

There are several resources out there claiming SharePoint 2013 and 2010 are not compatible with TLS 1.2, but until now there was no official stance from Microsoft either way. This post is still not the official response, but it is a first step in that direction; official documentation is to follow. The official supportability is explained in the links below, and the information in this post is still valid:

Enable TLS and SSL support in SharePoint 2013

And

Enable TLS 1.1 and TLS 1.2 support in SharePoint Server 2010

 

*** UPDATED on 01/17/2019: I worked on a case where the previous keys, both here and in TechNet, were insufficient (for .NET) in some very rare cases. My friend and colleague Tony DeVere showed me a recent document from the .NET team discussing these entries. I updated the post to reflect it and will request a change to TechNet. The .NET article is here.

Background

TLS stands for Transport Layer Security and it is the replacement for Secure Sockets Layer (SSL). SSLv3 is the last of the SSL protocols; it has long been deprecated in practice and was officially deprecated in 2015. TLS 1.0 and TLS 1.1 are still valid protocols, but most modern browsers disable them by default, and new security patches for Windows disable old protocols. Most important is the fact that most companies are tightening security, making sure SSLv3, TLS 1.0 and TLS 1.1 are disabled and only the more secure TLS 1.2 is enabled.

Starting with the October 2014 security bulletin there were several changes and patches to the way encryption and hash algorithms are handled in Windows. One of the most important is the one that disables SSLv3 in .NET. That patch is only for .NET 4 and later, and it is what makes it possible for SharePoint 2013 to work with TLS 1.2 without code changes.

SharePoint 2010 is built on .NET 3.5, so the patches mentioned above do not apply to it. This is what prevented SharePoint 2010 from being compatible with TLS 1.2, and it ended with a patch released in May 2016: KB 3154518. SharePoint 2010 can now also work with TLS 1.2 only.

SharePoint relies heavily on SQL Server, and SQL Server versions prior to SQL 2016 (i.e. SQL 2008/2008 R2/2012/2014) do not support TLS 1.2 before KB 3135244. If you are up to date with your patches you should be fine on this point.

SharePoint relies on WebDAV for Explorer view. Windows Explorer on versions of Windows before Windows 10 is not compatible with TLS 1.2 (this is actually a WinHTTP issue). This was resolved by KB 3140245.

 

Steps to enable SharePoint 2013/2010 to work with TLS 1.2 and disable the other protocols

 

- Make a backup before making any changes

It goes without saying. Also make sure you make the changes in your test and staging farms before going to production.

 

- Update SQL Server (2008/2008 R2/2012 or 2014), Client Components and Windows to support TLS 1.2

It is possible you already have a build that supports TLS 1.2. You can check this, and download and apply the necessary hotfixes if needed, here: https://support.microsoft.com/en-us/kb/3135244

Apply the server update to the SQL Server machines only and the client hotfixes to ALL machines in the farm. You may need to apply the Windows patches as well (all are listed in the KB).

 

- Install hotfix for .NET 3.5.1 to enable TLS 1.2 for .NET (SharePoint 2010 ONLY)

Skip this step for SharePoint 2013. Download the x64 version of this .NET update and install it on ALL servers in the farm: https://support.microsoft.com/en-us/kb/3154518

Open a command prompt as administrator and run these commands:

[text]
%windir%\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v DefaultSecureProtocols /t REG_DWORD /d 1
%windir%\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 1
%windir%\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 1

%windir%\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v DefaultSecureProtocols /t REG_DWORD /d 1
%windir%\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 1
%windir%\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 1

[/text]

 

- Enable Strong Cryptography for .NET 4+ (SharePoint 2013)

This functionality has been in .NET 4+ since October 2013. Make sure your bits are more recent than that.

This is necessary to enable TLS 1.x for SharePoint.

Open a command prompt as administrator and run these commands:

[text]
%windir%\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 1
%windir%\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 1

%windir%\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 1
%windir%\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 1
[/text]

 

 

- Disable the protocols you DO NOT want. See this: https://support.microsoft.com/en-us/kb/245030

 

In the example below, you make TLS 1.2 the default and disable SSL, but you do not disable the other TLS protocols:

1. Open a command prompt as administrator

2. Run: notepad %temp%\enableTLSOnly.reg

3. Click yes to the warning below:

image

4. Paste this into Notepad

[text]
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[/text]

5. Save the file (File | Save, or Ctrl + S)

6. Back on the command prompt run: start %temp%\enableTLSOnly.reg

7. Click yes to apply the changes to the warning below:

image

8. The registry should look like this

image

 

In the example below you enable only TLS 1.2:

1. Open a command prompt as administrator

2. Run: notepad %temp%\enableTLS12Only.reg

3. Click yes to the warning below:

image

4. Paste this into Notepad

[text]
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[/text]

5. Save the file (File | Save, or Ctrl + S)

6. Back on the command prompt run: start %temp%\enableTLS12Only.reg

7. Click yes to apply the changes to the warning below:

image

 

- On ALL servers in the farm, and on machines consuming document libraries in Explorer view, it is necessary to patch Windows

The crawler contains .NET and C++ components. The C++ components use another API, WinHttp, which is not patched for TLS 1.2 by the .NET patches. WebDAV, the protocol behind Explorer View, also goes through WinHttp. By default, Windows Explorer does not support TLS 1.2 on Windows 7 and Windows Server 2008 R2. This update is tricky because, unlike the others, it goes on the CLIENT MACHINES accessing SharePoint document libraries in Explorer view as well as on the servers in the farm; it is recommended that you also apply the hotfix on the servers. This update is not necessary for Windows 10. Link to the KB with the hotfix: https://support.microsoft.com/en-us/kb/3140245

After applying the update, or if you have Windows 10, open a command prompt as administrator and run the commands below (0xA80 is the WinHttp bitmask for TLS 1.0, TLS 1.1 and TLS 1.2):

[text]
%windir%\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /f /v DefaultSecureProtocols /t REG_DWORD /d 0x0000A80
%windir%\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /f /v DefaultSecureProtocols /t REG_DWORD /d 0x0000A80
[/text]

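As an added check, not part of the original post, the PowerShell script below reads back the keys set in the steps above on the machine it runs on: every SCHANNEL protocol/side pair, the two .NET values common to both runtimes (SchUseStrongCrypto and SystemDefaultTlsVersions, in both the 64-bit and the Wow6432Node hive), and the WinHttp DefaultSecureProtocols bitmask, whose bit values are the ones documented in KB 3140245. It flags anything weaker than TLS 1.2 that is not explicitly disabled; the helper name Get-RegDword is this example's own.

```powershell
# Added example, not from the original post: read-only audit of the keys this
# guide sets. Run in an elevated PowerShell on each farm server (and on WebDAV
# clients for the WinHttp part). It changes nothing, it only reports.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$report = New-Object System.Collections.Generic.List[object]

function Get-RegDword($Path, $Name) {
    # $null when the key or value is absent, i.e. the OS default applies.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# 1. SCHANNEL: any protocol other than TLS 1.2 that is not explicitly disabled gets flagged.
foreach ($p in 'PCT 1.0','SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2') {
    foreach ($side in 'Client','Server') {
        $key = "$schannel\$p\$side"
        $enabled = Get-RegDword $key 'Enabled'
        $state = 'enabled'
        if ($null -eq $enabled) { $state = 'OS default (not set)' }
        elseif ($enabled -eq 0) { $state = 'disabled' }
        elseif ((Get-RegDword $key 'DisabledByDefault') -eq 1) { $state = 'enabled, off by default' }
        $flag = if ($p -ne 'TLS 1.2' -and $state -ne 'disabled') { 'REVIEW' } else { '' }
        $report.Add([pscustomobject]@{ Item="SCHANNEL $p"; Scope=$side; State=$state; Flag=$flag })
    }
}

# 2. .NET: both the 64-bit and the Wow6432Node hive must carry the values for every runtime present.
foreach ($hive in 'HKLM:\SOFTWARE\Microsoft\.NETFramework','HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework') {
    $scope = if ($hive -match 'Wow6432Node') { 'x86' } else { 'x64' }
    foreach ($ver in 'v2.0.50727','v4.0.30319') {
        if (-not (Test-Path "$hive\$ver")) { continue }
        foreach ($name in 'SchUseStrongCrypto','SystemDefaultTlsVersions') {
            $ok = (Get-RegDword "$hive\$ver" $name) -eq 1
            $report.Add([pscustomobject]@{ Item=".NET $ver $name"; Scope=$scope
                State=$(if ($ok) {'1'} else {'missing or 0'}); Flag=$(if ($ok) {''} else {'REVIEW'}) })
        }
    }
}

# 3. WinHttp: decode the DefaultSecureProtocols bitmask (0xA80 = TLS 1.0 + TLS 1.1 + TLS 1.2).
$bits = @{ 0x8='SSL 2.0'; 0x20='SSL 3.0'; 0x80='TLS 1.0'; 0x200='TLS 1.1'; 0x800='TLS 1.2' }
foreach ($hive in 'HKLM:\SOFTWARE\Microsoft','HKLM:\SOFTWARE\WOW6432Node\Microsoft') {
    $scope = if ($hive -match 'WOW6432Node') { 'x86' } else { 'x64' }
    $mask = Get-RegDword "$hive\Windows\CurrentVersion\Internet Settings\WinHttp" 'DefaultSecureProtocols'
    $on = 'not set (WinHttp default)'
    if ($null -ne $mask) { $on = ($bits.Keys | Sort-Object | Where-Object { $mask -band $_ } | ForEach-Object { $bits[$_] }) -join ', ' }
    $flag = if ($null -eq $mask -or -not ($mask -band 0x800)) { 'REVIEW' } else { '' }
    $report.Add([pscustomobject]@{ Item='WinHttp DefaultSecureProtocols'; Scope=$scope; State=$on; Flag=$flag })
}

$report | Format-Table -AutoSize
```

A row marked REVIEW is either a pre-TLS 1.2 protocol still reachable, a .NET value the steps above set that is absent, or a WinHttp mask without the TLS 1.2 bit; a SCHANNEL row reading "OS default (not set)" means the .reg file for that protocol was never applied on this machine.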
 

- Wrapping up

I have received feedback from customers that went through these steps and they were able to have SharePoint working with TLS 1.2 enabled. I do not have an end-to-end case with SharePoint 2010, but it should work too. Please leave feedback so others can know how people are succeeding (or failing).