SharePoint and Chrome Provider Host Application (PHA) Cipher Issue (and Firefox)


A customer recently ran into an issue where their SharePoint 2016 ASP.NET provider hosted applications, running on Windows Server 2016, and IIS 10 started throwing crypto errors. In Chrome, we saw "The webpage at https://app-[GUID].sharepointaddins.com/siteURL might be temporarily down or it may have moved permanently to a new address. ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY". After some research, reading on my part, and help from the always knowledgeable Dean Cron, we have an explanation. Newer versions of Chrome follow http/2 AKA HTTP 2.0 rules, which black lists some older ciphers. The default IIS 10 settings still let you negotiate to use those ciphers.

Other problematic scenarios include opening documents in Exchange via Office Web Applications/Office Online Server. Changes can be made on OWA/OOS servers.

Here are two ways to fix this.

https://bugs.chromium.org/p/chromium/issues/detail?id=529994

Change your browser settings

This probably isn't a great idea, because you lose all the security enhancements with HTTP/2.

  1. Disable HTTP/2 in Chrome and/or Firefox
  2. In Chrome: run the browser with the --disable-http2 switch
  3. In Firefox: type about:config in the browser and confirm the security prompt; then search for the network.http.spdy.enabled.http2 setting and set it to false

Change your IIS (web server) settings

  1. Use regedit to adjust the cipher suite configuration. Below is a sample .reg file that corrected this in a test lab.
    1. [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
      "Functions"="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
  2. Use Nartac to adjust cipher suite settings- https://www.nartac.com/Products/IISCrypto/Download
    1. I've never used this product, so proceed at your own risk. I saw it mentioned a few places for configuration, specific to this scope of issue.
Comments (0)

Skip to main content