Considerations for disabling and replacing TLS 1.0 in ADFS / Force .net to use strong crypto

ADFS is developed by using .NET Framework. For .NET applications to support strong cryptography (that is, TLS 1.1 and above), you must first install the updates that are described in the following security advisory:
Important: Customers who are running .NET Framework 3.5 applications on Windows 10 or .NET Framework 4.5/4.5.1/4.5.2 applications on systems that have the .NET Framework 4.6 installed must follow the steps that are provided in this advisory to manually disable RC4 in TLS. For more information, see the "Suggested Actions" section of the advisory.

Notes

  • Systems that are running the .NET Framework 4.6 only are protected by default and do not have to be updated.
  • The additional steps from the security advisory require that you create the SchUseStrongCrypto registry key, as described in the advisory article.

    Examples of the value under each .NET Framework version subkey (in .reg file layout, with the DWORD value on the line after its key):

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
    "SchUseStrongCrypto"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
    "SchUseStrongCrypto"=dword:00000001

  • To apply the change, you must restart the following services and applications:

    • ADFS Service (adfssrv)
    • Device Registration Service (drs)
    • Any other .NET application that might be running in the server
    • The Internet Information Services (IIS) application pool for ADFS (applies only to ADFS 2.0 and ADFS 2.1)
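The two steps above (create the SchUseStrongCrypto value under each .NET Framework version key, then restart the ADFS services) can be applied and verified in one elevated PowerShell session. The following script is an added example and is not part of the original article or of any Microsoft tooling; it assumes the four registry paths and the two service names (adfssrv, drs) given in the notes, and that it runs as an administrator on the ADFS server itself.

```powershell
# Added example, not from the original article. Assumes an elevated session on the ADFS server.
# Registry paths come from the notes above; the value name and data (DWORD 1) are the ones the
# security advisory prescribes.

$paths = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

# Step 1: create (or overwrite) SchUseStrongCrypto = 1 under every version subkey.
foreach ($p in $paths) {
    if (-not (Test-Path $p)) {
        # A version subkey is only present when that runtime is installed; creating it is
        # harmless and means the setting is in place if the runtime is installed later.
        New-Item -Path $p -Force | Out-Null
    }
    New-ItemProperty -Path $p -Name 'SchUseStrongCrypto' -PropertyType DWord -Value 1 -Force | Out-Null
}

# Verification: read every value back before touching any service, so a typo in a path
# or a failed write is caught while the change is still easy to reason about.
$bad = 0
foreach ($p in $paths) {
    $v = (Get-ItemProperty -Path $p -Name 'SchUseStrongCrypto' -ErrorAction SilentlyContinue).SchUseStrongCrypto
    '{0,-72} SchUseStrongCrypto = {1}' -f $p, $v
    if ($v -ne 1) { $bad++ }
}
if ($bad -gt 0) {
    Write-Error "$bad registry path(s) do not have SchUseStrongCrypto = 1; services were NOT restarted."
    return
}

# Step 2: restart the services named in the notes. 'drs' only exists on ADFS versions that
# ship the Device Registration Service, so a missing service is reported and skipped
# rather than treated as an error.
foreach ($svc in @('adfssrv', 'drs')) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($null -eq $s) {
        "Service '$svc' not installed on this host; skipping."
        continue
    }
    Restart-Service -Name $svc -Force
    '{0,-10} {1}' -f $svc, (Get-Service -Name $svc).Status
}
```

The script deliberately stops before the service restart if any of the four values fails to read back as 1, since restarting ADFS with the registry only half applied leaves some .NET code paths on the old behaviour. On ADFS 2.0 and 2.1 the IIS application pool for ADFS must also be recycled (for example with Restart-WebAppPool and the pool's name, which varies by deployment and is therefore not hard-coded here), and any other .NET application on the server needs its own restart as the notes state.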