“How to Enable TLS 1.1 and 1.2 in IIS 7.5: Registry Settings and Schannel Configuration”

When attempting to enable TLS 1.1 and 1.2 on Windows Server 2008 R2 (IIS 7.5), many administrators find their registry modifications don't actually change the negotiated protocol. The server continues to only accept TLS 1.0 despite proper registry configuration.

First, ensure these registry keys exist with correct values:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
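
The same keys applied and read back from PowerShell, as an added example that is not part of the original page. It creates the Client and Server subkeys with the exact names Schannel looks for ("TLS 1.1" with the space) and the REG_DWORD type the values must have, then lists the state of every protocol so a typo or a string-typed value stands out. It assumes an elevated PowerShell 2.0 or later on the server itself; Schannel only reads these keys at startup, so a reboot still follows.

```powershell
# Added example (not from the original page): write the Schannel protocol keys with the exact
# names and REG_DWORD types Schannel expects, then read the whole Protocols tree back.
# Assumptions: elevated PowerShell 2.0+ on Windows Server 2008 R2; reboot afterwards.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory=$true)][string]$Protocol,   # e.g. 'TLS 1.1' (note the space)
        [Parameter(Mandatory=$true)][bool]$Enable
    )
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $base $Protocol) $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=1 + DisabledByDefault=0: available and used unless a caller opts out.
        # Enabled=0: off for every Schannel client/server regardless of what a caller asks for.
        # Both must be REG_DWORD; string values are not honored by Schannel.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value $(if ($Enable) { 1 } else { 0 }) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value $(if ($Enable) { 0 } else { 1 }) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # One row per protocol/side with the values Schannel will read at the next boot.
    # $null means the key or value is absent and the OS default applies
    # (on 2008 R2 that means TLS 1.1/1.2 are present but disabled by default).
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path (Join-Path $base $proto) $side
            $enabled = $null; $dbd = $null
            if (Test-Path $key) {
                $p = Get-ItemProperty -Path $key
                $enabled = $p.Enabled
                $dbd = $p.DisabledByDefault
            }
            New-Object PSObject -Property @{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $dbd
            }
        }
    }
}

Set-SchannelProtocol -Protocol 'TLS 1.1' -Enable $true
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enable $true
Get-SchannelProtocolState | Format-Table Protocol, Side, Enabled, DisabledByDefault -AutoSize
```

Running Get-SchannelProtocolState before any change is a quick way to see why a hand-edited server still speaks only TLS 1.0: a row whose key exists but whose Enabled or DisabledByDefault column is empty usually means the value was created with the wrong type or under a mis-spelled key.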

The Microsoft documentation note that is usually quoted here explains one way registry changes can fail:

"WARNING: The DisabledByDefault value in the registry keys under the Protocols key does not take precedence over the grbitEnabledProtocols value that is defined in the SCHANNEL_CRED structure."

This applies to applications that pass their own protocol list (grbitEnabledProtocols) when they acquire Schannel credentials: their list wins over DisabledByDefault, although Enabled=0 still disables a protocol for every caller. The IIS listener (HTTP.sys) passes no such list and follows the registry, so when IIS itself keeps negotiating TLS 1.0 after a change the cause is usually mundane: a key name typed without the space ("TLS 1.1"), values created as REG_SZ rather than REG_DWORD, a Client subkey set but no Server subkey, or no reboot yet. The override does matter on the client side, in particular for .NET code on the web server that calls other HTTPS services; that case is covered further down.

Nartac's IIS Crypto tool is a GUI for the same registry keys:

1. Download and run IIS Crypto (admin privileges required)
2. Check both "TLS 1.1" and "TLS 1.2" under Protocol versions
3. Click "Apply" then reboot the server

The tool writes the Schannel Protocols keys (together with the Ciphers, Hashes and KeyExchangeAlgorithms keys and the cipher suite order) with the correct names and value types. There is no "Schannel configuration" separate from the registry, so it cannot get past a per-application SCHANNEL_CRED override either; its value is avoiding typos and showing the current state of every protocol at a glance.

Use OpenSSL from a client machine to test what the listener actually negotiates, one protocol version per run. A successful handshake prints a "Protocol  : TLSv1.2" (or TLSv1.1) line in the SSL-Session summary; a version the server does not accept ends in a handshake failure:

openssl s_client -connect yourserver:443 -tls1_2
openssl s_client -connect yourserver:443 -tls1_1

PowerShell is often suggested as an alternative, but the following does not check the server at all. It only sets which protocols the current PowerShell (.NET) process may offer when it makes its own requests with classes such as System.Net.WebClient, and the Tls11 and Tls12 values require .NET Framework 4.5 or later on the client:

[System.Net.ServicePointManager]::SecurityProtocol = 
    [System.Net.SecurityProtocolType]::Tls11 -bor 
    [System.Net.SecurityProtocolType]::Tls12
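
A PowerShell check that does test the server, as an added example that is not part of the original page: it opens one handshake per SSL/TLS version with SslStream, offering exactly that version, and reports whether the listener accepted it and with which cipher. It assumes .NET Framework 4.5 or later on the machine running the probe (the Tls11 and Tls12 enum values do not exist before that) and uses 'yourserver' as a placeholder host name; Test-TlsProtocol is a name chosen here, not a built-in cmdlet.

```powershell
# Added example (not from the original page): probe which SSL/TLS versions a listener
# actually negotiates, one handshake per version. This tests the server, unlike setting
# ServicePointManager.SecurityProtocol, which only changes what the local client offers.
# Assumptions: .NET Framework 4.5+ on the probing machine; 'yourserver' is a placeholder.

function Test-TlsProtocol {
    param(
        [Parameter(Mandatory=$true)][string]$ServerName,
        [int]$Port = 443,
        [string[]]$Protocols = @('Ssl3', 'Tls', 'Tls11', 'Tls12')
    )
    foreach ($name in $Protocols) {
        $requested = [System.Security.Authentication.SslProtocols]$name
        $result = New-Object PSObject -Property @{
            Requested = $name; Negotiated = $false; Version = $null; Cipher = $null; Error = $null
        }
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($ServerName, $Port)
            # Accept any certificate: this checks protocol support, not trust.
            $trustAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
            $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $trustAll
            # Offer exactly one version so the outcome is unambiguous.
            $ssl.AuthenticateAsClient($ServerName, $null, $requested, $false)
            $result.Negotiated = $true
            $result.Version = $ssl.SslProtocol.ToString()
            $result.Cipher = '{0}/{1}' -f $ssl.CipherAlgorithm, $ssl.CipherStrength
            $ssl.Close()
        } catch {
            # A listener without that version sends a handshake alert or drops the connection;
            # both surface here as an exception.
            $result.Error = $_.Exception.GetBaseException().Message
        } finally {
            $client.Close()
        }
        $result
    }
}

# Expected on a correctly configured server: Tls11 and Tls12 negotiate. If Ssl3 also
# negotiates, SSL 3.0 is still enabled and should be switched off the same way (Enabled=0).
Test-TlsProtocol -ServerName 'yourserver' |
    Format-Table Requested, Negotiated, Version, Cipher, Error -AutoSize
```

Run it from a workstation rather than on the server itself: a probe from the server's own loopback shares the server's Schannel client settings and can hide a client-side problem, while the point of the check is what remote browsers and services will get.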

Schannel reads the Protocols keys when the system starts, so a reboot is required after changing them; recycling application pools does not alter which versions HTTP.sys accepts. Recycling is still useful after .NET-level changes (the web.config edit or the SchUseStrongCrypto value described below) that you want picked up without a reboot:

Import-Module WebAdministration
Get-ChildItem IIS:\AppPools | ForEach-Object { Restart-WebAppPool $_.Name }

The .NET Framework picks the default protocols for an application's own outbound HTTPS calls from the version the application targets, not from the Schannel keys: applications targeting 4.5 or earlier offer only SSL 3.0 and TLS 1.0, while applications targeting 4.6 or later (with .NET Framework 4.6 or later installed) offer TLS 1.0, 1.1 and 1.2. Raising the target in web.config therefore opts an existing site into the newer defaults without a code change; the value 4.5 sometimes shown here does not:

<system.web>
  <httpRuntime targetFramework="4.6" />
</system.web>

The SCHANNEL_CRED warning quoted earlier is about applications that pass an explicit grbitEnabledProtocols when they create a credential. On an IIS server the usual example is .NET code making outbound HTTPS calls: .NET Framework 4.5 and earlier asks Schannel for SSL 3.0 and TLS 1.0 only, so those calls keep using TLS 1.0 no matter what the Protocols keys say. One check and one fix:

# Get-TlsCipherSuite (TLS module, Windows Server 2012 R2 and later; it does not exist on
# Windows Server 2008 R2) lists the enabled cipher suites and the protocol versions each
# one applies to. On 2008 R2, read the Protocols keys directly instead.
Get-TlsCipherSuite | Format-Table Name, Protocols

# For .NET Framework 4.x applications that make outbound TLS connections, set
# SchUseStrongCrypto in both hives (64-bit and 32-bit runtimes) so the default client
# protocols become TLS 1.0, 1.1 and 1.2 instead of SSL 3.0 and TLS 1.0. It is not needed
# for IIS to accept TLS 1.2 inbound.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
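
The SchUseStrongCrypto change applied and verified from PowerShell, as an added example that is not part of the original page. Because a .NET process reads the value once at startup, the script checks the effect by launching fresh 64-bit and 32-bit PowerShell processes and printing the ServicePointManager default each one sees, before and after the change. It assumes .NET Framework 4.5 or later, a 64-bit OS (the WOW6432Node hive is skipped where absent) and an elevated 64-bit PowerShell; Set-SchUseStrongCrypto and Get-DotNetDefaultProtocols are names chosen here, not built-in cmdlets.

```powershell
# Added example (not from the original page): set SchUseStrongCrypto for both the 64-bit and
# 32-bit .NET Framework 4.x runtimes and show its effect on the default outbound protocols
# by starting fresh PowerShell processes (the current process keeps what it read at startup).
# Assumptions: .NET Framework 4.5+; run from an elevated 64-bit PowerShell.

$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Set-SchUseStrongCrypto {
    param([int]$Value = 1)
    foreach ($key in $netKeys) {
        # Only touch keys that exist: the WOW6432Node path is absent on a 32-bit OS.
        if (Test-Path $key) {
            New-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -PropertyType DWord `
                -Value $Value -Force | Out-Null
        }
    }
}

function Get-DotNetDefaultProtocols {
    # Starts a fresh PowerShell of each bitness and returns the default it reports.
    $cmd = '[System.Net.ServicePointManager]::SecurityProtocol.ToString()'
    $hosts = @{ 'x64' = "$env:windir\System32\WindowsPowerShell\v1.0\powershell.exe" }
    $wow = "$env:windir\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
    if (Test-Path $wow) { $hosts['x86'] = $wow }
    foreach ($bits in $hosts.Keys) {
        New-Object PSObject -Property @{
            Bitness = $bits
            Default = (& $hosts[$bits] -NoProfile -NonInteractive -Command $cmd)
        }
    }
}

'Before:'; Get-DotNetDefaultProtocols | Format-Table Bitness, Default -AutoSize
Set-SchUseStrongCrypto -Value 1
'After:';  Get-DotNetDefaultProtocols | Format-Table Bitness, Default -AutoSize
# On .NET 4.5.x the default moves from "Ssl3, Tls" to "Tls, Tls11, Tls12". On 4.6+ it is
# already "Tls, Tls11, Tls12", and 4.7+ may report "SystemDefault", which defers to Schannel.
```

Application pools host whichever runtime bitness the pool is set to, which is why both hives matter: a 32-bit pool (Enable 32-Bit Applications) reads the WOW6432Node value, a 64-bit pool reads the other, and each pool must be recycled to pick the change up.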

For ASP.NET applications that should not wait for a registry change, the same effect can be set in code. Note that ServicePointManager governs the application's outbound HTTPS calls (HttpWebRequest, WebClient, WCF clients and so on), not what IIS accepts from browsers, which Schannel controls. In Global.asax.cs:

using System;
using System.Net;

protected void Application_Start(object sender, EventArgs e)
{
    // Force TLS 1.2 for all outbound requests made by this application.
    // SecurityProtocolType.Tls12 requires .NET Framework 4.5 or later.
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

    // For backward compatibility with endpoints that cannot do TLS 1.2 (not recommended,
    // since it allows a downgrade to TLS 1.0):
    // ServicePointManager.SecurityProtocol = 
    //     SecurityProtocolType.Tls | 
    //     SecurityProtocolType.Tls11 | 
    //     SecurityProtocolType.Tls12;
}

Use these tools to confirm your configuration:

  1. OpenSSL command: openssl s_client -connect yourserver:443 -tls1_2
  2. IIS Crypto tool (GUI alternative)
  3. Browser developer tools (check Security tab)

After making changes, reboot the server. Schannel reads the Protocols keys at startup, so iisreset alone does not apply them (it is harmless but redundant just before a reboot):

iisreset /restart
shutdown /r /t 0

# After the reboot, this shows only the .NET client default of the current PowerShell
# process, i.e. what outbound calls from this session will offer. It says nothing about
# what the listener accepts; use openssl s_client as above for that.
[System.Net.ServicePointManager]::SecurityProtocol