Enabling IIS Manager and Web Deploy after disabling SSL3 and TLS 1.0

Applies to: Windows Server Datacenter Core, Windows Server Standard Core, Windows 10, version 1709

Summary


Internet Information Services (IIS) administrators may choose to disable weaker protocols such as SSL3 and TLS 1.0, either for compliance reasons or to reduce exposure to attacks such as POODLE. Typically, protocols can be enabled and disabled through registry keys on the server, as described at https://support.microsoft.com/en-us/kb/245030.

However, disabling SSL3 and TLS 1.0 also breaks the client-side functionality of some IIS management tools, such as IIS Manager (inetmgr.exe) and Web Deploy (msdeploy.exe). Using Visual Studio to publish through Web Deploy is also affected. The specific symptom in that situation is a failure to connect to the server, which triggers the following error:

The underlying connection was closed: An unexpected error occurred on a send.

The information in the "More Information" section describes how to make those tools work when SSL3 and/or TLS 1.0 are disabled. The exact steps depend on the operating system and the version of the .NET Framework that is installed on the computer.

Note: These changes should be implemented only on the client (where inetmgr.exe, msdeploy.exe or Visual Studio is running) and not on the server (where the IIS web server is running).

More Information


Windows Server Version 1709 / Windows 2016 / Windows 10 (for IIS Manager and Web Deploy)

Set the SchUseStrongCrypto registry key as follows:
 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001


Windows 2012 R2 / 2012 / Windows 8.1 / Windows 8 (for IIS Manager and Web Deploy)


The installed NetFX version must be 4.5.2 or later, as this is the minimum supported NetFX version for 4.x on this OS platform.

Set the SchUseStrongCrypto registry key as follows:
 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

Or, install one of the following updates:
 
Windows 2008 R2 / Windows 7 (for Web Deploy with NetFX 4.5.2 installed)


Follow the steps that are described for Windows Server 2012 R2/Windows Server 2012. That is, install NetFX 4.5.2, and then enable SchUseStrongCrypto either through the registry or by installing the update in the applicable KB article.

Additionally, you must set the following registry keys, as Windows 2008 R2 and Windows 7 do not enable TLS 1.1 or TLS 1.2 by default:
 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000

Then, restart the computer.

Note: These steps apply only to Web Deploy running on NetFX 4.5.2.

For IIS Manager scenarios (regardless of the installed NetFX version), or for Web Deploy running on the default NetFX 3.5, see the following section.

Windows 2008 R2 / Windows 7 (for all IIS Manager scenarios or Web Deploy with default NetFX 3.5)


Install the NetFX update (KB3154518) that enables TLS 1.2 in .NET Framework 3.5.1: https://support.microsoft.com/en-us/kb/3154518

Then, set the following registry keys:
 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001

Additionally, you must set the following registry keys because Windows 2008 R2 and Windows 7 do not enable TLS 1.1/1.2 by default:
 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000

Restart the computer.
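As an added example (not part of this KB article), the following PowerShell script applies the client-side registry values listed above in an idempotent way and then verifies the result, both by asking a fresh .NET process which protocols it will use and, optionally, by making a plain .NET HTTPS request to the management service. The Web Management Service port 8172 and the /msdeploy.axd path are assumptions not stated in the article.

```powershell
# Added example, not from the KB: apply the client-side values the article lists, then verify.
# Run elevated on the CLIENT (not the IIS server); reboot afterwards for SCHANNEL changes.
param(
    [switch]$StrongCrypto,      # NetFX 4.x: SchUseStrongCrypto=1 (every platform in the article)
    [switch]$SystemDefaultTls,  # NetFX 2.0/3.5: SystemDefaultTlsVersions=1 (Win7/2008 R2 + KB3154518)
    [switch]$Schannel,          # TLS 1.1/1.2 DisabledByDefault=0 (Win7/2008 R2 only)
    [string]$ServerName         # optional: host running the Web Management Service (port 8172 assumed)
)
$ErrorActionPreference = 'Stop'

function Set-Dword([string]$Path, [string]$Name, [int]$Value) {
    # Creates the key if missing and overwrites the value; safe to run repeatedly.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
    Write-Host ("set {0}\{1} = {2}" -f $Path, $Name, $Value)
}

$hives = 'HKLM:\SOFTWARE\Microsoft', 'HKLM:\SOFTWARE\Wow6432Node\Microsoft'  # 64-bit and 32-bit views
if ($StrongCrypto) {
    foreach ($h in $hives) { Set-Dword "$h\.NETFramework\v4.0.30319" 'SchUseStrongCrypto' 1 }
}
if ($SystemDefaultTls) {
    foreach ($h in $hives) { Set-Dword "$h\.NETFramework\v2.0.50727" 'SystemDefaultTlsVersions' 1 }
}
if ($Schannel) {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($v in 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') { Set-Dword "$base\$v\$side" 'DisabledByDefault' 0 }
    }
}

# Check 1: SchUseStrongCrypto is read when a .NET process starts, so ask a NEW powershell.exe
# (itself a .NET 4.x host) rather than this session. Expect "Tls, Tls11, Tls12" or "SystemDefault".
$proto = & powershell.exe -NoProfile -Command '[Net.ServicePointManager]::SecurityProtocol'
Write-Host "Default SecurityProtocol in a new .NET process: $proto"

# Check 2 (optional): a bare .NET HTTPS request to the management endpoint. Any HTTP status
# (even 401/403) proves the TLS handshake succeeded; a WebException with no response is the
# transport-level failure the article describes (or a certificate trust problem, see message).
if ($ServerName) {
    try {
        $req = [Net.WebRequest]::Create("https://${ServerName}:8172/msdeploy.axd")
        $req.Method = 'HEAD'; $req.Timeout = 10000
        $req.GetResponse().Close()
        Write-Host 'TLS handshake and request succeeded'
    } catch [Net.WebException] {
        if ($_.Exception.Response) {
            Write-Host ("TLS handshake OK; server answered HTTP {0}" -f [int]$_.Exception.Response.StatusCode)
        } else { Write-Host "Transport failure (no HTTP response): $($_.Exception.Message)" }
    }
}
```

Run with the switches that match the section for your platform, for example `-StrongCrypto` alone on Windows 2016/Windows 10, or all three on Windows 7/2008 R2 with NetFX 3.5.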