Wednesday, June 20, 2018

Disabling TLS 1.0 for ConfigMgr.

PCI

PCI compliance, oh man. If you’re not familiar with PCI compliance, there is a deadline of June 30th, 2018 to disable SSL/early TLS in PCI compliant environments.

To accomplish this for our ConfigMgr environment, I used software by Nartac Software called IIS Crypto. It is a free tool which allows you to reorder SSL\TLS cipher suites, enable/disable protocols, ciphers, hashes, and key exchanges, as well as save or apply templates for these things.

In a nutshell, here’s the procedure I went through.
  • Using IIS Crypto, save a template of current, pre-change settings.
  • Uncheck SSL 2.0, SSL 3.0, and TLS 1.0
  • Apply changes
  • Update SQL Server Native Client
  • Reboot server
  • Repeat on all ConfigMgr Servers
After a bit of trial and error, the above procedure is what ended up working for me. Getting there took an hour or so to realize that without updating the SQL Server Native Client, server logs were spitting out tons of errors, and the console was never managing a connection.

What’s deceiving about the logs in the log viewer is the error is not highlighted as an error – once you spot it, though, it’s a dead giveaway about the issue. The following is from sitecomp.log;





In plain English, you can see that the SQL Server Native Client isn’t supporting the current encryption methods (because we're relying solely on TLS 1.1 and TLS 1.2 now) – an update of the SQL Server Native Client to support TLS 1.2, and this error goes away and ConfigMgr starts to function normally.

To check what version of the SQL Server Native Client your site server has, open the ODBC Data Source Administrator and move to the Drivers tab; you can see mine were well out of date.

References

The below resources helped me work through this change in my environment, hopefully, they can help you as well.

3 comments: