This repository has been archived by the owner on Jun 23, 2021. It is now read-only.

ADFSProvider appears to require TLS1.0 #32

Open

FakeLoki opened this issue Feb 6, 2020 · 5 comments

Comments

FakeLoki commented Feb 6, 2020

Hi,

I recently attempted an upgrade of our PrivacyIDEA server to 3.2.2 and found that the ADFSProvider plugin had issues. The OwnCloud and RDP plugins continued to work and authenticate, so this issue was isolated to just the ADFSProvider.

After some investigation I found these SSL/TLS errors in the event log:

[image]

I upgraded to the latest version of the ADFSProvider and still had the issue so I began to compare settings between the /etc/apache2/sites-enabled/privacyidea.conf file on the old server and the new server and found that TLSv1.0 had been disabled after the upgrade. After enabling TLSv1.0 and adding the ECDH+AES256 SSLCipherSuite and restarting Apache I found that the ADFSProvider was able to connect and work.

Updated privacyidea.conf:

[image]

The ADFS server threw no certificate errors when accessing PrivacyIDEA via IE or Chrome and the complete certificate chain was in place.

Could we please have the requirement for TLSv1.0 fixed to allow for better security with newer TLS versions?

Kind Regards,

FakeLoki

@sbidy sbidy added the bug label Feb 6, 2020
@sbidy sbidy self-assigned this Feb 6, 2020
sbidy (Owner) commented Feb 7, 2020

So .... can you please install the new release 1.3.6b?
This should solve the problem with TLSv1.0 disabled.

Link to release

FakeLoki (Author) commented

Sorry for the delay.

I've installed 1.3.6b, as well as .Net 4.8 with a restart, tested again and I'm still getting the same error.
I tried going through some of the steps here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs
(Disabled TLS1.0, Enabled TLS1.2) and restarted but that didn't help either (Although I haven't played with the cipher suites or the Enabling Strong Authentication for .NET applications reg keys).

I'm thinking I should be looking at rebuilding the ADFS Server (It's currently 2012 R2 and most of our farm is 2016). I'll need to do it at some point and if that fixes this issue then that's a bonus.

Thanks for your work on this sbidy, I'll let you know how I go with ADFS on Windows Server 2016.

sbidy (Owner) commented Feb 14, 2020

Please let me know if the "reinstall" fixed the problem.
Regarding the MS documentation, TLS 1.2 is set as the default in .Net >4.6 (see here).
It is possible to force TLS 1.2 within the provider code, but this is not recommended by MS as a best practice.

splumhoff commented

The issue is common for .NET applications.

Adding "SchUseStrongCrypto"=dword:00000001 to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
and HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319 fixed the problem on my two Windows Server 2016 servers without any negative effects. Please note that you have to restart the ADFS service in order to get it active after the change.

Reference: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enabling-strong-authentication-for-net-applications
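As an added example (not code from the ADFSProvider project or from anyone in this thread), a PowerShell audit of the two registry keys named in the comment above: it reports whether SchUseStrongCrypto is set to 1 under both the 64-bit and WOW6432Node .NET Framework keys and, with the script's own -Remediate switch, sets it and restarts AD FS. It assumes adfssrv is the AD FS Windows service name and that it is run elevated on the AD FS server.

```powershell
# Added example: audit (and optionally set) SchUseStrongCrypto for .NET 4.x.
# Run elevated on the AD FS server. -Remediate is this script's own switch.
param([switch]$Remediate)

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)

$needsRestart = $false
foreach ($key in $keys) {
    if (-not (Test-Path $key)) {
        Write-Warning "$key does not exist (is .NET Framework 4.x installed?)"
        continue
    }

    # A missing value and 0 both leave the legacy .NET client protocol defaults,
    # which still include TLS 1.0; only 1 turns on the strong-crypto defaults.
    $item = Get-ItemProperty -Path $key -Name SchUseStrongCrypto -ErrorAction SilentlyContinue
    $current = if ($null -ne $item) { $item.SchUseStrongCrypto } else { $null }

    if ($current -eq 1) {
        Write-Output "OK    $key : SchUseStrongCrypto = 1"
        continue
    }

    $shown = if ($null -eq $current) { '<not set>' } else { $current }
    Write-Output "WEAK  $key : SchUseStrongCrypto = $shown"

    if ($Remediate) {
        New-ItemProperty -Path $key -Name SchUseStrongCrypto -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Output "FIXED $key : SchUseStrongCrypto set to 1"
        $needsRestart = $true
    }
}

if ($needsRestart) {
    # .NET reads the value at process start, so AD FS must be restarted (as the comment notes).
    # 'adfssrv' is assumed to be the AD FS service name.
    Restart-Service -Name adfssrv
    Write-Output "AD FS service restarted so the new setting takes effect."
}
```

Without -Remediate the script only reports, which makes it usable as a read-only compliance check across a farm.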
