Sunday 2 October 2016

Azue MFA web SDK, server 2008R2 and TLS 1.0

In my last post I mentioned that IIS remote manager does not work if you turn off TLS 1.0.

Well now I've found another, the azure MFA WebSDK and MAF mobile app server both need TLS 1.0 to make them work.


note how MS say nothing about TLS 1.0 being needed on the install page, however it turns out you have to keep both client and server TLS 1.0 protocols enabled on the servers to make it work.

I'm not sure if this is the problem with MFA affects server 2012 R2 as well, but given that the IIS remote manger bug affects all IIS versions up to 8.5 at a minimum I would not be surprised if it did.

Thursday 29 September 2016

IIS remote managment and TLS restrictions

Recently I came across a strange problem with IIS remote management and TLS/SSL protocol restriction.

I was setting up some IIS servers for use with Microsoft Azure MFA and thus after the basic setup was done I looked to hardening the web interface (well it is for an authentication system) so I turned off all the SSL protocols and also TLS1.0 as they have known vulnerability.

That done I moved on to other tasks and never tried to access the systems via IIS remote manager, until a few days back, when I wanted to check some settings on the MFA webSDK web app I had just added to the systems (note the servers run 2008R2 core thus have no GUI IIS manager on them).

As you can imagine I was some what perplexed that the IIS remote manager would not connect. RDP, powershell, remote mmc connections all worked so why did IIS manager not ?

After quite a lot of searching and getting the correct search terms in line, I found this forum thread.
and it turns out that disabling TLS1.0 breaks IIS remote management, so if you ever get a message like
The underlying connection was closed: An unexpected error occurred
then it may be an idea to check what TLS options are enabled on the server you are trying to connect to.