ARR Support for TLS 1.2 on Windows 2012 R2
Last post Sep 11, 2016 02:42 AM by milope
Sep 01, 2016 08:16 PM | dms666
On a Windows 2012 R2 server, I cannot get ARR to work unless TLS 1.0 (or SSL) is enabled.
From what I've gathered, on Windows 2008 R2, ARR only supported TLS 1.0 and SSLv3. Is that the same with 2012 R2?
I cannot find anything definitive on whether or not ARR on Windows 2012 R2 supports TLS 1.2. If there's no default support, can it be added with reg fixes?
Thanks in advance.
Sep 02, 2016 03:20 AM | Jean Sun
Based on my understanding, "enabled by default" means the key doesn't have to exist for it to be turned on. You only need to add the value if you want to disable it.
If you want to disable it, you can find how to do it in the following link.
And the IIS Crypto is a great tool for easily seeing what protocols and ciphers are enabled on your server.
Sep 03, 2016 06:43 AM | Rovastar
I don't know of any way. I think it is still the same as Windows 2008.
Well by default at least. Maybe it is possible to have a rewrite rule that forces TLS 1.2 to the backend servers. I might have a look on my test rig at some point.
Sep 03, 2016 05:04 PM | milope
Sep 03, 2016 10:03 PM | dms666
ARR is receiving client requests and forwarding to another server. It fails if TLS 1.0 or SSL3 are disabled.
It was my understanding that the SCHANNEL registry settings do not apply to the ARR module, but only IIS itself (i.e., when serving web pages).
The discussions on these two threads lead me to believe that 2008 R2 does not support ARR via TLS 1.2 regardless of the SCHANNEL registry changes. I have yet to find any authoritative source on this, however.
Sep 04, 2016 01:22 AM | milope
Sep 08, 2016 12:55 PM | dms666
We heard back from Microsoft support. They confirmed what we had already concluded (here's their response, verbatim):
Application Request Routing (ARR) does not support TLS 1.2 on windows server 2008 R2. Our Product group is working on the same. But it is resolved on windows server 2012 R2.
So if you have 2012 R2 server and ARR is still failing kindly open a new case with our IIS team and they will help you to troubleshoot the issue.
Now our experience with IIS on Windows Server 2012 R2 seemed to imply that TLS 1.0 was still required by ARR. However, further testing showed that it was a third-party client application that was connecting to IIS/ARR that required TLS 1.0 and ARR was, in fact, connecting to a back-end web server via TLS 1.2.
Sep 08, 2016 06:31 PM | Rovastar
I must say milope's reply of https://support.microsoft.com/en-us/kb/3140245 looked the most promising.
The WinHTTP area that it looked like ARR was using could be upgradable to use more secure TLS.
Which makes Microsoft's response even more confusing, as the page above is for Windows 2008 R2 also.
Thanks for your reply though.
I can see this question popping up more and more as TLS 1.0 gets deprecated. Maybe I will have to do a little more digging myself.
Sep 09, 2016 11:21 AM | dms666
I agree - why wouldn't Microsoft at least mention that KB, as it implies that 2008 R2 can be updated to allow ARR to use TLS 1.2.
I can only guess that maybe ARR ignores or cannot use the TLS changes introduced by that KB.
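Added example, not from any post in this thread and not Microsoft tooling: a read-only PowerShell script that reports the SCHANNEL protocol keys Jean Sun describes (an absent key is shown as "OS default" rather than as disabled) together with the WinHTTP DefaultSecureProtocols value that KB3140245 introduces. It assumes an elevated prompt on a 64-bit Windows Server 2012 R2 host and the standard registry locations; the bit values in the comment are from the KB.

```powershell
# Added example (not from the thread). Read-only: reports the configured
# SCHANNEL and WinHTTP protocol settings, changes nothing. Run elevated.

$schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelState {
    param([string]$Protocol, [string]$Side)   # $Side is 'Client' or 'Server'
    $path = Join-Path $schannel "$Protocol\$Side"
    if (-not (Test-Path $path)) {
        # Key absent: Windows applies its built-in default for this protocol,
        # which is the "enabled by default" case discussed in the thread.
        return 'not set (OS default)'
    }
    $props = Get-ItemProperty -Path $path
    $enabled           = $props.PSObject.Properties['Enabled']
    $disabledByDefault = $props.PSObject.Properties['DisabledByDefault']
    $e = if ($enabled)           { $enabled.Value }           else { 'unset' }
    $d = if ($disabledByDefault) { $disabledByDefault.Value } else { 'unset' }
    # Enabled=0 switches the protocol off; DisabledByDefault=1 keeps it off
    # unless an application requests it explicitly.
    return "Enabled=$e DisabledByDefault=$d"
}

foreach ($p in $protocols) {
    foreach ($side in 'Client', 'Server') {
        '{0,-8} {1,-6} {2}' -f $p, $side, (Get-SchannelState -Protocol $p -Side $side)
    }
}

# WinHTTP reads DefaultSecureProtocols once KB3140245 is installed.
# Bits: 0x20 = SSL 3.0, 0x80 = TLS 1.0, 0x200 = TLS 1.1, 0x800 = TLS 1.2.
# 32-bit processes on a 64-bit host read the Wow6432Node copy of this key.
$winhttp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
$dsp = (Get-ItemProperty -Path $winhttp -ErrorAction SilentlyContinue).DefaultSecureProtocols
if ($null -eq $dsp) {
    'WinHTTP DefaultSecureProtocols: not set (OS default)'
} else {
    'WinHTTP DefaultSecureProtocols: 0x{0:X} (TLS 1.2 bit set: {1})' -f $dsp, (($dsp -band 0x800) -ne 0)
}
```

The script only shows what is configured on the host; whether ARR itself honours these values is exactly the open question in this thread, and the Microsoft response quoted above says 2008 R2 does not.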
Sep 11, 2016 02:42 AM | milope