You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Configuring Servers to Support TLS 1.x with EmpowerID

In order to use Transport Layer Security (TLS) with EmpowerID, you must apply Microsoft patches to the SQL server and client machines, and add registry settings to the EmpowerID server and client machines.


Prerequisites

The .NET Framework version 4.5 or higher must be installed on the EmpowerID server.

To configure the EmpowerID server machine

  1. From the Start menu, open the Registry Editor (regedit).
  2. Expand the Computer node and navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319
  3. Right-click the v4.0.30317 key and select New, then DWORD (32-bit) Value.



  4. Set the Name to SchUseStrongCrypto and the Value data to 1.



  5. Navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
  6. Again, right-click the v4.0.30317 key and select New, then DWORD (32-bit) Value, and add the same subkey: 
    • Value name: SchUseStrongCrypto
    • Value data: 1

To configure the SQL Server machine

  1. See the following information from Microsoft:
    https://support.microsoft.com/en-us/help/3135244/tls-1.2-support-for-microsoft-sql-server
  2. From that page, download and install the appropriate patch for your SQL Server version.

To update protocols on the EmpowerID server machine

This step disables insecure protocols on the EmpowerID server.

If you perform this step before installing the SQL patch, the EmpowerID server machine will no longer be able to communicate with the SQL Server.

  1. Download and run the GUI version of IIS Crypto 2.0:
    https://www.nartac.com/Products/IISCrypto/Download
  2. On the Schannel tab that appears by default, under Protocols, clear all checkboxes except for TLS 1.1 and TLS 1.2 so that it looks like this:



  3. Click Apply and restart the EmpowerID server.

To configure the client machine

  1. On the client machine, download and install the appropriate patch for the Windows 7 or 2012 R2 machine:
    https://support.microsoft.com/en-us/help/3080079/update-to-add-rds-support-for-tls-1.1-and-tls-1.2-in-windows-7-or-windows-server-2008-r2

    You only need to install this patch on Windows 7 or Windows 2012 R2 client machines from which the user wants to connect remotely using Privileged Session Manager (PSM) to a machine with TLS 1.x. 

  2. From the Start menu, open the Registry Editor (regedit).
  3. Expand the Computer node and navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client

    If the TLS 1.1 or Server or Client subkeys do not exist under the Protocols key, add them by right-clicking the parent key and selecting New, then Key, and entering the key name.

  4. Right-click Client, select New, then DWORD (32-bit) Value, and set the Value name to DisabledByDefault. (Leave the Value data to the default value of 0.)



  5. Repeat for each of the following keys:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server




In this article