ADFSProvider appears to require TLS1.0

[FakeLoki]

Hi,

I recently attempted an upgrade of our PrivacyIDEA server to 3.2.2 and found that the ADFSProvider plugin had issues. The OwnCloud and RDP plugins continues to work and authenticate so this issue was isolated to just the ADFSProvider.

After some investigation I found these SSL/TLS errors in the event log:

I upgraded to the latest version of the ADFSProvider and still had the issue so I began to compare settings between the /etc/apache2/sites-enabled/privacyidea.conf file on the old server and the new server and found that TLSv1.0 had been disabled after the upgrade. After enabling TLSv1.0 and adding the ECDH+AES256 SSLCipherSuite and restarting Apache I found that the ADFSProvider was able to connect and work.

Updated privacyidea.conf:

The ADFS server threw no certificate errors when accessing PrivacyIDEA via IE or Chrome and the complete certificate chain was in place.

Could we please have the requirement for TLSv1.0 fixed to allow for better security with newer TLS versions?

Kind Regards,

FakeLoki

[sbidy]

Hey,
thank you for the issue 😄 ...

So in my opinion this problem occurs because of the missing support for TLS 1.2 or TLS 1.1.
This happens if the .Net Framework is <4.6. After .Net 4.6 TLS 1.1/2 is enabled by default.
Can you please check the value following registry keys on the system:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
      "SystemDefaultTlsVersions"
      "SchUseStrongCrypto"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
      "SystemDefaultTlsVersions"
      "SchUseStrongCrypto"

or / and

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
      "SystemDefaultTlsVersions"
      "SchUseStrongCrypto"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
      "SystemDefaultTlsVersions"
      "SchUseStrongCrypto"

This values should be 1

Can you please also provide the following information:

• Installed .Net version
• Windows Server Version (Build)

Thank you !!

[sbidy]

So .... can you please install the new release 1.3.6b?
This should solve the problem with TLSv1.0 disabled.

Link to release

[FakeLoki]

Sorry for the delay.

I've installed 1.3.6b, as well as .Net 4.8 with a restart, tested again and I'm still getting the same error.
I tried going through some of the steps here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs
(Disabled TLS1.0, Enabled TLS1.2) and restarted but that didn't help either (Although I haven't played with the cipher suites or the Enabling Strong Authentication for .NET applications reg keys).

I'm thinking I should be looking at rebuilding the ADFS Server (It's currently 2012 R2 and most of our farm is 2016). I'll need to do it at some point and if that fixes this issue then that's a bonus.

Thanks for your work on this sbidy, I'll let you know how I go with ADFS on Windows Server 2016.

[sbidy]

Please let me know if the "reinstall" fixed the problem.
Regarding the MS documentation is TLS 1.2 in .Net >4.6 set as default (see here).
It is possible to force TLS 1.2 within the provider code but this is not recommended by MS as best practices.

[splumhoff]

The Issue is common for .NET Applications

Adding "SchUseStrongCrypto"=dword:00000001 to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v4.0.30319
and HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft.NETFramework\v4.0.30319 fixed the problem on my two Windows Server 2016-Servers without any negative effects. Please note that you have to restart the ADFS-Service in order to get it active after the change.

Reference: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enabling-strong-authentication-for-net-applications