You are here:   Research
  |  Login

Welcome to my blog, quickest way to find articles is usually to search for them.

Minimize
Search in All Title Contents
 
     

ConfigMgr Current Branch Setup fails due to TLS 1.2 configuration

Jan 04 2018

I recently (well yesterday) stumbled across a ConfigMgr Current Branch setup of a new site server failing due to TLS configuration. Turned out that the ConfigMgr 1702 setup (latest baseline as of today) couldn’t install when TLS 1.0 and SSL 3.0 had been removed due to server hardening. The server was Windows Server 2016, and the database SQL was SQL Server 2016 Standard with SP1.

The Issue

When not having TLS 1.0 and SSL 3.0 enabled, the ConfigMgr 1702 setup failed with the following error:

*** [08001][18][Microsoft][ODBC SQL Server Driver][Shared Memory]SSL Security error3000 (0x0BB8)
*** [01000][1][Microsoft][ODBC SQL Server Driver][Shared Memory]ConnectionOpen (SECCreateCredentials()).
*** Failed to connect to the SQL Server, connection type: CM01.CORP.VIAMONSTRA.COM MASTER.
*** [08001][18][Microsoft][ODBC SQL Server Driver][Shared Memory]SSL Security error
*** [01000][1][Microsoft][ODBC SQL Server Driver][Shared Memory]ConnectionOpen (SECCreateCredentials()).
*** Failed to connect to the SQL Server, connection type: CM01.CORP.VIAMONSTRA.COM MASTER.

The Fix

First, make sure you are on .NET Framework 4.6.2, and then use IISCrypto.exe from Nartac Software to temporarily enable TLS 1.0 and SSL 3.0

Then run the ConfigMgr 1702 setup, upgrade to ConfigMgr 1706 or ConfigMgr 1710, and then disable TLS 1.0 and SSL 3.0 again.

There is more information on how to enable TLS 1.2 for ConfigMgr on this link: https://support.microsoft.com/en-us/help/4040243/how-to-enable-tls-1-2-for-configuration-manager

 

Note: Running ConfigMgr in TLS 1.1 or TLS 1.2 only environments is begging for trouble. Guidance and real world testing of this scenario is quite limited. Don’t say I didn't warn you :)

 

IISCrypto
Temporarily enable TLS 1.0 and SSL 3.0 to allow the ConfigMgr 1702 setup to run.

 

IISCrypto2
Hardening put back again, after upgrading to ConfigMgr 1706 or ConfigMgr 1710.

 

Written by Johan Arwidmark.









Deployment News


Happy deployment, and thanks for reading!


What our lawyers makes us say:

This information is provided "AS IS" with no warranties, confers no rights and is not supported by the authors or Deployment Artist.

Copyright © 2017 by Deployment Artist (the company behind deployment research). All rights reserved. No part of the information on this web site may be reproduced or posted in any form or by any means without the prior written permission of the publisher.

Shorthand: Don't pass off our work as yours, it's not nice.

Blog Archive

Minimize




Where you can meet us!

Live Stream Recordings
ConfigMgr 1806 and W10 OSD

Windows 10 OSD Classes (US)
Dec 10, 2018, Chicago, US

Windows 10 OSD Classes (Europe)

Feb 4, 2019, Culemborg, The Netherlands

ConfigMgr CB Classes (US)
Jan 21, 2019, New York, US

Video-based trainings
https://online.truesec.com
https://deploymentartist.com/Training/Videos

MDT, Windows 10 and ConfigMgr Books
http://deploymentartist.com/Books

Contact Info
http://deploymentresearch.com/theteam