VMware Cloud Community
divadiow2
Contributor

Disabling TLS1 in Server 2008 R2 breaks network connection

I have two fully patched Server 2008 R2 VMs that have been running fine for years. It's (way past) time to disable TLS 1, so I've a GPO set to disable this in SCHANNEL for client and server, and add the reg keys under .NET 2 and 4 as well as WinHTTP. These keys are as below:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000a00

After the second reboot, so these policies are fully effective, the server's single vmxnet3 will sit spinning for a bit in the taskbar then finally go to a red cross "disconnected" symbol, as if the cable was unplugged. Network and Connection Centre won't load. RDP is also not functioning to the hostname but will to the IP.

Host is v6.7, VM hardware V7. Latest VM Tools 10338. Exchange 2010 CAS/Hub roles on servers.

Any ideas?

4 Replies
pragg12
Hot Shot

Hi,

Welcome to VMTN. 🙂

Any particular reason why the VM hardware version is 7 for this VM?

Take a snapshot and upgrade the HW version to > 13, then check and let us know if you are still facing the issue.

Consider marking this response as "Correct" or "Helpful" if you think my response helped you in any way.
divadiow2
Contributor

Thanks!

I'm new to the setup, but VMs have just been left untouched through various host updates over the last few years to the point where version 7 VMs are on 6.7 vCenter hosts.

I'll try the HW upgrade and report back.

divadiow2
Contributor

Alas, the hardware version did not make any difference.

Adding new network adaptors also made no difference, and neither did installing the newer VM Tools. TLS 1 disabled seems fine until SQL Server 2008 R2 is updated from SP3 RTM to the very latest KB that supports TLS 1.2. After that the instances start but the network sits trying to negotiate a connection then finally fails after 10 mins. While this is happening the System log fills with "A fatal error occurred while creating an SSL client credential. The internal error state is 10013."

pragg12
Hot Shot

Have a look here:

Disabling TLS 1.0 on your Windows 2008 R2 server – just because you still have one – IIS Field Readi...

Can you re-check and confirm if every hotfix and every patch released by Microsoft for Windows Server 2008 R2 has been installed on the affected servers?

Consider marking this response as "Correct" or "Helpful" if you think my response helped you in any way.
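
Added example, not posted by anyone in this thread: the keys in the original post turn TLS 1.0 off in SCHANNEL but include no SCHANNEL keys for TLS 1.1 or 1.2, so this PowerShell 2.0 compatible check reports the effective state of each protocol and role and decodes the WinHTTP bitmask. It assumes Server 2008 R2 defaults (TLS 1.0 on, TLS 1.1 and 1.2 off when no value is set) and, as a simplification, lets only the `Enabled` value decide on or off.

```powershell
# Added example: audit SCHANNEL TLS 1.0-1.2 state before/after disabling TLS 1.0.
# Assumption: Server 2008 R2 defaults apply when the Enabled value is absent.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$osDefaultOn = @{ 'TLS 1.0' = $true; 'TLS 1.1' = $false; 'TLS 1.2' = $false }

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item -ne $null) {
        $prop = $item.PSObject.Properties[$Name]
        if ($prop) { return $prop.Value }
    }
    return $null
}

function Get-ProtocolState($Protocol, $Role) {
    $key = Join-Path (Join-Path $base $Protocol) $Role
    $enabled = Get-RegValue $key 'Enabled'
    $disabledByDefault = Get-RegValue $key 'DisabledByDefault'
    # Simplification: only Enabled decides on/off; absent means OS default.
    if ($null -eq $enabled) { $on = $osDefaultOn[$Protocol]; $source = 'OS default' }
    else { $on = ($enabled -ne 0); $source = 'registry' }
    if (-not $on) { $state = 'Off' }
    elseif ($disabledByDefault -eq 1) { $state = 'Opt-in only' }
    else { $state = 'On' }
    New-Object PSObject -Property @{
        Protocol = $Protocol; Role = $Role; State = $state; Source = $source }
}

function Get-WinHttpProtocols {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
    $mask = Get-RegValue $key 'DefaultSecureProtocols'
    if ($null -eq $mask) { return 'DefaultSecureProtocols not set' }
    # WinHTTP secure-protocol flags; 0xa00 = TLS 1.1 + TLS 1.2.
    $flags = @{ 0x8 = 'SSL 2.0'; 0x20 = 'SSL 3.0'; 0x80 = 'TLS 1.0';
                0x200 = 'TLS 1.1'; 0x800 = 'TLS 1.2' }
    ($flags.Keys | Sort-Object | Where-Object { $mask -band $_ } |
        ForEach-Object { $flags[$_] }) -join ', '
}

$report = foreach ($p in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($r in 'Client', 'Server') { Get-ProtocolState $p $r }
}
$report | Select-Object Protocol, Role, State, Source | Format-Table -AutoSize
"WinHTTP DefaultSecureProtocols: $(Get-WinHttpProtocols)"
foreach ($r in 'Client', 'Server') {
    if (-not ($report | Where-Object { $_.Role -eq $r -and $_.State -ne 'Off' })) {
        Write-Warning "No TLS 1.0-1.2 protocol is available for SCHANNEL $r."
    }
}
```

A warning for a role means WinHTTP or .NET settings that request TLS 1.1/1.2 have no SCHANNEL protocol to negotiate in that role.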