We have recently noticed an issue at our customers when installing new Pass Through Authentication (PTA) agents and Azure App Proxy (AADAP) connectors. The Windows services for the PTA agents fail to start because the agent or connector does not register with Azure AD.
An event log trace error like the one below is recorded:
System.ServiceModel.CommunicationException: An error occurred while making the HTTP request to https://7b79bbac-42e6-4f1c-867f-bc05c52eb2cd.registration.msappproxy.net/register/RegisterConnector. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
NOTE: This doesn't just impact newly installed agents; it impacts all PTA agents and AADAP connectors installed in your environment.
Microsoft have recently made a back-end change that enforces the TLS 1.2 security protocol when agents and connectors register. Existing agents and connectors maintain a persistent connection to the Azure AD back-end service, so TLS 1.2 is also enforced when they refresh their registration details.
As explained in the Microsoft article and elsewhere, TLS 1.2 has long been recommended while older security protocols still worked; it is now being enforced by Microsoft. Windows Server 2012 R2 and Windows Server 2016 platforms need to be configured to use the TLS 1.2 security protocol.
The solution to this issue involves applying four simple registry keys; we recommend setting them with PowerShell (after testing first, obviously).
- Set the following Registry Keys:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "DisabledByDefault"=dword:00000000 "Enabled"=dword:00000001
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "DisabledByDefault"=dword:00000000 "Enabled"=dword:00000001
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 "SchUseStrongCrypto"=dword:00000001
- [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 "SchUseStrongCrypto"=dword:00000001
- Reboot the server
A PowerShell script to set the registry configuration is located here.
NOTE: Make sure no Group Policy Object is overriding these registry settings.
- Confirm all existing PTA agents and AADAP connectors are active. Inactive agents will automatically deregister after 10 days.
- Remediate all Azure AD Connect servers and other servers running PTA agents and AADAP connectors by making the registry changes.
- Prior to installing new PTA agents or AADAP connectors, apply the registry changes on the servers, including the required reboot.
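As an added example (not the script linked from this post), the PowerShell below sets the four keys listed above and then reads every value back, so a typo or a Group Policy Object rewriting the key shows up before you reboot. It assumes an elevated session; the reboot itself is left as a commented-out line.

```powershell
# Added example, not the post's own script: enable TLS 1.2 in SCHANNEL and tell
# .NET 4.x to follow the OS defaults with strong crypto, then verify the values.
$settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
       Data = @{ DisabledByDefault = 0; Enabled = 1 } },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
       Data = @{ DisabledByDefault = 0; Enabled = 1 } },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
       Data = @{ SystemDefaultTlsVersions = 1; SchUseStrongCrypto = 1 } },
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
       Data = @{ SystemDefaultTlsVersions = 1; SchUseStrongCrypto = 1 } }
)

function Set-Tls12Registry {
    foreach ($s in $settings) {
        # The TLS 1.2\Client and \Server keys normally do not exist yet; create them.
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        foreach ($name in $s.Data.Keys) {
            New-ItemProperty -Path $s.Path -Name $name -Value $s.Data[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-Tls12Registry {
    # One object per expected value; Ok = $false flags drift (for example a GPO
    # overriding the key), so rerun this after gpupdate or the reboot as well.
    foreach ($s in $settings) {
        foreach ($name in $s.Data.Keys) {
            $actual = (Get-ItemProperty -Path $s.Path -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{
                Path     = $s.Path
                Name     = $name
                Expected = $s.Data[$name]
                Actual   = $actual
                Ok       = ($actual -eq $s.Data[$name])
            }
        }
    }
}

Set-Tls12Registry
$result = Test-Tls12Registry
$result | Format-Table -AutoSize
if ($result | Where-Object { -not $_.Ok }) {
    Write-Warning 'Some values did not stick; check for a Group Policy Object overriding them.'
} else {
    Write-Host 'All TLS 1.2 registry values are present; reboot the server to apply them.'
    # Restart-Computer -Force
}
```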
Even though the impact of this issue can be quite drastic, the fix is straightforward. We recommend implementing it as soon as possible to avoid any unexpected outages.
If you require any help, don't hesitate to give us a call and one of our engineers will talk it through with you over the phone.