We were in a time crunch since the change has already been implemented and had to be rolled back. We were given 2 weeks to determine the root cause, come up with a solution and apply the fix before mgmt will be forced to decide whether to move on with the TLS 1.0 traffic denial to meet the deadline or hold off.
At first logically, we thought maybe the TLS and SSL settings within the systems are to be blamed. But that wasn't the case, the settings for the most part was the default IE 11 settings.
While troubleshooting, we discovered the issue only happened when logged in with a particular service account. When logged in as an admin, the issue on the same machine doesn't appear to be happening. (I think you can already see where this is going).
https://technet.microsoft.com/en-us/library/dn786418(v=ws.11).aspx#BKMK_SchannelTR_TLS11
The link above discusses how to enable/disable TLS/SSL settings on a machine via system registry. NOTE: even if you made changes in a system via the IE Properties, those changes will not show up in the registry.
So, from the article above I thought Ok, we will simply disable TLS 1.0 in the system and that will resolve the issue. To disable TLS 1.0 do the following:
1. Open registry.
2. Local Machine\SYSTEM\CurrentControlSet\Control\SecurityProvider\SCHANNEL\Protocols
3. Create a subkey Client.
4. Create the DWORD entry Enabled and set the value to 0. BTW, to disable it is 0 and to enable set it to 1.
Crossed my finger hoping this will force the system to using anything other than TLS 1.0. Nope!
It didn't work. Issue still persist with the below error screen:
So, the search continues. Thanks Google!
BTW, we were able to determine via a packet capture (thanks Wireshark) that for each web request the system would start with TLS 1.0 request first. It's suppose to be the other way around. The request always start top down, from TLS 1.2 and down.
Then I stumbled across this article below from MS:
https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1.1-and-tls-1.2-as-a-default-secure-protocols-in
Basically this article describes how you can force a system to use either TLS 1.2 or 1.1 via registry. Below are the steps to do just that:
1. Open registry
2. Local Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHTTP
3. Here add the subkey DefaultSecureProtocols and enter the desired value.
If you want the option to use both TLS 1.2 and 1.1, you can just add 0x00000A00.
Within the same article, there's also the option to Download the fix and apply it to the system. However, I didn't like this particular solution.
I didn't like the solution because it is forcing a system to use a specific protocols for each request which means, I will have to have that documented and that piece of info will have to be passed on for anyone other than me in future responsible with this particular platform. Also if any changes were decided upon in future with TLS settings like this time, we will be revisiting the issue again.
So the search continues. And that's when I noticed the Note section right below the Download button within the same article.
Hmmm, interesting.
I immediately had a feeling that the particular User(Service) account that's having the issue has an entry for that subkey. I took the below steps:
1. Open registry.
2. Load the user hive.
3. Browse out to: Software\Microsoft\Windows\CurrentVersion\Internet Settings
4. And lo, behold! There it is. There's an entry for SecureProtocols.
5. I deleted the entry and voila, we are up and running like nothing ever happened.
Bottom line: instead of disabling the TLS 1.0 in the system and create a subkey DefaultSecureProtocols which would force the system to use either TLS 1.2/1.1, I simply deleted the SecureProtocols entry within the user account where the issue was.
