Configure TLS 1.2 on BizTalk Server

This is the official announcement about TLS 1.2 support in BizTalk Server 2016. I am quoting the relevant text from Microsoft's official page as a reference.
TLS 1.2 support
TLS 1.2 is fully supported in BizTalk Server, including all the adapters and all the accelerators. You can disable SSL, TLS 1.0, and TLS 1.1 on the BizTalk Server.
Key information:
  • Any external systems communicating with BizTalk also need to support TLS 1.2
  • Any custom code, such as functoids, may need to be updated to support TLS 1.2
Description of the TLS/SSL protocol describes how to set up a TLS 1.2 environment.
For older versions such as BizTalk 2013 or 2010, however, using TLS 1.2 is not straightforward: some extra work is needed to enable it. Follow the steps below to enable TLS 1.2.

Typically you will see errors like the following when trying to connect to an external service that already requires TLS 1.2:

  • SSL Security error.
  • [DBNETLIB][ConnectionOpen (SECCreateCredentials()).]SSL Security error. 
  • Could not create SSL/TLS secure channel.
  • The remote server returned an error: (403) Forbidden. 
No need to worry :) There is a solution: enable TLS 1.2 on your BizTalk server.

Let's start for BizTalk 2010 first:
BizTalk Server 2010 supports .NET Framework 4.0, and that version of the Framework supports only SSL 3.0 and TLS 1.0. .NET Framework 4.5, however, does support TLS 1.1 and TLS 1.2. So .NET Framework 4.5 must be installed on the BizTalk machine before a TLS 1.2 connection between the two systems can be established. Let's do it.

The installer for this version of the Framework can, of course, be downloaded from the Microsoft site:

That was the first step, but TLS 1.2 is still not configured. You now have to enable it by updating the registry. Let's go through this step by step.

Note: Before making any change to the registry, I strongly recommend taking a backup of the registry.

Create the keys below and the matching DWORDs at the highlighted place:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]

Now set .NET Framework 4.0 to use the latest SecurityProtocol version by creating the DWORDs mentioned below, for both 32-bit and 64-bit hosts.



Reboot the BizTalk server for the changes to take effect.

All set now. Test your connection; you can use Wireshark to check which protocol version is actually negotiated.
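The registry steps above are shown in the original post as screenshots, which are not reproduced here. The following PowerShell script is an added example, not code from the original post: it takes the registry backup the post recommends, creates the two SCHANNEL keys and the .NET Framework DWORDs, and then verifies the configuration. The value names it writes (Enabled, DisabledByDefault under the SCHANNEL keys; SchUseStrongCrypto under the .NET Framework keys) are the standard names Microsoft documents for this purpose and are assumed to match what the screenshots showed. The host name passed to Test-Tls12Handshake is a placeholder; run the script in an elevated session.

```powershell
# Added example (not from the original post): enable TLS 1.2 for SCHANNEL and
# .NET Framework 4.x on a BizTalk host, then verify the result.
$ErrorActionPreference = 'Stop'

# SCHANNEL protocol keys from the post. Enabled=1 turns TLS 1.2 on;
# DisabledByDefault=0 lets it be used without the caller asking for it.
$schannelKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
)

# .NET Framework 4.x keys, 64-bit and 32-bit (Wow6432Node) views.
# SchUseStrongCrypto=1 makes .NET 4.0/4.5 prefer TLS 1.2 over SSL 3.0 / TLS 1.0.
$dotNetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Backup-SchannelRegistry {
    param([string]$Path)
    # Export the SCHANNEL hive before touching it, as the post recommends.
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' $Path /y | Out-Null
}

function Enable-Tls12 {
    foreach ($key in $schannelKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 0 -Force | Out-Null
    }
    foreach ($key in $dotNetKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-Tls12Registry {
    # Returns $true only when every value is set as expected; warns about each gap.
    $ok = $true
    foreach ($key in $schannelKeys) {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $p -or $p.Enabled -ne 1 -or $p.DisabledByDefault -ne 0) {
            $ok = $false; Write-Warning "Not configured: $key"
        }
    }
    foreach ($key in $dotNetKeys) {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $p -or $p.SchUseStrongCrypto -ne 1) {
            $ok = $false; Write-Warning "Not configured: $key"
        }
    }
    return $ok
}

function Test-Tls12Handshake {
    param([string]$HostName, [int]$Port = 443)
    # Forces a TLS 1.2-only handshake from this box and returns the protocol
    # actually negotiated. A failure here means either this host still cannot
    # offer TLS 1.2 (reboot pending, registry wrong) or the remote does not accept it.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
        return $ssl.SslProtocol
    } finally {
        $client.Close()
    }
}

Backup-SchannelRegistry -Path "$env:TEMP\schannel-backup.reg"
Enable-Tls12
Test-Tls12Registry
# After the reboot the post calls for, check a real endpoint (placeholder host name):
# Test-Tls12Handshake -HostName 'partner.example.com'
```

Test-Tls12Registry is the check to run after the reboot and before blaming the remote side: if it returns $false the failure is local. Test-Tls12Handshake gives a quick per-endpoint answer; a Wireshark capture of the ClientHello/ServerHello, as the post suggests, remains the authoritative way to see what BizTalk's own host process negotiates.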

Now configure for BizTalk 2013/R2:
BizTalk Server 2013/R2 supports .NET Framework 4.5.x, which already supports TLS 1.2, so here you only need to configure the registry. Follow the registry steps above and you should be ready to go. Test again with the same application.