Windows update KB4343887 breaks PingID Windows Login and AD Connect when TLS 1.0 is disabled

Published: 11/04/2018

Problem Description:

After Windows update KB4343887 is installed, PingID Windows Login and AD Connect installations on servers where TLS 1.0 has been disabled experience a service disruption: the .NET 4.5-based components can no longer establish a TLS connection, because by default they still try to negotiate TLS 1.0.

Solution:

This is a Windows/.NET Framework behaviour that affects all applications built on .NET 4.5 with default protocol settings, and is not a code defect in Ping Identity's products.

Microsoft's recommendation is to migrate applications to .NET 4.7 or later, which by default defers protocol selection to the operating system and therefore negotiates the highest TLS version the OS supports (TLS 1.3 only on operating systems whose Schannel supports it). However, PingID Windows Login 2.0 and AD Connect are compiled against the .NET 4.5 framework, and the runtime keeps the protocol defaults of the framework an application targets, so simply installing a higher .NET Framework version on the server will not resolve the issue.

There are open feature enhancement requests for PingID Windows Login (PID-7216) and AD Connect (SSD-8913) to target version 4.7.2 of the .NET Framework.

If you are using PingID Windows Login version 2.0 or below, or AD Connect, and you encounter this issue, apply the workaround below.

Disabling TLS 1.0 in Schannel with IISCrypto is not enough on its own: a DWORD registry value is also required so that .NET 4.5 applications offer TLS 1.1 and 1.2.

1.    Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 add a DWORD value named SchUseStrongCrypto with data 1. On 64-bit Windows, add the same value under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 as well, since a 32-bit .NET process reads that view of the registry.

2.    Restart the server for the changes to take effect.

IISCrypto does not create or configure this DWORD value automatically. Setting SchUseStrongCrypto to 1 manually changes the .NET 4.5 default from SSL 3.0/TLS 1.0 to TLS 1.0/1.1/1.2, so the application negotiates the strongest TLS version both sides support instead of failing when TLS 1.0 has been disabled. The value is read when a .NET process starts, which is why the restart is needed.
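The following PowerShell script is an added example, not a script from Ping Identity, that performs the workaround above and checks the result: it writes SchUseStrongCrypto=1 under both the 64-bit and the Wow6432Node .NET 4.x keys, reads the values back, and reports whether the Schannel TLS 1.0 client setting that IISCrypto writes is in fact disabled (the PingID components act as TLS clients when they talk to PingOne). The choice to set both registry views is an assumption based on Microsoft's guidance for 32-bit .NET processes; run it from an elevated prompt and restart afterwards.

```powershell
# Added example (not Ping Identity's code): enable strong crypto for .NET 4.x so
# that PingID Windows Login 2.0 / AD Connect, built on .NET 4.5, can negotiate
# TLS 1.1/1.2 once TLS 1.0 has been disabled in Schannel (e.g. with IISCrypto).
# Run from an elevated PowerShell prompt; a restart is required afterwards.

# Assumption: both the 64-bit key and the 32-bit (Wow6432Node) key are set,
# because a 32-bit .NET process reads the Wow6432Node view of the registry.
$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

foreach ($key in $netKeys) {
    if (-not (Test-Path $key)) {
        # Present on any machine with .NET 4.x installed; create only if missing.
        New-Item -Path $key -Force | Out-Null
    }
    # SchUseStrongCrypto = 1 (REG_DWORD): .NET 4.5.x stops defaulting to
    # SSL 3.0/TLS 1.0 and offers TLS 1.0, 1.1 and 1.2 to the server.
    New-ItemProperty -Path $key -Name 'SchUseStrongCrypto' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# Read the values back from both views so a missed Wow6432Node entry is obvious.
foreach ($key in $netKeys) {
    $item  = Get-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { '<missing>' } else { $item.SchUseStrongCrypto }
    '{0}\SchUseStrongCrypto = {1}' -f $key, $value
}

# Confirm the Schannel side: IISCrypto disables TLS 1.0 by writing Enabled=0
# under the Client and Server subkeys. The PingID components are TLS clients,
# so the Client subkey is the one that makes SchUseStrongCrypto necessary.
$tls10Client = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client'
$tls10 = Get-ItemProperty -Path $tls10Client -ErrorAction SilentlyContinue
if ($tls10 -and $tls10.Enabled -eq 0) {
    'TLS 1.0 client is disabled in Schannel: SchUseStrongCrypto=1 is required for .NET 4.5 apps.'
} else {
    'TLS 1.0 client is still enabled (or not explicitly configured) in Schannel.'
}

# .NET reads SchUseStrongCrypto at process start and the affected Windows
# services are already running, so the setting only takes effect after a restart.
Write-Host 'Restart the server for the change to take effect (e.g. Restart-Computer).'
```

After the restart, a quick sanity check from a new PowerShell session is `[Net.ServicePointManager]::SecurityProtocol`, which shows the protocols the current .NET process would offer; with the value in place it should no longer be limited to SSL 3.0/TLS 1.0.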
Category: PingID, PingOne