Tags: biztalk, tls1.2, .net-4.6, biztalk-2016

BizTalk 2016 Feature Pack 3 throwing exception while calling TLS 1.2 compliant API


To support TLS 1.2 for BizTalk 2016, we upgraded to BizTalk 2016 Feature Pack 3. The upgrade was successful and our workflow was working without issues until our networking team turned off support for TLS 1.0 and TLS 1.1. After that we started getting the error below while calling an API from BizTalk. We know that the API supports TLS 1.2.

Inner exception stack trace:

The adapter failed to transmit message going to send port "SndPort_PostMsgfile" with URL "https://demo-xxxxxx-api.abc.com/api/Message/MessageFile". It will be retransmitted after the retry interval specified for this Send Port. Details:"System.ServiceModel.Security.SecurityNegotiationException: Could not establish secure channel for SSL/TLS with authority 'demo-common-api.medimpactdirect.com'. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelAsyncRequest.CompleteGetResponse(IAsyncResult result)

Server stack trace:

   at System.Runtime.AsyncResult.End[TAsyncResult](IAsyncResult result)
   at System.ServiceModel.Channels.ServiceChannel.SendAsyncResult.End(SendAsyncResult result)
   at System.ServiceModel.Channels.ServiceChannel.EndCall(String action, Object[] outs, IAsyncResult result)
   at System.ServiceModel.Channels.ServiceChannel.EndRequest(IAsyncResult result)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at System.ServiceModel.Channels.IRequestChannel.EndRequest(IAsyncResult result)
   at Microsoft.BizTalk.Adapter.Wcf.Runtime.WcfClient`2.RequestCallback(IAsyncResult result)".

We want to make sure that the request which goes out from BizTalk is always on TLS 1.2. Do we need to make updates to the WebHTTP Send Port by building a behavior extension with the following snippet of code (as done in the APIs): ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

Are changes required in the registry? I tried updating the registry based on the suggestions from: https://support.microsoft.com/en-us/help/3155464/ms16-065-description-of-the-tls-ssl-protocol-information-disclosure-vu


Solution

  • Solved this by using the suggestions from the blog.

    We also had to add registry entries for the TLS 1.2 protocol under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

    In addition, if you are using the SFTP adapter, BizTalk Server 2016 Feature Pack 3 requires WinSCP version 5.13.1. If you have an older version the SFTP adapter will keep shutting down. Please refer to this.
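The answer names the SCHANNEL Protocols key but not the individual values, and the question asks whether the fix belongs in a WCF behavior extension or in the registry. The script below is an added example written for this page, not code from the question, the answer, or Microsoft; it sets the SCHANNEL values that enable TLS 1.2 and the .NET Framework 4.6+ values (SchUseStrongCrypto and SystemDefaultTlsVersions) that make ServicePointManager, and therefore the WCF-WebHttp adapter, follow the OS protocol list without a code change, then verifies with a TLS 1.2-only handshake. The target host and port are placeholders; the registry paths are the documented SCHANNEL and .NET Framework locations.

```powershell
#Requires -RunAsAdministrator
# Added example: enable TLS 1.2 for SCHANNEL and for .NET Framework 4.6+ on a
# BizTalk 2016 server, then verify. Run on every BizTalk server in the group.
[CmdletBinding()]
param(
    # Assumption: placeholder taken from the redacted URL in the question; replace it.
    [string]$TargetHost = 'demo-xxxxxx-api.abc.com',
    [int]$Port = 443
)

function Set-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value)
    # Creates the key if it does not exist, then writes/overwrites the DWORD.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. SCHANNEL: explicitly enable TLS 1.2 for both the client and server role.
#    BizTalk is the client when it calls the API, but enabling both sides avoids
#    a second round of changes for receive locations hosted in IIS.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
foreach ($side in 'Client', 'Server') {
    Set-RegistryDword -Path "$schannel\$side" -Name 'Enabled'           -Value 1
    Set-RegistryDword -Path "$schannel\$side" -Name 'DisabledByDefault' -Value 0
}

# 2. .NET Framework 4.x: make the runtime default to the OS protocol list instead
#    of the hard-coded SSL3/TLS1.0 default. Both hives are set because BizTalk
#    host instances can run as 32-bit or 64-bit processes.
$dotnetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
foreach ($key in $dotnetKeys) {
    Set-RegistryDword -Path $key -Name 'SchUseStrongCrypto'       -Value 1
    Set-RegistryDword -Path $key -Name 'SystemDefaultTlsVersions' -Value 1
}

# 3. Read the values back so a reviewer can see what the host will pick up.
Get-ItemProperty -Path "$schannel\Client" | Select-Object Enabled, DisabledByDefault
foreach ($key in $dotnetKeys) {
    Get-ItemProperty -Path $key | Select-Object PSPath, SchUseStrongCrypto, SystemDefaultTlsVersions
}

# 4. Verify that the OS stack can complete a TLS 1.2-only handshake with the API.
#    This proves SCHANNEL and the remote endpoint; the .NET defaults are only
#    picked up by processes started after the registry change.
function Test-Tls12Handshake {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        # Restrict to TLS 1.2 so a fallback to 1.0/1.1 cannot mask a problem.
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
        [pscustomobject]@{
            Host       = $HostName
            Negotiated = $ssl.SslProtocol
            Cipher     = $ssl.CipherAlgorithm
            Succeeded  = $true
            Error      = $null
        }
    } catch {
        [pscustomobject]@{
            Host       = $HostName
            Negotiated = $null
            Cipher     = $null
            Succeeded  = $false
            Error      = $_.Exception.Message
        }
    } finally {
        $client.Dispose()
    }
}

Test-Tls12Handshake -HostName $TargetHost -Port $Port
```

The registry values are read at process start, so restart the BizTalk host instances (and IIS, if receive locations run in an isolated host) after running the script; until then the running host processes keep the old protocol defaults and the "Could not create SSL/TLS secure channel" error persists. Setting the keys machine-wide is preferable to a ServicePointManager.SecurityProtocol = Tls12 behavior extension, because the extension only covers the send ports it is attached to and pins the protocol, whereas SystemDefaultTlsVersions lets a later OS update move the host to newer TLS versions without another BizTalk change.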