TLS Error 70 issues
I have a web application (IIS 8) on one server (Windows Server 2012) connecting to SQL Server Reporting Services 2012 on another server (Windows Server 2008) that until recently was working fine. About a week ago, it stopped working, and since then, I have not been able to get the system working again. The premise is that my code calls to SSRS to retrieve a report, then serves it to the user (so that the user never has view or access to the report directly for security reasons).
The error message in my logs states "The request was aborted: Could not create SSL/TLS secure channel."
The web server is reporting "A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 70. The Windows SChannel error state is 105." which says that it's trying to negotiate an unsupported protocol.
Fixes tried (and failed):
- Updated code to force TLS 1.2
- Fully patched both servers, and software that doesn't automatically get patched
- Checked firewall on both servers (it is disabled)
- Examined and updated the allowed protocols, etc. with IIS Crypto to disable insecure options on both servers. And out of desperation (because it came up in search results and Windows Update notes):
- Added the LdapEnforceChannelBinding registry entry per MS at https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry.
- Followed the directions at https://community.spiceworks.com/topic/1794963-schannel-event-id-36888-microsoft-no-help-at-all re security check exemptions
- Removed the last set of patches from Windows Update
So far nothing has worked, and the only other ideas that I have (but am not sure I want to try except at last resort) are
Remove the most recent set of Windows patches- Disable or delete encryption ciphers (MS recommended this a few years ago per http://searchsecurity.techtarget.com/news/2240234856/Microsofts-Schannel-security-patch-affecting-TLS-connections
- Disable Data Execution Prevention (it has been working for years this way)
Before I take any of these steps, does anyone have any ideas on anything else I can try to get these two servers talking again?
Tom, I'm sure you're past this. Did you ensure the "Use TLS 1.0" and "Use TLS 1.1" settings are disabled in Internet Options for both Machines (Control Panel --> Internet Options --> Advanced Tab --> Security)?
Caveat to this is that communication to any websites or services that still use TLS 1.0 /1.1 will not be possible.
If you got past this, please share your workflow.