Issue:

The ZENworks Configuration Management - Best Practices Guide details steps that can be taken to configure SSL/TLS for the ZENworks Server.


These steps can be used to disable TLS 1.0 support on the server if security policy requires it.


Both Build Console and the ENGL deployment process connect to the ZENworks Configuration Management Server using TLS 1.0 by default. If TLS 1.0 is disabled on the server, these connections fail and errors will occur.


The ztoolkit.log file will report errors similar to:

[Zsoaplib] [Debug] Web Service connect error: The underlying connection was closed: An unexpected error occurred on a send.


Build Console will display an error dialog when you attempt to browse for a ZCM user or group, in both the New Project wizard and the Expert View.

Note: Build Console does not report this error to the buildconsole.log file.




Solution:


It is possible to configure registry keys that tell .NET applications not to connect using TLS 1.0 but to use TLS 1.1 and/or TLS 1.2 instead.

Note: This setting applies to ALL .NET 3.5 SP1 applications on the machine, so it may have unexpected consequences if other applications on the same machine only support TLS 1.0.


Procedure:


On the Build Console machine

  • Save the registry info below to buildconsole.reg
    Windows Registry Editor Version 5.00

    ;
    ; ENGL registry file - Modify TLS settings.
    ; JG 20190620
    ;

    ;
    ; https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs
    ;
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
    "Enabled"=dword:00000001
    "DisabledByDefault"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
    "Enabled"=dword:00000001
    "DisabledByDefault"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
    "Enabled"=dword:00000001
    "DisabledByDefault"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    "Enabled"=dword:00000001
    "DisabledByDefault"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    "Enabled"=dword:00000001
    "DisabledByDefault"=dword:00000000

    ;
    ; https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
    ;
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
    "SchUseStrongCrypto"=dword:00000001
    "SystemDefaultTlsVersions"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001
    "SystemDefaultTlsVersions"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
    "SchUseStrongCrypto"=dword:00000001
    "SystemDefaultTlsVersions"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001


  • Copy the buildconsole.reg file to the Build Console machine.
  • Merge the registry file
  • Restart the machine
  • Test to confirm that it is possible to browse for a ZCM user or group without an error being displayed.
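Before browsing for a user or group, it is worth confirming that the merged values are really in place and that the ZCM server accepts a TLS 1.2 connection from this machine. The PowerShell script below is an added example and is not part of this TID or of the ENGL product: it reads the SCHANNEL and .NET Framework values that buildconsole.reg sets, reports the effective state of each protocol, and then attempts a TLS 1.2-only handshake to the server. It assumes an elevated PowerShell 5.1 session on the Build Console machine (it can be run the same way on a machine deployed with phase0-before.reg); the server name zcm-server.example.com is a placeholder you replace with your own ZENworks server.

```powershell
# Added example (not ENGL code): verify the TLS registry state set by
# buildconsole.reg and test a TLS 1.2-only handshake to the ZCM server.
# Assumes an elevated PowerShell 5.1 session; $ZcmServer is a placeholder.
param(
    [string]$ZcmServer = 'zcm-server.example.com',   # placeholder, replace with your server
    [int]$Port = 443
)

function Get-RegDword {
    # Returns the DWORD value, or $null when the key or value does not exist
    # (an absent value means the OS / .NET default applies).
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-SchannelState {
    # Combines Enabled and DisabledByDefault the way SCHANNEL interprets them.
    param([string]$Protocol, [string]$Side)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\$Side"
    $enabled  = Get-RegDword -Path $key -Name 'Enabled'
    $disabled = Get-RegDword -Path $key -Name 'DisabledByDefault'
    if ($null -eq $enabled -and $null -eq $disabled) { return 'OS default (no key)' }
    if ($enabled -eq 0)  { return 'disabled' }
    if ($disabled -eq 1) { return 'enabled but not offered by default' }
    return 'enabled'
}

function Test-Tls12Handshake {
    # Forces TLS 1.2 only, so the outcome shows whether the server accepts it
    # regardless of what the .NET application on this machine would offer.
    param([string]$Server, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        return "OK: negotiated $($ssl.SslProtocol), $($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
    } catch {
        # A protocol mismatch and an untrusted server certificate both land here;
        # the message tells them apart.
        return "FAILED: $($_.Exception.GetBaseException().Message)"
    } finally {
        $tcp.Dispose()
    }
}

Write-Host 'SCHANNEL protocol settings:'
foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Client', 'Server') {
        '  {0,-8} {1,-7} {2}' -f $proto, $side, (Get-SchannelState -Protocol $proto -Side $side)
    }
}

Write-Host "`n.NET Framework settings (SystemDefaultTlsVersions=1 makes .NET follow SCHANNEL):"
$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
foreach ($key in $netKeys) {
    $vals = foreach ($name in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
        $v = Get-RegDword -Path $key -Name $name
        if ($null -eq $v) { "$name=<absent>" } else { "$name=$v" }
    }
    "  $key`n      $($vals -join '  ')"
}

Write-Host "`nTLS 1.2 handshake to ${ZcmServer}:${Port}:"
Test-Tls12Handshake -Server $ZcmServer -Port $Port
```

Run it once before merging the .reg file and once after the restart; the .NET lines should change from `<absent>` to `=1`, and the handshake line should read `OK: negotiated Tls12`. A handshake that fails with a certificate validation message rather than a protocol error points at server certificate trust on the Build Console machine, which is a separate problem from the TLS version settings covered here.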



Build process

  1. Save the registry info below as phase0-before.reg
    Windows Registry Editor Version 5.00

    ;
    ; ENGL registry file - Modify TLS settings.
    ; JG 20190620
    ;

    ;
    ; https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs
    ;
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
    "Enabled"=dword:00000001
    "DisabledByDefault"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
    "Enabled"=dword:00000001
    "DisabledByDefault"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
    "Enabled"=dword:00000001
    "DisabledByDefault"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    "Enabled"=dword:00000001
    "DisabledByDefault"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    "Enabled"=dword:00000001
    "DisabledByDefault"=dword:00000000

    ;
    ; https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
    ;
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
    "SchUseStrongCrypto"=dword:00000001
    "SystemDefaultTlsVersions"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001
    "SystemDefaultTlsVersions"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
    "SchUseStrongCrypto"=dword:00000001
    "SystemDefaultTlsVersions"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001


  2. Open Build Console and open the project you wish to update.
  3. Select Expert View -> Customisation -> Custom files.
  4. Right-click in the properties view, then select Add.
  5. Browse to the phase0-before.reg file created earlier and select it.
  6. Save the changes to the project and validate the project.
  7. Run the Deployment Wizard to recreate the build process (ztoolkit) image.
  8. Copy the image file to the appropriate location on the server (back up the existing file first if required).
  9. Deploy the project to the machine.
  10. Confirm that the machine deploys successfully and that the error reported above no longer appears.


If you have any problems or questions about the steps in this TID, please contact the ENGL support team.