EA ADFS or EA RDP Agent not working with a TLS 1.2 Enabled Okta Org
Published: Apr 6, 2018   -   Updated: Jun 22, 2018

If your Okta Tenant (Org) has already been migrated to TLS 1.2 (ahead of the August 2018 deadline), the following changes may be required in your environment so that MFA for RDP and/or ADFS keeps working.

---

Enabling TLS 1.2 on .NET and IE

Prerequisite:

TLS 1.2 is supported on .NET 4.6 and above. Here is how to determine whether .NET 4.6 is installed on your system:

  1. Open the registry using regedit.exe.
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 (NOTE: the last number could be slightly different).
    • If this key is not present, .NET 4.6 is not installed on your system.
  3. Within the v4.0.30319 key, expand SKUs and look for .NETFramework,Version=v4.6.
    • If that key is not present, .NET 4.6 is not installed on your system.

If .NET 4.6 is not installed, click the following link to install it: https://www.microsoft.com/en-us/download/details.aspx?id=53344

Enabling TLS 1.2 on .NET

Add a "SchUseStrongCrypto" DWORD value under the .NET 4.0 registry key (as described here: http://www.processio.com/enable-outbound-tls-1-1-1-2-windows-server/).

Registry change, illustrated as a .reg export:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"AspNetEnforceViewStateMac"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

Note: the ADFS Service must be restarted after performing the above step.
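The following PowerShell script is an added example, not part of the Okta article: it performs the .NET 4.6 prerequisite check from the section above and then audits (and, with -Apply, sets) the SchUseStrongCrypto value from this section, restarting AD FS afterwards if -RestartAdfs is given. It assumes the AD FS service name adfssrv, and it additionally covers the Wow6432Node registry view (read by 32-bit .NET processes on 64-bit Windows), which the article's .reg fragment does not mention.

```powershell
# Added example (not from the Okta article). Run in an elevated PowerShell.
# Assumptions: AD FS service name is adfssrv; the Wow6432Node view is included
# because 32-bit .NET processes on 64-bit Windows read that view.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Apply,        # without -Apply the script only reports
    [switch]$RestartAdfs   # restart the AD FS service after a change is applied
)

$fxRoot = 'HKLM:\SOFTWARE\Microsoft\.NETFramework'
# The article notes the last number of v4.0.30319 may differ, so match v4.0.*
$v4Key  = Get-ChildItem $fxRoot -ErrorAction SilentlyContinue |
          Where-Object { $_.PSChildName -like 'v4.0.*' } | Select-Object -First 1
if (-not $v4Key) { throw "No $fxRoot\v4.0.* key: .NET 4.x is not installed." }

# Prerequisite check as the article describes it: the SKUs subkey must list
# .NETFramework,Version=v4.6 (a newer 4.x SKU is accepted as well).
$skus  = Get-ChildItem (Join-Path $v4Key.PSPath 'SKUs') -ErrorAction SilentlyContinue |
         ForEach-Object { $_.PSChildName }
$has46 = $skus | Where-Object { $_ -match '^\.NETFramework,Version=v4\.([6-9]|\d{2,})' }
if (-not $has46) {
    throw ".NET 4.6+ SKU not found under $($v4Key.Name)\SKUs; install .NET 4.6 first."
}
Write-Host "Found .NET SKU(s): $($has46 -join ', ')"

# SchUseStrongCrypto must be 1 in every registry view that exists on this host.
$targets = @(
    "HKLM:\SOFTWARE\Microsoft\.NETFramework\$($v4Key.PSChildName)",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\$($v4Key.PSChildName)"
) | Where-Object { Test-Path $_ }

$changed = $false
foreach ($path in $targets) {
    $current = (Get-ItemProperty -Path $path -Name SchUseStrongCrypto `
                -ErrorAction SilentlyContinue).SchUseStrongCrypto
    if ($current -eq 1) { Write-Host "OK      $path"; continue }
    Write-Host "MISSING $path (SchUseStrongCrypto=$current)"
    if ($Apply -and $PSCmdlet.ShouldProcess($path, 'Set SchUseStrongCrypto=1')) {
        New-ItemProperty -Path $path -Name SchUseStrongCrypto `
            -PropertyType DWord -Value 1 -Force | Out-Null
        $changed = $true
    }
}

# The article notes the AD FS service must be restarted after the change.
if ($changed -and $RestartAdfs -and (Get-Service adfssrv -ErrorAction SilentlyContinue)) {
    Restart-Service adfssrv
}
```

Run it without switches first to see which registry views still lack the value; -Apply also honours -WhatIf.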

Enabling TLS 1.2 on IE

Note: This section is only needed for RDP and EPCS (*not* ADFS)

  1. Download PsTools from Microsoft: https://docs.microsoft.com/en-us/sysinternals/downloads/pstools
  2. Run IE in the SYSTEM context using psexec (one of the PsTools), for example: psexec -i -s "c:\program files\Internet Explorer\iexplore.exe"
  3. Open the IE options, go to the security settings and turn on TLS 1.2.