Okta ends browser support for TLS 1.1
At Okta, we know that our dependable service is integral to the important work you're doing. Ensuring the security of your environment is a top priority. On February 13, 2018, we informed you of Okta's plan to align with industry-standard best practices and make infrastructure changes to our support of Transport Layer Security (TLS). Specifically, effective August 1, 2018, Okta will only support TLS 1.2 connections and will stop supporting TLS 1.0 and 1.1 due to security vulnerabilities.
This article describes the changes you may need to make for Microsoft Internet Explorer browsers in your organization. For TLS 1.2-related information on all Okta products and agents, as well as the schedule, see Migrating to TLS 1.2.
How this might affect your org
Update Windows registry if you disabled TLS 1.2 through the registry
You must update your Windows registry only if you disabled TLS 1.2 through the registry. If this applies to workstations in your org, update the registry with the following values to ensure your end users retain access to Okta and Okta-managed apps:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
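The following PowerShell script is an added example, not part of the original Okta article: it reports whether the four SCHANNEL values listed above are set as the article specifies, and with -Fix corrects only values that were explicitly set otherwise. The function name Get-Tls12State, the -Fix switch and the treatment of any nonzero value as "on" are assumptions of this example.

```powershell
# Added example: audit (and optionally correct) the SCHANNEL TLS 1.2 values from the article.
# Use an elevated PowerShell session when running with -Fix.
param([switch]$Fix)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
# Values the article specifies for both the Client and the Server subkey.
$expected = [ordered]@{ Enabled = 1; DisabledByDefault = 0 }

function Get-Tls12State {
    param([string]$Role)   # 'Client' or 'Server'
    $key = Join-Path $base $Role
    foreach ($name in $expected.Keys) {
        $actual = $null
        if (Test-Path $key) {
            $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{
            Role     = $Role
            Name     = $name
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Expected = $expected[$name]
            # A missing value means TLS 1.2 was not disabled through the registry,
            # so only an explicitly set, conflicting value is a finding.
            # Assumption: values are on/off flags, any nonzero value counts as "on".
            NeedsFix = ($null -ne $actual) -and ([bool]$actual -ne [bool]$expected[$name])
        }
    }
}

$report = 'Client', 'Server' | ForEach-Object { Get-Tls12State -Role $_ }
$report | Format-Table -AutoSize

if ($Fix) {
    foreach ($row in $report | Where-Object NeedsFix) {
        $key = Join-Path $base $row.Role
        New-ItemProperty -Path $key -Name $row.Name -Value $row.Expected -PropertyType DWord -Force | Out-Null
        Write-Output "Set $($row.Role)\$($row.Name) to $($row.Expected)"
    }
}
```

Rows showing "(not set)" need no change under the article's guidance, because the registry update applies only where TLS 1.2 was disabled through the registry.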
If appropriate for your environment, you can use a third-party management tool such as GPO to update IE options on multiple workstations throughout your enterprise.
(From a procedure entitled Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy in this Microsoft article):
Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page > Turn off encryption support
Note: It is important to check consecutive versions. Not selecting consecutive versions (for example, checking TLS 1.0 and 1.2 but not checking 1.1) could result in connection errors.
Enable TLS 1.2 on .NET
TLS 1.2 is supported on .NET 4.6 and above. To determine the version of .NET installed on your system:
The link to the .NET 4.6.2 installer is: https://www.microsoft.com/en-us/download/details.aspx?id=53344.
To set TLS 1.2, edit the registry as follows:
Note: If you are using ADFS, you must restart the service after enabling TLS 1.2 on .NET.