Wayne Kalsey

TLS 1.2 Migration Clarity for End Users Accessing Okta

Hello,

Documentation states that end users need to be using newer browsers in order to access Okta once TLS 1.2 migration takes place on August 1st.  For IE 10, TLS 1.2 is Disabled by default.  For IE 11, TLS 1.2 is Enabled by default.  In cases where users are running IE 10, it makes sense to open Internet Options to enable TLS 1.2.

If a user is on Windows 7, but has a newer browser that supports TLS 1.2, then why is that listed as a concern on the documentation?  If the browser is a newer IE 11, Chrome, Firefox, or Edge, is there any additional work that needs to be performed on end user machines?  Does the .NET Framework or additional TLS 1.2 configuration in the registry need to be looked at?

We have end users who access Okta on personal devices.  It will be easy enough to ask them to upgrade their browser, but to upgrade .NET Framework and open the registry... that is not going to go over well.
Razvan Serban (Vendor Management)
Hi Wayne,

Please find below answers to your questions:

If a user is on Windows 7, but has a newer browser that supports TLS 1.2, then why is that listed as a concern on the documentation?

I was not able to find references on that, please provide a link.

If the browser is a newer IE 11, Chrome, Firefox, or Edge, is there any additional work that needs to be performed on end user machines?

Internet Explorer 11 is set by default to use TLS 1.2. If you change your IE 11 browsers to use TLS 1.1 or earlier, you must configure browsers to use TLS 1.2 (Tools > Internet Options > Advanced > Security).
Clients using IE embedded browsers (such as Microsoft Office 2016 thick clients) will operate correctly on systems with IE browsers configured to use TLS 1.2. Remember, because IE 10 is not configured with TLS 1.2 by default, an error will occur on clients with embedded IE 10 browsers unless they have been configured to use TLS 1.2.
Edge – All versions of Edge are pre-configured to use TLS 1.2.
Chrome, Firefox, and Safari – All recent versions of these browsers are pre-configured to use TLS 1.2.

Does the .NET Framework or additional TLS 1.2 configuration in the registry need to be looked at?

TLS 1.2 is supported on .NET 4.6 and above. To determine the version of .NET installed on your system:

Open the registry using regedit.exe.
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
Note: The last number might be slightly different.

If that key is missing, .NET 4.6 is not installed.

Under that key, search for key SKUs and look under it for .NETFramework,Version=v4.6.
If the key is not present, .NET 4.6 is not present on the system.

The link to .NET 4.6.2 installer is: https://www.microsoft.com/en-us/download/details.aspx?id=53344.

To set TLS 1.2, edit the registry as follows:

Open the registry using regedit.exe.
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319.
Note: The last number might be slightly different.

Add SchUseStrongCrypto registry DWORD under .NET 4.0 registry option:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"AspNetEnforceViewStateMac"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

For more details please check the documentation regarding TLS 1.2 migration:
https://support.okta.com/help/Documentation/Knowledge_Article/Migrating-to-TLS-1-2
https://help.okta.com/en/prod/Content/Topics/Miscellaneous/okta-ends-browser-support-for-TLS-1.1.htm

Thank you,
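
Added example, not part of the original answer or of Okta's documentation: a read-only PowerShell check of the registry settings the answer above describes, matching any `v4.0.*` key because the answer notes the last number can differ. The `Wow6432Node` path (the 32-bit registry view on 64-bit Windows) is an assumption added here and is not mentioned in the answer.

```powershell
# Read-only audit: reports .NET 4.6 presence and SchUseStrongCrypto per key.
# Key and value names come from the answer above; Wow6432Node is an addition.
$roots = 'HKLM:\SOFTWARE\Microsoft\.NETFramework',
         'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'

# "The last number might be slightly different", so match every v4.0.* key.
$frameworkKeys = Get-ChildItem -Path $roots -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'v4.0.*' } |
    ForEach-Object { $_.PSPath }

function Get-DotNetTlsStatus {
    param([string]$KeyPath)

    $status = [ordered]@{
        Key                = $KeyPath -replace '^.*::', ''
        Net46SkuPresent    = $false
        SchUseStrongCrypto = $null   # $null means the value is not set
    }

    # The answer says to look under SKUs for ".NETFramework,Version=v4.6".
    $sku = Join-Path $KeyPath 'SKUs\.NETFramework,Version=v4.6'
    $status.Net46SkuPresent = Test-Path -LiteralPath $sku

    # Read the DWORD without throwing when it does not exist.
    $props = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains 'SchUseStrongCrypto')) {
        $status.SchUseStrongCrypto = [int]$props.SchUseStrongCrypto
    }
    [pscustomobject]$status
}

if (-not $frameworkKeys) {
    Write-Warning 'No v4.0.* key found under .NETFramework; .NET 4.6 is not installed.'
    return
}

$report = $frameworkKeys | ForEach-Object { Get-DotNetTlsStatus -KeyPath $_ }
$report | Format-Table -AutoSize

# Flag keys that lack the 4.6 SKU or the setting the answer recommends.
foreach ($row in $report) {
    if (-not $row.Net46SkuPresent) {
        Write-Warning "No .NETFramework,Version=v4.6 SKU under $($row.Key)"
    }
    if ($row.SchUseStrongCrypto -ne 1) {
        Write-Warning "SchUseStrongCrypto is not 1 under $($row.Key)"
    }
}
```

The script changes nothing; it only reads `HKEY_LOCAL_MACHINE`, so it can be run without elevation on most systems.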
Wayne Kalsey
Hello Razvan, If the end user has a browser that is TLS 1.2 enabled such as Edge, recent versions of Chrome, Firefox, and TLS 1.2 enabled IE 11, but has a lower version of the .NET Framework such as 4.5.2, will they still be able to access the Okta site? Another way of asking, is it absolutely necessary to check the .NET Framework of users accessing Okta through a TLS 1.2 enabled browser? Thank you.
Eric Tipton
Would like some clarity here as well. Okta?