Tuesday, 5 December 2017

ADFS 2016 and TLS 1.2 - The underlying connection was closed: An unexpected error occurred on a receive

Just recently I encountered a problem when trying to federate a domain between Azure Active Directory and on-premises ADFS 2016. When running the Azure AD Connect wizard, you receive an error that the domain cannot be converted to federated. If you try to run Convert-MsolDomainToFederated manually from the Azure AD Connect machine, you receive this error message:

"The underlying connection was closed: An unexpected error occurred on a receive."

The issue happens if you have turned off TLS 1.0 on your ADFS servers. After you reenable TLS 1.0, the configuration wizard runs smoothly. However, if TLS 1.0 must stay turned off because you are working in a highly secure environment such as a financial institution, you probably followed the steps in this article on how to turn on TLS 1.2 on ADFS 2016 servers:

Managing SSL/TLS Protocols and Cipher Suites for AD FS
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs

The problem is that if you turn on TLS 1.2 (and turn off TLS 1.0) on the ADFS servers, you also need to enable TLS 1.2 on the Azure AD Connect machine:

Enable TLS 1.2 for Azure AD Connect
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites#enable-tls-12-for-azure-ad-connect

You can simply follow the step in that article and set the following registry value on the Azure AD Connect machine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 "SchUseStrongCrypto"=dword:00000001

This keeps the environment on TLS 1.2 only, instead of reenabling TLS 1.0 as a workaround.
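As an added example that is not part of the original post, the following PowerShell script checks (and, with -Fix, sets) the SchUseStrongCrypto value from the step above on the Azure AD Connect machine, including the Wow6432Node path that 32-bit .NET processes read, and then tests a TLS 1.2 connection to the ADFS federation metadata endpoint. The host name adfs.example.com is a placeholder; replace it with your federation service name.

```powershell
# Added example (not from the original post). Checks, and optionally sets, the .NET
# strong-crypto registry values that make .NET 4.x clients (the Azure AD Connect
# wizard, the MSOnline cmdlets) negotiate TLS 1.2, then verifies that the ADFS
# federation metadata endpoint answers over TLS 1.2. Run in an elevated session.
param(
    [string]$AdfsHost = 'adfs.example.com',   # assumed placeholder, not from the post
    [switch]$Fix                              # write the value instead of only reporting
)

$paths = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'  # read by 32-bit .NET processes on 64-bit Windows
)

foreach ($p in $paths) {
    if (-not (Test-Path $p)) { Write-Warning "Missing key: $p"; continue }
    $item = Get-ItemProperty -Path $p -Name 'SchUseStrongCrypto' -ErrorAction SilentlyContinue
    $current = if ($item) { $item.SchUseStrongCrypto } else { $null }
    if ($current -eq 1) {
        Write-Host "OK   $p SchUseStrongCrypto = 1"
    } elseif ($Fix) {
        # DWORD 1 = use strong crypto; .NET applications pick it up on their next start.
        Set-ItemProperty -Path $p -Name 'SchUseStrongCrypto' -Value 1 -Type DWord
        Write-Host "SET  $p SchUseStrongCrypto = 1 (restart Azure AD Connect to apply)"
    } else {
        Write-Host "FAIL $p SchUseStrongCrypto = '$current' (expected 1)"
    }
}

# Prove the ADFS side accepts TLS 1.2 independently of the registry setting:
# this assignment affects only the current PowerShell session.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$uri = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    $r = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 15
    Write-Host "OK   TLS 1.2 connection to $uri (HTTP $($r.StatusCode))"
} catch {
    # With TLS 1.0 disabled on ADFS and no TLS 1.2 on the client, this is where
    # "The underlying connection was closed" shows up.
    Write-Host "FAIL $uri : $($_.Exception.Message)"
}
```

Run it once without -Fix to see the current state, then with -Fix to set the value; the registry change only takes effect for .NET processes started after it, so rerun the Azure AD Connect wizard afterwards. If the metadata request fails even with the session forced to TLS 1.2, the problem is on the ADFS or WAP side rather than on the Azure AD Connect machine.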

A similar issue can occur between your WAP server and ADFS; here is an article on how to solve it:

Error While Configuring WAP–The Underlying Connection Was Closed
https://blogs.technet.microsoft.com/keithab/2015/04/13/error-while-configuring-wapthe-underlying-connection-was-closed/
