Error While Configuring WAP – "The Underlying Connection Was Closed" – Part 2

Last week I ran into an issue that was similar in behavior to something I covered in a previous post. I expect we will see more calls like this, so I thought I would take some time to show you what the cause was and how to resolve it.

Problem

Running the configuration wizard on the WAP Server generates the following error:

“An error occurred when attempting to establish a trust relationship with the federation service. Error: The underlying connection was closed: An unexpected error occurred on a send.”

Figure 1 shows the error we see in the wizard.

Fig. 1

Data Gathering and Analysis

Checking the AD FS Admin event log on the WAP Server we see an Event ID 393 that corresponds to the time we received the error from the wizard (Figure 2).

Fig. 2

I also used Netmon 3.4 to capture a trace and see what was happening on the wire. Filtering for TCP traffic from the ADFS Server, I can see the behavior shown in Figure 3.

Fig. 3

As you can see, the TCP three-way handshake completes, the WAP Server sends an SSL/TLS Client Hello, and the ADFS Server immediately resets the connection.

Since we have seen other issues caused by an incorrect SNI header, that is the first place I checked. The SNI header value is fs.fabrikam.com (Figure 4).

Fig. 4

Back on the ADFS Server I run the command netsh http show ssl and verify that this is the correct value bound to port 443 (Figure 5).

Fig. 5

This issue was a little harder to diagnose than some of the previous ones we had seen, because there was no corresponding event on the ADFS Server. We finally came to the conclusion that it was a protocol issue and found out that TLS 1.0 had been disabled on both the WAP and the ADFS Server. This has become a common practice because of recent attacks such as POODLE.

Below is a summary of the values under the following key on each server: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

ADFS Server:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000

WAP Server:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000

As you can see, TLS 1.0 was disabled for both the Server and Client sides on both machines.

Resolution

In order to get this working again we had to enable TLS 1.0 on both the WAP and the ADFS Server. Specifically, the TLS 1.0 Server side on the ADFS Server and the TLS 1.0 Client side on the WAP Server had to be enabled. We are likely to see this more often as companies become more aware of threats and attempt to lock down protocols on servers.

Update: We realized that some people may be hesitant to re-enable TLS 1.0, so we did some additional testing. It turns out that this is an issue with .NET Framework 4 not using TLS 1.1 or 1.2. By adding a single registry value on the WAP Server you can get this working with TLS 1.0 disabled and TLS 1.1 or 1.2 enabled.

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319

DWORD Value: SchUseStrongCrypto

Value: 1

Reboot the WAP Server after adding the key and you should be good to go.
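As an added example that is not part of the original post, the following PowerShell reads the SCHANNEL protocol keys summarized above and the SchUseStrongCrypto value on the local machine, so you can check both servers before the wizard fails. The registry paths are the ones given in the post; the function names and the verdict logic are my own.

```powershell
# Added example: audit SCHANNEL protocol state and the .NET 4 strong-crypto switch.
# Run on both the WAP Server and the ADFS Server and compare the two reports.
$protocolRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$netFxKey     = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
$protocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    # One row per protocol/side with the raw values and an effective-state verdict.
    foreach ($proto in $protocols) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $protocolRoot "$proto\$side"
            $enabled = $disabledByDefault = $null
            if (Test-Path $key) {
                $props             = Get-ItemProperty -Path $key
                $enabled           = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            # Enabled=0 turns the protocol off outright; DisabledByDefault=1 means an
            # application must opt in explicitly. Either one counts as "Disabled" here.
            $state = 'Enabled'
            if ($null -eq $enabled -and $null -eq $disabledByDefault) { $state = 'OS default' }
            if ($enabled -eq 0 -or $disabledByDefault -eq 1)          { $state = 'Disabled' }
            [pscustomobject]@{
                Protocol = $proto; Side = $side
                Enabled = $enabled; DisabledByDefault = $disabledByDefault; State = $state
            }
        }
    }
}

function Get-NetFxStrongCrypto {
    # SchUseStrongCrypto=1 lets .NET Framework 4 clients (such as the WAP wizard)
    # negotiate TLS 1.1/1.2 instead of stopping at TLS 1.0.
    $value = (Get-ItemProperty -Path $netFxKey -ErrorAction SilentlyContinue).SchUseStrongCrypto
    [pscustomobject]@{ Key = $netFxKey; SchUseStrongCrypto = $value; IsSet = ($value -eq 1) }
}

$report = Get-SchannelProtocolState
$report | Format-Table -AutoSize
$strong = Get-NetFxStrongCrypto
$strong | Format-List

# The failure mode in this post: TLS 1.0 is off, but .NET 4 has not been told to use TLS 1.1/1.2.
$tls10Off = $report | Where-Object { $_.Protocol -eq 'TLS 1.0' -and $_.State -eq 'Disabled' }
if ($tls10Off -and -not $strong.IsSet) {
    Write-Warning 'TLS 1.0 is disabled but SchUseStrongCrypto is not 1; .NET 4 clients on this host will fail the TLS handshake.'
}
```

Running this on the WAP Server after adding the value and rebooting should show TLS 1.0 disabled with no warning emitted.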

Note: If the information contained here was useful please let me know in the comments below. Also, if there are any corrections needed or you would like to see future content on a particular subject please let me know that as well. Thanks!

Special thanks to Ian Parramore for this research and troubleshooting!

Comments

  • Anonymous
    June 22, 2015
    very interesting
    thanks
  • Anonymous
    August 24, 2015
    Nice very helpful
  • Anonymous
    January 26, 2016
    The comment has been removed
  • Anonymous
    March 17, 2016
    Hi Keith, thanks for the great article. I am still experiencing problems I'm afraid. The SSL binding and FS name are identical. I also created the SchUseStrongCrypto Dword. I looked at the registry to see if TLS issues were there, but I cannot find any of the TLS subkeys that you mention. I only have SSL2.0 as a subkey with "Client" below it. Any ideas? Anthony.
  • Anonymous
    March 18, 2016
    The comment has been removed
  • Anonymous
    March 21, 2016
    My error said "An unexpected error occurred on a receive." instead of send, but TLS 1.0 was still the culprit. You win 10,000 internets!
  • Anonymous
    August 08, 2016
    Found this Article after 3 days of analysis... Thank you!
  • Anonymous
    March 27, 2017
    The comment has been removed
  • Anonymous
    June 07, 2017
    Great! Thanks, this reg key helped me also.
  • Anonymous
    August 15, 2017
    Hey there... well, I'm having the same problem, yet for me, the only key I have under Protocols is SSL 2.0\Client - nothing else, no TLS, nothing at all. Should I just add all the keys you said under Protocols?
  • Anonymous
    August 23, 2017
    For us it did not work.
  • Anonymous
    September 12, 2017
    you beauty, just saved my day. Thanks a lot
  • Anonymous
    September 20, 2017
    Very helpful thanks. Worked for me on my hardened new 2016 servers.