1

I've set up a new IIS 10 on Windows Server 2019 Core 1809 (LTSC).

I have set up the wmsvc service and confirmed that it is working. I was able to connect from a Remote Administration Server (Windows Server 2019) to the IIS Server via the IIS Manager through the wmsvc port, and the developers were able to use WebDeploy, which also uses wmsvc, from their Windows 10 machines.

I then went on to harden my server according to the Qualys SSL guidelines. To get a very good score on cipher suites etc., I used IISCryptoCli.

I used the following command on my IIS:

IISCryptoCli.exe /backup BackupCrypto.reg /template strict /reboot

Why did I use the strict template instead of the best template? Because it is the only one that disables the deprecated TLS 1.0 and TLS 1.1.

Now the thing is: since then I cannot connect to my IIS Manager from a remote server, and neither can the developers use WebDeploy anymore. We always get the following error when trying to connect:

The underlying connection was closed: An unexpected error occurred on a send.

I found the following site which describes the problem, and it says I have to add the following registry keys to the remote machines that want to connect, to force the TLS 1.2 protocol:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]"SchUseStrongCrypto"=dword:00000001
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]"SchUseStrongCrypto"=dword:00000001

which I did, and then rebooted the machines; however, still no luck.

I then used IISCrypto to set the TLS protocol to best on my Remote Administration Servers and rebooted them - still not working.

After that I set my IIS to the best template, which re-enabled TLS 1.0 and TLS 1.1, and rebooted my IIS - still not working.

What else can I do? How can I have only TLS 1.2 enabled, and still have a working IIS Remote Management through wmsvc?

Update:

I am starting to think that the TLS change was not the fault.

I reverted the following back:

  • I reset IIS completely by uninstalling the WAS and Web-Server features. I basically have a completely clean IIS (I can confirm that because administration.config and applicationhost.config are reset to the default state after I reinstalled WAS and Web-Server). Also, WMSVC got completely reset during this operation.
  • I uninstalled basically every program (including all .net core bundles, WebDeploy etc.)
  • I also set all TLS stuff back to default.

Still the problem persists. I find a lot of stuff on the internet where people have the same problem, but no solution... hmmm..

Update 2:

I set up a new IIS now, and made a backup basically between every step. It's really as soon as I set the strict template of IISCrypto, that everything breaks. As soon as I implement the Default Registry entries, everything works again.

... And now all of a sudden, it works when I use SchUseStrongCrypto in the two registry keys. Strange. But anyhow, I'm happy now. Looks like on my first IIS something messed up something in the registry that never got recovered.

SimonS
  • For reference, the previous duplicate question that references the solution that failed to help here: https://serverfault.com/questions/756068/webdeploy-3-6-wont-connect-with-tls-1-0-disabled – anx Apr 20 '21 at 10:26
  • Wait, after you reverted you are not back with a working system? Please compare your registry backup (saved when applying the template) with your current state! – anx Apr 20 '21 at 10:31
  • @anx the `best` template is not fully reverted. Before, no cipher suite or TLS protocol was disabled. I can go back to the default settings to confirm it's working, but the problem would still exist then, because the strict SSL support is a must for me. – SimonS Apr 20 '21 at 11:15
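An added diagnostic script (not from the post or from IIS Crypto) that separates the two failure causes discussed above: it reads the two SchUseStrongCrypto values from the question on the connecting machine, and then forces a TLS 1.2-only handshake to the wmsvc endpoint so a refusal by the server can be told apart from a .NET client that is not offering TLS 1.2. The server name is a placeholder and port 8172 is assumed as the wmsvc default.

```powershell
# Added example; run on the machine that fails to connect (IIS Manager / WebDeploy client).
param(
    [string]$Server = 'iis-server.example.local',  # placeholder, not a host from the post
    [int]$Port = 8172                              # assumed wmsvc default port
)

# 1. The two .NET Framework 4.x keys named in the question. With SchUseStrongCrypto=1,
#    .NET clients (IIS Manager, msdeploy) stop restricting themselves to SSL3/TLS 1.0.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
foreach ($k in $keys) {
    $v = (Get-ItemProperty -Path $k -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
    $state = if ($v -eq 1) { 'set to 1 (OK)' } elseif ($null -eq $v) { 'MISSING' } else { "set to $v" }
    Write-Host "$k\SchUseStrongCrypto : $state"
}

# 2. TLS 1.2-only handshake against wmsvc, independent of the .NET defaults, so the
#    result reflects what the server accepts rather than what the client offers.
#    The certificate callback accepts any certificate because this only probes the
#    handshake; wmsvc commonly uses a self-signed certificate.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($Server, $Port)
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($Server, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
    Write-Host ("TLS 1.2 handshake OK: {0}, {1} {2}-bit" -f $ssl.SslProtocol, $ssl.CipherAlgorithm, $ssl.CipherStrength)
    $ssl.Dispose()
} catch {
    # A failure here with SchUseStrongCrypto=1 on the client points at the server's
    # SCHANNEL/cipher-suite configuration, not at the client.
    Write-Host "TLS 1.2 handshake FAILED: $($_.Exception.Message)"
} finally {
    $client.Dispose()
}
```

If the handshake succeeds but IIS Manager still fails, the client-side .NET keys (part 1) are the remaining suspect; if the handshake fails, compare the server's SCHANNEL state against the BackupCrypto.reg taken before the template was applied.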

2 Answers

1

I have two 2019 servers here with IIS installed. The server A has the management service installed. On Server B I can use IIS Manager to connect to server A with the default Windows TLS settings.

I changed the TLS settings on server A using the IIS Crypto GUI to the following:

[Screenshot: IIS Crypto GUI settings on server A]

As you can see, only TLS 1.2 is enabled, all cipher suites are enabled but some could be disabled as well.

I am still able to connect from server B to server A.

I haven't tried WebDeploy.

Peter Hahndorf
  • Is it an IIS on the LTSC though? Version 1809? I suspect that only this and earlier versions could have the problem. – SimonS Apr 21 '21 at 11:41
  • Both are Eval Version, because I just set them up to test this. Build 17763 - 180914-1434 and not Core; I think the IIS Crypto GUI may run on Core. – Peter Hahndorf Apr 21 '21 at 18:51
0

I had to remove the web management role, reboot and re-add it. Enable the remote management registry key and do the WINRM service startup and set it to automatic.

I am thinking that if you install the web management service while the deprecated TLS is still enabled, it locks into that and won't let go.

I have no issues if I set my servers to TLS 1.2 only, reboot and then install the web management role.