ADFS stop working

Question

So I tried to secure our domain controllers with a narrowed list of Ciphers and now the Office 365 ADFS is broken for Chrome and Firefox. I need some help trying to figure out how to put it back. I used a GPO to narrow the list and I have unlinked that GPO from the OU and still the problem persists.

Does anyone have any ideas?

Here is the list of Ciphers I narrowed it down to...

TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_NULL_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521

We are also getting a lot of TLS 1.0, 1.2 errors in the event log. — Brill, Mar 20 '19 at 15:23
Somehow magically the external access to our federation page works... Still looking at internal reason. — Brill, Mar 20 '19 at 18:14
The internal I found that the IISCrypto help me see some Cipher suites were not enabled. So I enabled all of them and it works. I guess I will disable one at a time to find out which ones I need. — Brill, Mar 21 '19 at 12:13
Maybe try applying the Server Defaults template or use the Best Practices button. — joeqwerty, Mar 21 '19 at 12:42

score 0 · Answer 1 · answered Mar 20 '19 at 20:54

Make sure the GPO is not being applied to the ADFS servers by opening group policy management and right clicking on the group policy results at the bottom, select group policy results wizard, select the server and the user you wish to get the report for. If the GPO is still being applied, force a gpupdate. You might also need to reboot the ADFS servers. I'm assuming your ADFS is using one of the ciphers you disabled. You can change these in the registry on the server themselves if you like. Here is a list of what you need to know.

I did this already which is why I was frustrated and posted. — Brill, Mar 22 '19 at 14:06

ADFS stop working

1 Answers1