This article applies to:
Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
Exchange 2013, Exchange 2016
You experience connectivity issues in Outlook or third-party applications when connecting to your Exchange server.
In the Windows System event log on the Exchange server machine, you see Schannel error 36784 with the following message:
An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed.
The TLS encryption protocol is not enabled on your Windows Server. This may cause applications that connect over HTTPS with TLS encryption to fail on connection.
You can easily determine which protocols are enabled by having a look at the following registry key:
In the following example you will see that TLS is not enabled (only SSL 2.0 is).
Enable TLS support on your Windows Server.
This is done by editing Windows Registry keys. However, for an average Windows administrator this is a fairly complex and time-consuming task. The reason: besides enabling the TLS protocol itself, you need to know which combination of encryption ciphers, hashes and key exchanges needs to be enabled as well. This gives a lot of possible combinations, plus you need to know which older protocols need to be turned off in order to comply with best practices. And then you would need to configure all of those via registry keys.
To save you this pain, I recommend using a free utility named IIS Crypto 2.0 from Nartac Software. This tool allows you to quickly configure TLS settings according to Microsoft Best Practices with the press of a button. In addition, IIS Crypto allows you to define your own configuration templates. This comes in very handy if you have to configure those settings on many servers.
To enable TLS:
1. Start the tool and click on the Best Practices button which will present you with options similar to this one:
2. Select Apply.
3. Reboot the server for configuration changes to become effective.
The tool will disable support for older encryption technologies. This is a good security practice; however, if you still have legacy applications in your organization that require older SSL protocols, make sure that those are selected as well. Otherwise you might cut off such legacy applications.
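To check what Schannel is configured to accept, either before making the change or after the reboot in step 3, the protocol settings can be read from PowerShell. This is an added example, not part of the original article or of IIS Crypto; it assumes the standard Schannel Protocols registry key documented by Microsoft, and the function names are made up for illustration.

```powershell
# Added example: report the Schannel protocol state on the local server.
# Assumption: the standard Schannel "Protocols" key documented by Microsoft.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is missing; in that case
    # Windows falls back to the built-in default for this OS version.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-SchannelProtocolState {
    param([string[]]$Protocol = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($p in $Protocol) {
        # "Server" governs inbound connections (Outlook to Exchange);
        # "Client" governs outbound connections made by this machine.
        foreach ($role in 'Server', 'Client') {
            $key     = Join-Path (Join-Path $root $p) $role
            $enabled = Get-SchannelValue -Path $key -Name 'Enabled'
            $dbd     = Get-SchannelValue -Path $key -Name 'DisabledByDefault'

            # Any non-zero Enabled value means "on" (tools commonly write 0xffffffff).
            if ($null -eq $enabled) { $state = 'OS default (not configured)' }
            elseif ($enabled -ne 0) { $state = 'Enabled' }
            else                    { $state = 'Disabled' }

            [pscustomobject]@{
                Protocol          = $p
                Role              = $role
                State             = $state
                Enabled           = $enabled
                DisabledByDefault = $dbd
            }
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
```

A protocol reported as "OS default (not configured)" has no explicit registry setting, so whether it is usable depends on the Windows Server version rather than on this key.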