This article applies to:
Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
Exchange 2013, Exchange 2016
PROBLEM
You experience connectivity issues in Outlook or third-party applications when connecting to your Exchange server.
In the Windows System event log on the Exchange server, you see Schannel error 36784 with the following message:
An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed.
CAUSE
The TLS protocol is not enabled on your Windows Server. This can cause applications that connect over HTTPS using TLS encryption to fail at connection time.
You can easily determine which protocols are enabled by having a look at the following registry key:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
In the following example you will see that TLS is not enabled (only SSL 2.0):
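As an added illustration (not part of the original article), the following PowerShell script reads the registry path above and reports the state of each protocol for both the Server and Client sides. The Enable-SchannelProtocol function is a hypothetical helper for the manual fix and is not called unless you uncomment the last line.

```powershell
# Added example, not from the original article: audit the Schannel protocol keys
# the article refers to. Windows semantics: under each protocol there may be a
# "Server" and a "Client" subkey holding "Enabled" (0 = off, any other value = on)
# and "DisabledByDefault" (1 = not offered unless the application asks for it).
# A missing subkey means the operating-system default for that protocol applies.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    param([string]$Protocol, [ValidateSet('Server', 'Client')][string]$Side)
    $key = Join-Path $Base "$Protocol\$Side"
    if (-not (Test-Path $key)) { return 'OS default (key missing)' }
    $props = Get-ItemProperty -Path $key
    if ($props.PSObject.Properties['Enabled'] -and $props.Enabled -eq 0) {
        return 'Disabled (Enabled=0)'
    }
    if ($props.PSObject.Properties['DisabledByDefault'] -and $props.DisabledByDefault -eq 1) {
        return 'Not offered by default (DisabledByDefault=1)'
    }
    return 'Enabled'
}

# Hypothetical helper for the manual fix: create the keys for one protocol and
# mark it enabled on both sides. Requires an elevated session; reboot afterwards.
function Enable-SchannelProtocol {
    param([string]$Protocol)
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $Base "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled' -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

# Report: one row per protocol; on a correctly configured server TLS 1.2 reads
# "Enabled" on both sides and SSL 2.0 / SSL 3.0 read "Disabled (Enabled=0)".
foreach ($p in $Protocols) {
    [pscustomobject]@{
        Protocol = $p
        Server   = Get-SchannelProtocolState -Protocol $p -Side 'Server'
        Client   = Get-SchannelProtocolState -Protocol $p -Side 'Client'
    }
}

# Uncomment to enable TLS 1.2 by hand instead of using IIS Crypto:
# Enable-SchannelProtocol -Protocol 'TLS 1.2'
```

The audit part only reads the registry and can be run on any server; the helper only enables the protocol itself and does not adjust cipher suites, hashes or key exchanges, which is the part of the job the tool recommended below takes care of.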
SOLUTION
Enable TLS support on your Windows Server.
This is done by editing Windows Registry keys. However, for an average Windows administrator this is a fairly complex and time-consuming task. Reason: besides enabling the TLS protocol itself, you need to know which combination of encryption ciphers, hashes and key exchanges needs to be enabled as well. This gives a lot of possible combinations, plus you need to know which older protocols need to be turned off in order to be compliant with best practices. And then you would need to configure all of those via registry keys.
To save you this pain, I recommend using a free utility named IIS Crypto 2.0 from Nartac Software. This tool allows you to quickly configure TLS settings according to Microsoft best practices at the press of a button. In addition, IIS Crypto also allows you to define your own configuration templates. This comes in very handy if you have to configure those settings on many servers.
To enable TLS:
1. Start the tool and click on the Best Practices button, which will present you with options similar to this one:
2. Select Apply.
3. Reboot the server for configuration changes to become effective.
Important note:
The tool will disable support for older encryption technologies. This is good security practice; however, if you still have legacy applications in your organization that require older SSL protocols, make sure that those are selected as well. Otherwise you might cut off such legacy applications.
The above suggested package will not load into WS2016.
Hello Donald,
Don’t forget to start it with the “Run as Administrator” option.
Thank you very much for this article Dejan, it saved me a lot of time.
Kind regards,
Arif
Thank you. This solution saved me a lot of time.