Monday, 16 October 2023

Certificate Connector for Microsoft Intune - Could not create SSL/TLS secure channel

We have the Certificate Connector for Microsoft Intune (v6.2301.1.0) installed on a Server 2019 box and were hitting errors in the CertificateConnector Operational event logs for the PKI Revoke Service and the PKI Create Service looking like this:

Error 5001 - HealthMessageUploadFailedAttempt

Pki Revoke Service:
Failed to upload health messages. Requeuing messages
System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---

Error 3003 - RevokeDownloadFailure

Pki Revoke Service:
Failed to download Revocation requests.
ActivityId: xxxx
System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---

Error 2 - Exception

Pki Create Service:
Microsoft.Intune.Connectors.Pki.AgentRenewalProcessor.Process threw an exception.
System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---

After a bit of time with our GPO's to see what might have been the cause and Wireshark'ing packets, it came down to a setting enabling the TLSv1.3 protocol in the registry in one GPO. While it's not supported in this version of the OS, but the following was set as a catch for one day when it might be:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]

"Enabled"=dword:00000001

"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server]

"Enabled"=dword:00000000

"DisabledByDefault"=dword:00000001

Delete those 4 lines from either the GPO or the registry and the PKI Revoke service will it start downloading and uploading correctly. I can only assume that the app was written to try TLSv1.3 if it is mentioned in the registry and it will fail (at this time). Perhaps one day when TLSv1.3 is supported in Server 2019, it might work properly. Hope this helps someone else out there.


No comments:

Post a Comment