How to enable TLS 1.2 on ADFS – Windows Server 2012 R2 in Zoom App

This post was most recently updated on July 28th, 2022

How to Enable TLS 1.2 on ADFS – Windows Server 2012 R2

From August 2019, Zoom will no longer support the Transport Layer Security (TLS) 1.0 and 1.1 protocols and will disable their use; our web services now use TLS 1.2 or higher. As a result, ADFS servers that can only negotiate TLS 1.1 or lower will be unable to download Zoom's SAML metadata and therefore cannot complete single sign-on setup.

Zoom's Service Provider Entity will continue to function as intended; an organization that still uses TLS 1.1 or lower must enable TLS 1.2 in order to keep using Zoom.

Prerequisites for enabling TLS 1.2 on an ADFS Server (Windows Server 2012 R2)

  • In order for ADFS to function properly, the ADFS server must have a .NET Framework version greater than 4.6.2. See Microsoft's guidance on checking the installed .NET Framework version and on downloading the .NET Framework.
  • Microsoft requires at least version 6.3.9600.17031 of the Hardware Abstraction Layer (HAL) on Windows Server 2012.

Instructions

  1. Launch Windows PowerShell using the “Run as administrator” option.
  2. To allow the ADFS client to use TLS 1.2, run the following commands:
    # Create the TLS 1.2 client key and mark the protocol enabled and on by default
    New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -Value 1 -PropertyType 'DWord' -Force | Out-Null
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord' -Force | Out-Null
    Write-Host 'TLS 1.2 has been enabled.'
  3. To enable strong cryptography (SchUseStrongCrypto) for .NET Framework applications, run the following command:
    # Makes .NET Framework 4.x clients, including ADFS, prefer TLS 1.2 when connecting
    New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value 1 -PropertyType 'DWord' -Force | Out-Null
  4. Optionally, the following commands disable SSL 3.0 on the ADFS client:
    # Create the SSL 3.0 client key and mark the protocol disabled
    New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Force | Out-Null
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Name 'Enabled' -Value 0 -PropertyType 'DWord' -Force | Out-Null
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force | Out-Null
    Write-Host 'SSL 3.0 has been disabled.'
  5. Finally, close all ADFS management windows, reopen the management console, and try importing the metadata again.
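To confirm that the steps above took effect, that the prerequisites are met, and that a TLS 1.2 connection now succeeds from the server, here is an added verification script; it is not from Zoom's article, the metadata URL is a placeholder for your own, and the Wow6432Node copy of SchUseStrongCrypto is an assumption included because 32-bit .NET processes read that key instead.

```powershell
# Added example, not from Zoom's article: verify the prerequisites and the
# registry state set by the steps above, then confirm a TLS 1.2 fetch works.
# $MetadataUrl is a placeholder; supply your own SP metadata URL.
param([string]$MetadataUrl = 'https://sp.example.com/saml/metadata')

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}
function Write-Check([bool]$Ok, [string]$Message) {
    $tag = if ($Ok) { 'OK  ' } else { 'FAIL' }
    Write-Host ("[{0}] {1}" -f $tag, $Message)
}

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$netfx    = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
$netfx32  = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'  # assumption: 32-bit .NET twin
# Absent values are reported as FAIL because the procedure creates them explicitly
$checks = @(
    @{ Path = "$schannel\TLS 1.2\Client"; Name = 'Enabled';            Expect = 1 },
    @{ Path = "$schannel\TLS 1.2\Client"; Name = 'DisabledByDefault';  Expect = 0 },
    @{ Path = "$schannel\SSL 3.0\Client"; Name = 'Enabled';            Expect = 0 },
    @{ Path = $netfx;                     Name = 'SchUseStrongCrypto'; Expect = 1 },
    @{ Path = $netfx32;                   Name = 'SchUseStrongCrypto'; Expect = 1 }
)
foreach ($c in $checks) {
    $actual = Get-RegValue $c.Path $c.Name
    Write-Check ($actual -eq $c.Expect) ("{0}\{1} = {2} (expected {3})" -f $c.Path, $c.Name, $actual, $c.Expect)
}

# .NET Framework 4.6.2 or later: the Release DWORD is 394802 or higher
$release = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' 'Release'
Write-Check ($release -ge 394802) ".NET Framework Release=$release (4.6.2 is 394802)"

# HAL version the article requires for Windows Server 2012 (6.3.9600.17031)
$vi  = (Get-Item "$env:SystemRoot\System32\hal.dll").VersionInfo
$hal = New-Object Version ($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
Write-Check ($hal -ge [Version]'6.3.9600.17031') "hal.dll version $hal"

# Prove that a TLS 1.2-only connection from this host succeeds
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
try {
    $resp = Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing -ErrorAction Stop
    Write-Check $true ("TLS 1.2 fetch of {0} returned HTTP {1}" -f $MetadataUrl, $resp.StatusCode)
} catch {
    Write-Check $false ("TLS 1.2 fetch of {0}: {1}" -f $MetadataUrl, $_.Exception.Message)
}
```

Run it from an elevated PowerShell session on the ADFS server; a FAIL line on the final check after the registry checks pass usually means the new values have not been picked up yet or the server cannot reach the URL at all.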