BizTalk Server Logic App Adapter: Could not establish secure channel for SSL/TLS with authority

A month ago, I was trying to implement a hybrid solution for a client, and in one of the processes, we were calling a Logic App through the Logic App Adapter available in BizTalk Server. This is a fairly easy implementation since BizTalk Server 2020 provides amazing ways to implement hybrid solutions and extend BizTalk Server beyond its native out-of-the-box features.

However, when I tried this interface for the first time, I got the following error:

System.ServiceModel.Security.SecurityNegotiationException: Could not establish secure channel for SSL/TLS with authority 'prod-xxx.northeurope.logic.azure.com'. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.

This was the first hybrid implementation using the Logic App adapter in this environment.

Cause

BizTalk Server can use the Logic Apps adapter to receive messages from or send messages to an Azure Logic App. However, to use this adapter, we must configure TLS 1.2 as the default security protocol on the BizTalk Server machine, and it is not set up that way by default.

The good news is that TLS 1.2 has been fully supported in BizTalk Server since BizTalk Server 2013 CU7.

Solution

Of course, the solution to this problem is to enable TLS 1.2.

To enable the TLS 1.2 protocol, create an Enabled entry in either the Client or Server subkey. This entry does not exist in the registry by default.

To make TLS 1.2 the default security protocol, you must manually make some registry changes. You can do that by adding the DWORD values below to the registry:

  • On the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    • Create the following DWORD (32-bit):
      • Name: DisabledByDefault
      • Value Data: 0
  • On the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    • Create the following DWORD (32-bit):
      • Name: DisabledByDefault
      • Value Data: 0
      • Name: Enabled
      • Value Data: 1
  • On the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    • Create the following DWORD (32-bit):
      • Name: SchUseStrongCrypto
      • Value Data: 1
  • On the [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
    • Create the following DWORD (32-bit):
      • Name: SchUseStrongCrypto
      • Value Data: 1

You can also accomplish that by using the following PowerShell script:
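An added example (not the author's original script) that applies exactly the registry values listed above from an elevated PowerShell session and reports what it changed. The helper name Set-RegistryDword is hypothetical, and the restart warning is an assumption based on how SCHANNEL protocol settings are normally picked up.

```powershell
#Requires -RunAsAdministrator
# Added example: applies the registry values listed in this post.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$netFx    = 'Microsoft\.NETFramework\v4.0.30319'

# Path / Name / Value entries, mirroring the list above one to one.
$settings = @(
    @{ Path = "$schannel\Client";                  Name = 'DisabledByDefault';  Value = 0 }
    @{ Path = "$schannel\Server";                  Name = 'DisabledByDefault';  Value = 0 }
    @{ Path = "$schannel\Server";                  Name = 'Enabled';            Value = 1 }
    @{ Path = "HKLM:\SOFTWARE\$netFx";             Name = 'SchUseStrongCrypto'; Value = 1 }
    @{ Path = "HKLM:\SOFTWARE\Wow6432Node\$netFx"; Name = 'SchUseStrongCrypto'; Value = 1 }
)

# Hypothetical helper: creates the key if it is missing and writes the
# DWORD only when the current value differs, so re-running is harmless.
function Set-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value)

    # Only create the key when absent; New-Item -Force on an existing key would reset it.
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }

    # $current is $null when the value does not exist yet.
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    $changed = $current -ne $Value
    if ($changed) {
        New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
    }

    [pscustomobject]@{
        Path = $Path; Name = $Name; Before = $current; After = $Value; Changed = $changed
    }
}

$results = foreach ($s in $settings) { Set-RegistryDword @s }
$results | Format-Table -AutoSize -Wrap

if ($results.Changed -contains $true) {
    # Assumption: SCHANNEL protocol settings are read at startup.
    Write-Warning 'Registry values changed. Restart the server before testing the Logic App adapter again.'
}
```

The Before column shows the previous state of each value, which is worth keeping as a record of the change on that server.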

I hope you find this helpful!

Author: Sandro Pereira
