A month ago, I was trying to implement a hybrid solution for a client, and in one of the processes, we were calling a Logic App through the Logic App Adapter available in the BizTalk Server. This is a fairly easy implementation since BizTalk Server 2020 provides amazing ways to implement hybrid solutions and expand BizTalk Server to its native out-of-the-box features.
However, when I tried this interface for the first time, I got the following error:
System.ServiceModel.Security.SecurityNegotiationException: Could not establish secure channel for SSL/TLS with authority ‘prod-xxx.northeurope.logic.azure.com’. —> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
This was the first hybrid implementation using the Logic App adapter in this environment.
📝 One-Minute Brief
When using the BizTalk Server Logic App adapter, you may encounter the error “Could not establish a secure channel for SSL/TLS with authority” while attempting to connect to Azure Logic Apps. This article explains why this TLS error occurs, focusing on certificate validation and protocol mismatches between BizTalk Server and Azure endpoints. It also highlights how outdated TLS settings or missing certificates can prevent secure communication and how to resolve the issue correctly.
Cause
BizTalk Server can use the Logic Apps adapter to receive messages from or send messages to an Azure Logic App. However, to use this adapter, we must configure TLS 1.2 as the default security protocol on the BizTalk Server. Which is not set up by default.
The good news is that since BizTalk Server 2013 CU7, TLS 1.2 is fully supported in versions of BizTalk Server.
Solution
Of course, the solution to this problem is to enable TLS 1.2.
To enable the TLS 1.2 protocol, create an Enabled entry in either the Client or Server subkey. This entry does not exist in the registry by default.
To make TLS 1.2 the default security protocol, you must manually make some registry changes. You can do that by adding the below DWORD values in our registry:
- On the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
- Create the following DWORD (32-bit):
- Name: DisabledByDefault
- Value Data: 0
- Create the following DWORD (32-bit):
- On the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
- Create the following DWORD (32-bit):
- Name: DisabledByDefault
- Value Data: 0
- Name: Enabled
- Value Data: 1
- Create the following DWORD (32-bit):
- On the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v4.0.30319]
- Create the following DWORD (32-bit):
- Name: SchUseStrongCrypto
- Value Data: 1
- Create the following DWORD (32-bit):
- On the [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft.NETFramework\v4.0.30319]
- Create the following DWORD (32-bit):
- Name: SchUseStrongCrypto
- Value Data: 1
- Create the following DWORD (32-bit):
You can also accomplish that by using the following PowerShell script:
I hope you find this helpful! If you liked the content or found it useful and want to help me write more, you can buy (or help me buy) my son a Star Wars Lego!
