Error While Configuring WAP–”The Underlying Connection Was Closed”–Part 2


Last week I ran into an issue that was similar in behavior to something I covered in a previous post. I expect we will see more calls like this, so I thought I would take some time to show you what the cause was and how to resolve it.

Problem

Running the configuration wizard on the WAP Server generates the following error:

“An error occurred when attempting to establish a trust relationship with the federation service. Error: The underlying connection was closed: An unexpected error occurred on a send.”

Figure 1 shows the error we see in the wizard.

[Fig. 1: image not included]

Data Gathering and Analysis

Checking the AD FS Admin event log on the WAP Server, we see an Event ID 393 that corresponds to the time we received the error from the wizard (Figure 2).

[Fig. 2: image not included]

I also used Netmon 3.4 to capture a trace and see what was happening on the wire. Filtering for TCP traffic from the ADFS Server shows the behavior in Figure 3.

[Fig. 3: image not included]

The TCP three-way handshake completes, the WAP Server sends an SSL/TLS Client Hello, and the ADFS server immediately resets the connection.

Since we have seen other issues caused by an incorrect SNI value, that is the first place I checked. The SNI value in the Client Hello is fs.fabrikam.com (Figure 4).

[Fig. 4: image not included]

Back on the ADFS Server I run the command netsh http show ssl and verify that this is the hostname bound to port 443 (Figure 5).

[Fig. 5: image not included]

This issue was a little harder to diagnose than some of the previous ones we had seen, because there was no corresponding event on the ADFS Server. We finally concluded that it was a protocol issue and found that TLS 1.0 had been disabled on both the WAP and the ADFS Server. Disabling older protocols has become a common practice because of recent attacks such as POODLE.

Below is a summary of the values under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols on each server.

ADFS Server:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000

WAP Server:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000

As you can see, TLS 1.0 was disabled on both the Server and Client side on both machines.

Resolution

To get this working again we had to enable TLS 1.0 on both the WAP and the ADFS Server: specifically, the TLS 1.0 Server subkey on ADFS and the TLS 1.0 Client subkey on WAP. We are likely to see this more often as companies become more aware of threats and lock down protocols on their servers.

Update: We realized that some people may be hesitant to re-enable TLS 1.0, so we did some additional testing. It turns out that this is an issue with .NET Framework 4 not using TLS 1.1 or 1.2. By adding a single registry value on the WAP Server you can get this working with TLS 1.0 disabled and TLS 1.1 or 1.2 enabled.

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319

DWORD Value: SchUseStrongCrypto

Value: 1

Reboot the WAP Server after adding the key and you should be good to go.
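The following PowerShell script is an added example (not from the original post) that audits the same two things the troubleshooting above turned on: the SCHANNEL protocol subkeys on a WAP or AD FS server and the SchUseStrongCrypto value, with an optional function to set it as described in the update. The SCHANNEL and .NETFramework paths are the ones named in the post; the Wow6432Node path (used by 32-bit .NET processes) is an addition, as is the "(default)" label for values that are not present.

```powershell
# Run in an elevated PowerShell session on the WAP or AD FS server.
$protoRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$netKeys   = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',             # from the post
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'  # 32-bit .NET (addition)
)

function Get-SchannelProtocolState {
    # One row per protocol/side. A missing value means SCHANNEL uses the OS default,
    # which is reported here as "(default)".
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path $protoRoot "$proto\$side"
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = if ($null -ne $props.Enabled) { $props.Enabled } else { '(default)' }
                DisabledByDefault = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { '(default)' }
            }
        }
    }
}

function Get-StrongCryptoState {
    # Reports whether SchUseStrongCrypto is set under each .NET Framework 4 key.
    foreach ($key in $netKeys) {
        $v = if (Test-Path $key) { (Get-ItemProperty -Path $key).SchUseStrongCrypto } else { $null }
        [pscustomobject]@{
            Key                = $key
            SchUseStrongCrypto = if ($null -ne $v) { $v } else { '(not set)' }
        }
    }
}

function Set-StrongCrypto {
    # Creates SchUseStrongCrypto = 1 (REG_DWORD), the fix from the post's update.
    foreach ($key in $netKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name SchUseStrongCrypto -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
Get-StrongCryptoState     | Format-Table -AutoSize
# Set-StrongCrypto   # uncomment to apply, then reboot the WAP Server
```

If the audit shows TLS 1.0 Client disabled on the WAP Server and SchUseStrongCrypto not set, you are looking at the exact combination that produced the wizard error above.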

Note: If the information contained here was useful please let me know in the comments below. Also, if there are any corrections needed or you would like to see future content on a particular subject please let me know that as well. Thanks!


Special thanks to Ian Parramore for this research and troubleshooting!


Comments (8)

  1. turbomcp says:

    very interesting
    thanks

  2. Rich H says:

    Nice very helpful

  3. Kyle says:

    Wow I wish I would have found this sooner. I banged my head against this issue for so long. I even found your earlier post, but it didn’t apply to me, this one didn’t pop up until I had already figured out TLS1.0 was the issue and started searching on how to make it work without it. Thanks for these posts!

  4. Anthony says:

    Hi Keith,

    Thanks for the great article. I am still experiencing problems I’m afraid. The SSL binding and FS name are identical. I also created the SchUseStrongCrypto Dword.

    I looked at the registry to see if TLS issues were there, but I cannot find any of the TLS subkeys that you mention. I only have SSL2.0 as a subkey with “Client” below it.

    Any ideas?
    Anthony.

  5. Anthony says:

    Keith,

    Seems I have found the problem. One of my WAP servers had a corrupt VMWare NIC, re-adding this NIC solved that problem. After that I ran a Wireshark and I saw that the wizard was connecting to a DNS server in DMZ, instead of the Load Balancer VIP. Apparently the customer added a proxy to the Internet Explorer config. Removing this proxy solved the problem!

    I hope that this can be helpful for other “frustrated” WAP installers :d.

  6. DubaStep says:

    My error said “An unexpected error occurred on a receive.” instead of send, but TLS 1.0 was still the culprit. You win 10,000 internets!

  7. Tobias says:

    Found this Article after 3 days of analysis…
    Thank you!

  8. Gixnic says:

    I was banging my head for a week trying to figure this out, you saved my ass! BTW, I applied the registry DWORD, rebooted the WAP server and it worked right after that.
