Force Remote IIS Manager to connect through TLS 1.2
I’ve set up a new IIS 10 on Windows Server 2019 Core 1809 (ltsc).
I have set up the wmsvc service and confirmed that it is working. I was able to connect from a Remote Administration Server (Windows Server 2019) to the IIS Server via the IIS Manager through the wmsvc port, and the developers were able to use WebDeploy, which also uses wmsvc, from their Windows 10 machines.
I used the following command on my IIS:
IISCryptoCli.exe /backup BackupCrypto.reg /template strict /reboot
Why did I use the strict template instead of the best template? Because it is the only one that disables the deprecated TLS 1.0 and TLS 1.1.
Now the thing is – since then I cannot connect to my IIS Manager from a RemoteServer, and neither can the developers use WebDeploy anymore. We always get the following error when trying to connect:
The underlying connection was closed: An unexpected error occurred on
I found the following site which describes the problem, and it says I have to add the following registry keys to the remote machines that want to connect, to force a TLS 1.2 protocol:
which I did and then rebooted the machines, however – still no luck.
I then used IISCrypto to set the TLS protocol to best on my Remote Administration Servers and rebooted them – still not working.
After that I set my IIS to the best template, which reenabled TLS 1.0 and TLS 1.1, and rebooted my IIS – still not working.
What else can I do? How can I have only TLS 1.2 enabled, and still have a working IIS Remote Management through
I am starting to think that the TLS change was not the fault.
I reverted the following back:
- I reset IIS completely by uninstalling Web-Server Feature, I basically have a completely clean IIS (I can confirm that because applicationhost.config is reset to the default state, after I reinstalled Web-Server.) Also the WMSVC got completely reset during this operation
- I uninstalled basically every program (including all .net core bundles, WebDeploy etc.)
- I also set all TLS stuff back to default.
Still the problem persists. I find a lot of stuff on the internet where people have the same problem, but no solution… hmmm..
I set up a new IIS now, and made a backup basically between every step.
It’s really as soon as I set the strict template of IISCrypto, that everything breaks. As soon as I implement the Default Registry entries, everything works again.
… And now all of a sudden, it works when I use SchUseStrongCrypto in the two registry keys. Strange. But anyhow I’m happy now. Looks like on my first IIS something messed up something in the registry that never got recovered.
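A read-only check for the settings discussed in the question above, as an added example that is not part of the original post: it reports SchUseStrongCrypto in both .NET Framework 4.x registry views together with the Schannel protocol state, so the administration machine and the IIS server can be compared side by side. The registry paths are the ones Microsoft documents; that they are the "two registry keys" the poster means is an assumption, and Get-RegValue and Get-TlsAudit are names made up for this example.

```powershell
# Added example (read-only): report the registry settings that decide whether
# .NET Framework clients such as IIS Manager and Web Deploy can negotiate TLS 1.2.
# Assumption: the "two registry keys" are the 64-bit and 32-bit .NET 4.x keys below.
$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Emits nothing ($null) when the key or value is absent, so the default applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-TlsAudit {
    foreach ($key in $netKeys) {
        # SystemDefaultTlsVersions is not mentioned in the post; it is the related
        # documented value that lets .NET defer to the OS protocol defaults.
        foreach ($name in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
            $value = Get-RegValue -Path $key -Name $name
            $state = if ($null -eq $value) { 'not set' } else { "$value" }
            [pscustomobject]@{
                Area    = '.NET Framework'
                Setting = "$key\$name"
                State   = $state
                Review  = ($value -ne 1)   # anything other than 1 deserves a look
            }
        }
    }
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Client', 'Server') {
            $enabled = Get-RegValue -Path "$schannel\$proto\$role" -Name 'Enabled'
            # Tools write 1 or 0xFFFFFFFF for "enabled", so compare against 0 only.
            $state = if ($null -eq $enabled) { 'OS default' } elseif ($enabled -eq 0) { 'disabled' } else { 'enabled' }
            # Flag TLS 1.2 when it is off, and the older protocols when they are not off.
            $review = if ($proto -eq 'TLS 1.2') { $state -eq 'disabled' } else { $state -ne 'disabled' }
            [pscustomobject]@{
                Area    = 'Schannel'
                Setting = "$proto $role"
                State   = $state
                Review  = $review
            }
        }
    }
}

Get-TlsAudit | Format-Table -AutoSize -Wrap
```

A server that shows TLS 1.0 and 1.1 as disabled paired with a client where SchUseStrongCrypto is not set matches the failure described in the question.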
I have two 2019 servers here with IIS installed. The server A has the management service installed. On Server B I can use IIS Manager to connect to server A with the default Windows TLS settings.
I changed the TLS settings on server A using the IIS Crypto GUI to the following:
As you can see, only TLS 1.2 is enabled, all cipher suites are enabled but some could be disabled as well.
I am still able to connect from server B to server A.
I haven’t tried