Okta ends browser support for TLS 1.1


At Okta, we know that our dependable service is integral to the important work you're doing. Ensuring the security of your environment is a top priority. On February 13, 2018, we informed you of Okta's plan to align to industry standard best practices and make infrastructure changes to our support of Transport Layer Security (TLS). Specifically, effective August 1, 2018, Okta will only support TLS 1.2 connections and will stop support of TLS 1.0 and 1.1 due to security vulnerabilities.

This article describes the changes you may need to make for Microsoft Internet Explorer browsers in your organization. For TLS 1.2-related information on all Okta products and agents, as well as the schedule, see Migrating to TLS 1.2.


How this might affect your org

Browser versions

  • Most affected: Internet Explorer 10 is not configured to use TLS 1.2 by default. To keep using IE 10 (and embedded browsers on systems running IE 10) with Okta, you must enable TLS 1.2 in the browser (Tools > Internet Options > Advanced > Security > Use TLS 1.2). You can use a management tool such as Group Policy to update the IE setting on multiple workstations throughout your enterprise; for details, see Update IE on multiple workstations below.
  • Internet Explorer 11 uses TLS 1.2 by default. If your IE 11 browsers have been changed to use only TLS 1.1 or earlier, you must re-enable TLS 1.2 (Tools > Internet Options > Advanced > Security).
  • Clients that embed the IE browser engine (such as Microsoft Office 2016 thick clients) follow the IE protocol settings of the system they run on, so they work correctly once IE is configured to use TLS 1.2. Because IE 10 is not configured to use TLS 1.2 by default, clients with embedded IE 10 browsers will fail with an error unless TLS 1.2 has been enabled.
  • Edge – All versions of Edge are pre-configured to use TLS 1.2.
  • Chrome, Firefox, and Safari – All recent versions of these browsers are pre-configured to use TLS 1.2.

Update Windows registry if you disabled TLS 1.2 through the registry

You need to update the Windows registry only if TLS 1.2 was disabled through the registry (the SCHANNEL keys below). If this applies to workstations in your org, set the following values so that your end users retain access to Okta and Okta-managed apps. SCHANNEL reads these keys at boot, so a restart is required for the change to take effect.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
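The following script is an added example and is not part of the Okta article. It reads the two SCHANNEL keys listed above for both the Client and Server roles, reports whether TLS 1.2 is explicitly blocked there, and with the -Fix switch writes the values from the article. The key path and value names are the ones shown above; the interpretation (an absent key means the Windows default applies, an explicit Enabled=0 or DisabledByDefault=1 blocks the protocol) is the standard SCHANNEL behaviour. Run it from an elevated PowerShell prompt and reboot afterwards.

```powershell
# Added example, not from the Okta article: audit the SCHANNEL TLS 1.2 keys for the
# Client and Server roles and, with -Fix, write the values the article prescribes.
# Run from an elevated PowerShell; SCHANNEL changes need a reboot to take effect.
param([switch]$Fix)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'

foreach ($role in 'Client', 'Server') {
    $key = Join-Path $base $role
    if (-not (Test-Path $key)) {
        # No key at all: nothing was overridden here, the Windows default for this OS applies.
        Write-Output "$role : key absent, Windows default applies"
        continue
    }
    $p = Get-ItemProperty -Path $key
    # TLS 1.2 is blocked only if Enabled is explicitly 0 or DisabledByDefault is explicitly non-zero.
    $blocked = (($null -ne $p.Enabled) -and ($p.Enabled -eq 0)) -or
               (($null -ne $p.DisabledByDefault) -and ($p.DisabledByDefault -ne 0))
    Write-Output ('{0} : Enabled={1} DisabledByDefault={2} -> {3}' -f $role, $p.Enabled, $p.DisabledByDefault,
        $(if ($blocked) { 'TLS 1.2 DISABLED' } else { 'TLS 1.2 allowed' }))
    if ($Fix -and $blocked) {
        Set-ItemProperty -Path $key -Name Enabled -Value 1 -Type DWord
        Set-ItemProperty -Path $key -Name DisabledByDefault -Value 0 -Type DWord
        Write-Output "$role : wrote Enabled=1, DisabledByDefault=0 (reboot to apply)"
    }
}
```

Run it without -Fix first to see what a workstation actually has; a Client key with Enabled=0 is the case the article's registry values are meant to correct.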

Update IE on multiple workstations

If appropriate for your environment, you can use a management tool such as Group Policy (a GPO) to update IE options on multiple workstations throughout your enterprise.

(From a procedure entitled Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy in this Microsoft article):

  1. Open Group Policy Management.
  2. In the Group Policy Management Editor, browse to Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page > Turn off encryption support.
  3. Double-click the Turn off encryption support setting to edit it.
  4. Click Enabled.
  5. In the Options window, change the Secure Protocol combinations setting to one that includes TLS 1.2, such as Use TLS 1.0, TLS 1.1, and TLS 1.2.

    Note: Select consecutive versions. Skipping a version (for example, checking TLS 1.0 and 1.2 but not 1.1) can result in connection errors.

  6. Click OK.
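The IE check boxes from the Browser versions section and the Group Policy setting above both end up in one registry value: a DWORD named SecureProtocols under Internet Settings, in which each protocol is one bit. The script below is an added example, not part of the Okta article. It decodes that bitmask from the current user's Internet Options and from the machine and user policy keys that the Internet Explorer administrative template writes for "Turn off encryption support", flags a mask without TLS 1.2 and the non-consecutive selection the note above warns about, and with -Fix turns on TLS 1.2 for the current user. Assumptions: the bit values (SSL 2.0 = 0x8, SSL 3.0 = 0x20, TLS 1.0 = 0x80, TLS 1.1 = 0x200, TLS 1.2 = 0x800) and the three registry paths are the standard IE ones; when no explicit user value exists the script writes the TLS 1.0, 1.1 and 1.2 combination the procedure recommends.

```powershell
# Added example, not from the Okta article: decode the IE "Use TLS x.y" check boxes.
# IE stores them as one DWORD bitmask, SecureProtocols; a copy under the Policies
# hive (written by the "Turn off encryption support" GPO) overrides the user's value.
param([switch]$Fix)

$flags = [ordered]@{
    'SSL 2.0' = 0x008
    'SSL 3.0' = 0x020
    'TLS 1.0' = 0x080
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}
$userKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
)

function Get-SecureProtocols([string]$Path) {
    if (-not (Test-Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
}

function Format-SecureProtocols([int]$Mask) {
    $names = foreach ($f in $flags.GetEnumerator()) { if ($Mask -band $f.Value) { $f.Key } }
    $problems = @()
    if (-not ($Mask -band $flags['TLS 1.2'])) { $problems += 'TLS 1.2 not enabled' }
    # The GPO note: TLS 1.0 and 1.2 checked without 1.1 is a non-consecutive selection.
    if (($Mask -band $flags['TLS 1.0']) -and ($Mask -band $flags['TLS 1.2']) -and -not ($Mask -band $flags['TLS 1.1'])) {
        $problems += 'non-consecutive selection (TLS 1.1 skipped)'
    }
    '0x{0:X} = {1}{2}' -f $Mask, ($names -join ', '),
        $(if ($problems) { ' [' + ($problems -join '; ') + ']' } else { ' [OK]' })
}

foreach ($k in $policyKeys + $userKey) {
    $mask = Get-SecureProtocols $k
    if ($null -eq $mask) { Write-Output "$k : not set"; continue }
    Write-Output ('{0} : {1}' -f $k, (Format-SecureProtocols $mask))
}

if ($Fix) {
    if ($policyKeys | Where-Object { $null -ne (Get-SecureProtocols $_) }) {
        Write-Warning 'A policy value is present and overrides Internet Options; change the GPO instead.'
    } else {
        $current = Get-SecureProtocols $userKey
        if ($null -eq $current) {
            # No explicit value: IE's built-in default is in use. Start from the
            # "TLS 1.0, TLS 1.1, and TLS 1.2" combination the procedure recommends.
            $current = $flags['TLS 1.0'] -bor $flags['TLS 1.1'] -bor $flags['TLS 1.2']
        }
        $new = $current -bor $flags['TLS 1.2']
        Set-ItemProperty -Path $userKey -Name SecureProtocols -Value $new -Type DWord
        Write-Output ('Set {0} SecureProtocols to {1}' -f $userKey, (Format-SecureProtocols $new))
    }
}
```

Because -Fix only ORs in the TLS 1.2 bit, it leaves any other check boxes as they were; when a policy value is present the script refuses to change the user key, since the policy copy would win anyway and the GPO is the place to fix it.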

Enable TLS 1.2 on .NET

TLS 1.2 is supported by .NET Framework 4.6 and later; applications that target an earlier framework version still need the SchUseStrongCrypto registry value described below in order to use it. To determine the version of .NET installed on your system:

  1. Open the registry using regedit.exe.
  2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319

    Note: The last number might be slightly different.

    If that key is missing, .NET 4.6 is not installed.

  3. Under that key, open the SKUs subkey and look for a subkey named .NETFramework,Version=v4.6.

    If that subkey is not present, .NET 4.6 is not installed on the system.

The link to .NET 4.6.2 installer is: https://www.microsoft.com/en-us/download/details.aspx?id=53344.

To make .NET use TLS 1.2, edit the registry as follows:

  1. Open the registry using regedit.exe.
  2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319.

    Note: The last number might be slightly different.

  3. Under that key, add a DWORD value named SchUseStrongCrypto with data 1, as shown below.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "AspNetEnforceViewStateMac"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001

    On 64-bit Windows, add the same value under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 as well, so that 32-bit .NET applications also pick it up. A running .NET application reads the value only when it starts, so restart affected applications after the change.

Note: If you are using AD FS, you must restart the AD FS service (adfssrv) after enabling TLS 1.2 on .NET; the running service does not pick up the change otherwise.
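The script below is an added example, not part of the Okta article, that carries out the whole .NET procedure above from PowerShell: it performs the article's SKUs check, cross-checks it against the Release value Microsoft documents for detecting the installed .NET Framework 4.x build (393295 or higher is 4.6 or later), reports SchUseStrongCrypto in both the 64-bit and the 32-bit (Wow6432Node) registry views, and with -Fix sets it to 1 and restarts AD FS if its service (adfssrv) is installed. The Release threshold, the Wow6432Node path and the service name are taken from Microsoft's documentation rather than from the article. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the Okta article: check the installed .NET Framework 4.x
# build and the SchUseStrongCrypto value, and with -Fix set it to 1 in both the 64-bit
# and the 32-bit (Wow6432Node) registry views. Run from an elevated PowerShell.
param([switch]$Fix)

# 1. The article's check: does the v4.6 SKU subkey exist under v4.0.30319?
$skuKey = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SKUs\.NETFramework,Version=v4.6'
Write-Output ('v4.6 SKU key present: {0}' -f (Test-Path $skuKey))

# 2. Cross-check with the Release value Microsoft documents for version detection:
#    393295 is .NET Framework 4.6 (Windows 10 build); higher values are later builds.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
if ($null -eq $ndp -or $null -eq $ndp.Release) {
    Write-Output 'No .NET Framework 4.x installation found'
    return
}
$minRelease = 393295
Write-Output ('Release={0} -> {1}' -f $ndp.Release,
    $(if ($ndp.Release -ge $minRelease) { '4.6 or later, TLS 1.2 capable' } else { 'older than 4.6, install 4.6+ first' }))

# 3. SchUseStrongCrypto must be set in both views: the Wow6432Node key is the one
#    32-bit .NET processes read on 64-bit Windows (it does not exist on 32-bit Windows).
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
foreach ($k in $keys) {
    if (-not (Test-Path $k)) { Write-Output "$k : absent"; continue }
    $val = (Get-ItemProperty -Path $k -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
    Write-Output ('{0} : SchUseStrongCrypto={1}' -f $k, $(if ($null -eq $val) { '(not set)' } else { $val }))
    if ($Fix -and $val -ne 1) {
        Set-ItemProperty -Path $k -Name SchUseStrongCrypto -Value 1 -Type DWord
        Write-Output "$k : set SchUseStrongCrypto=1"
    }
}

# 4. .NET processes read the value at start-up, so restart AD FS where it is installed.
if ($Fix -and (Get-Service -Name adfssrv -ErrorAction SilentlyContinue)) {
    Restart-Service -Name adfssrv
    Write-Output 'Restarted the AD FS service (adfssrv)'
}
```

The Release check matters because the SKUs subkey reflects what was installed, not necessarily what the runtime currently is; if the two disagree, trust the Release value.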