SharePoint – Connecting MIM to SharePoint over HTTPS

Consider the following scenario:

  • You set up Microsoft Identity Manager (MIM) 2016.
  • You install the SharePoint Connector software and create a SharePoint Management Agent (MA).
  • On the “Connectivity” page of the SharePoint MA, you attempt to create a connection to a SharePoint 2016 or 2019 farm using an HTTPS (SSL / TLS) address.
  • The connection fails with error: “Unable to connect to SharePoint Web Services. The underlying connection was closed: An unexpected error occurred on a send.”

Troubleshooting:

First, start by testing general connectivity from the MIM server to the SharePoint user profile import / export web service (profileimportexportservice.asmx). You can do that by opening a browser on the MIM box and navigating to the SharePoint import / export web service. This is the same web service that MIM is trying to connect to when you click “ok” on the “Connectivity” page of the MA. Example web service URL: https://YourCentralAdminURL/_vti_bin/profileimportexportservice.asmx

This is what it should look like:

Make sure that you’re able to connect via a browser from the MIM server, and there are no certificate warnings or errors.

If that works, it’s likely that the TLS 1.0 protocol was disabled on the SharePoint server.

Your browser will typically use TLS 1.2, whereas MIM 2016 appears to use TLS 1.0 by default.

If you have security conscious SharePoint admins, they would have disabled TLS 1.0 on the SharePoint servers by following this article, in which case, any connections attempted using that protocol are rejected.

That should explain why a browser works, but MIM doesn’t when connecting to the same web service from the same box.

This is what that looks like in a network trace taken from the MIM server:

– After successfully establishing a TCP connection on port 443, the MIM server tries to initiate an SSL Handshake by sending a “Client Hello”.

– We can see here that it’s attempting to use the TLS 1.0 protocol:

The SharePoint server has been configured to reject TLS 1.0 connection attempts, so it simply sends a Reset packet. The connection fails, and MIM throws the “The underlying connection was closed: An unexpected error occurred on a send” error.
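If you would rather confirm this without taking a network trace, the following PowerShell script (an added example, not part of the original article) probes the Central Admin host from the MIM server with one handshake per TLS version and reports which ones the server accepts. It also prints the .NET ServicePointManager default that a .NET application such as MIM inherits when nothing forces TLS 1.2. The function and parameter names are this example's own; replace the host placeholder with your Central Admin host name.

```powershell
# Added example, not from the original article. Probes a SharePoint host with
# separate TLS 1.0 / 1.1 / 1.2 handshakes so a protocol mismatch can be told
# apart from a general connectivity or certificate problem.
function Test-TlsProtocol {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$TargetHost,
        [int]$TargetPort = 443,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        # Step 1: plain TCP connect on 443 (this succeeds in the article's trace)
        $client.Connect($TargetHost, $TargetPort)
        # Step 2: Client Hello restricted to exactly one protocol version.
        # Certificate validation is left on: a cert error is a different problem
        # from the protocol rejection and should show up as such.
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false
        $ssl.AuthenticateAsClient($TargetHost, $null, $Protocol, $true)
        [pscustomobject]@{
            Protocol   = $Protocol
            Accepted   = $true
            Negotiated = $ssl.SslProtocol
            Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Error      = $null
        }
    }
    catch {
        # A server that resets the connection after the Client Hello (as in the
        # article's trace) surfaces here as an IO or authentication exception.
        [pscustomobject]@{
            Protocol   = $Protocol
            Accepted   = $false
            Negotiated = $null
            Cipher     = $null
            Error      = $_.Exception.GetBaseException().Message
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

function Get-SharePointTlsSupport {
    param(
        [Parameter(Mandatory)][string]$TargetHost,   # e.g. the Central Admin host name (placeholder, supply your own)
        [int]$TargetPort = 443
    )
    $versions = [System.Security.Authentication.SslProtocols]::Tls,
                [System.Security.Authentication.SslProtocols]::Tls11,
                [System.Security.Authentication.SslProtocols]::Tls12
    foreach ($v in $versions) {
        Test-TlsProtocol -TargetHost $TargetHost -TargetPort $TargetPort -Protocol $v
    }
}

# Usage (run on the MIM server):
#   Get-SharePointTlsSupport -TargetHost 'YourCentralAdminURL' | Format-Table -AutoSize
#
# What the local .NET Framework offers by default when an application does not
# set SecurityProtocol itself. Before the SchUseStrongCrypto change this is
# typically "Ssl3, Tls", i.e. TLS 1.0 at most, which matches the article's trace.
"Default .NET SecurityProtocol on this server: $([System.Net.ServicePointManager]::SecurityProtocol)"
```

A host that has TLS 1.0 disabled as described above shows Accepted = False for Tls with a connection-closed or handshake error, and Accepted = True with Negotiated = Tls12 for Tls12. If every row fails, the problem is connectivity or the certificate rather than the protocol version.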

Making MIM and SharePoint agree on TLS version:

You could enable TLS 1.0 within the SChannel registry settings on the SharePoint server to force it to allow TLS 1.0 connections:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

…And that may even be worth trying temporarily just to verify it works, but TLS 1.0 has significant security vulnerabilities, so going forward, you’re going to want MIM to use TLS 1.2.

It appears that unlike SharePoint, MIM doesn’t really have a step-by-step guide for enabling TLS 1.1 and 1.2. However, since it’s really the Operating System and .NET Framework that you’re configuring for TLS, we can use parts of the SharePoint guidance on the MIM server.

Windows Server 2012 R2:

If the OS on your MIM server is 2012 R2, you will likely need to install some updates, including ODBC Driver, SQL Native Client, and .NET Framework updates.

1. On the MIM server, use Step 1.1 here to update the ODBC Driver to support TLS:

https://docs.microsoft.com/en-us/SharePoint/security-for-sharepoint-server/enable-tls-1-1-and-tls-1-2-support-in-sharepoint-server-2016#11---install-odbc-driver-11-for-sql-server-update-for-tls-12-support

2. On the MIM server, use Step 1.2 here to update the SQL Native Client to support TLS:

https://docs.microsoft.com/en-us/SharePoint/security-for-sharepoint-server/enable-tls-1-1-and-tls-1-2-support-in-sharepoint-server-2016#12---install-sql-server-2012-native-client-update-for-tls-12-support

3. Run through ALL of the SQL Server steps (Step 2) on the SQL server that hosts the MIM database:

https://docs.microsoft.com/en-us/SharePoint/security-for-sharepoint-server/enable-tls-1-1-and-tls-1-2-support-in-sharepoint-server-2016#step-2-update-your-microsoft-sql-servers-in-your-sharepoint-farm

Note: If you don’t do this, the Forefront Identity Manager service may not start because it cannot connect to the database.

4. On the MIM server, complete ALL of the steps (installing updates, making registry changes, etc) in Step 3 here:

https://docs.microsoft.com/en-us/SharePoint/security-for-sharepoint-server/enable-tls-1-1-and-tls-1-2-support-in-sharepoint-server-2016#step-3-update-your-client-computers-used-to-access-your-sharepoint-sites

Note: I know it says it’s for your client computers, but in this SharePoint connection scenario, MIM is the “client”. Trust me, you need to do this on the MIM server to get everything using TLS 1.2.

Windows Server 2016:

If the OS on your MIM server is 2016, much of this is already enabled by default, so you can use this set of steps:

1. On the MIM server, use Step 1.0 here to disable TLS 1.0:

https://docs.microsoft.com/en-us/SharePoint/security-for-sharepoint-server/enable-tls-1-1-and-tls-1-2-support-in-sharepoint-server-2019#10---disable-earlier-versions-of-tls-in-windows-schannel

2. Run through ALL of the SQL Server steps (Step 2) on the SQL server that hosts the MIM database:

https://docs.microsoft.com/en-us/SharePoint/security-for-sharepoint-server/enable-tls-1-1-and-tls-1-2-support-in-sharepoint-server-2016#step-2-update-your-microsoft-sql-servers-in-your-sharepoint-farm

Note: If you don’t do this, the Forefront Identity Manager service may not start because it cannot connect to the database.

3. On the MIM server, use Step 3.1 to enable TLS 1.2 in SChannel:

https://docs.microsoft.com/en-us/SharePoint/security-for-sharepoint-server/enable-tls-1-1-and-tls-1-2-support-in-sharepoint-server-2019#31---enable-tls-11-and-tls-12-in-windows-schannel

4. On the MIM server, use Step 3.4 to enable strong cryptography (SchUseStrongCrypto registry key) in .NET Framework 4.5:

https://docs.microsoft.com/en-us/SharePoint/security-for-sharepoint-server/enable-tls-1-1-and-tls-1-2-support-in-sharepoint-server-2019#34---enable-strong-cryptography-in-net-framework-45-or-higher

5. On the MIM server, use Step 3.5 to enable TLS 1.2 in .NET Framework 3.5:

https://docs.microsoft.com/en-us/SharePoint/security-for-sharepoint-server/enable-tls-1-1-and-tls-1-2-support-in-sharepoint-server-2019#35---install-net-framework-35-update-for-tls-11-and-tls-12-support

6. On the MIM server, use Step 3.6 to enable strong cryptography (SchUseStrongCrypto registry key) in .NET Framework 3.5:

https://docs.microsoft.com/en-us/SharePoint/security-for-sharepoint-server/enable-tls-1-1-and-tls-1-2-support-in-sharepoint-server-2019#36---enable-strong-cryptography-in-net-framework-35

A single reboot of the MIM server after making all of the above changes should suffice.
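The registry side of steps 3, 4 and 6 above (and the equivalent SChannel and .NET changes in the 2012 R2 procedure) is easy to audit before and after the reboot. The script below is an added example, not code from the original article or the SharePoint documentation: it lists the SChannel TLS 1.2 and SchUseStrongCrypto values that those steps set, reports which ones are still missing, and can apply them with -WhatIf support. The function names are this example's own; the registry paths and value names are the standard Windows and .NET Framework ones. The .NET Framework 3.5 update from step 5 is a hotfix install, not a registry value, so it is not covered here.

```powershell
# Added example, not from the original article. Audits (and optionally sets)
# the SChannel and .NET Framework registry values that the TLS 1.2 steps above
# configure on the MIM server.
function Get-TlsRegistryState {
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
    $desired = @(
        # SChannel: TLS 1.2 enabled for the client side (MIM -> SharePoint) and the server side
        @{ Path = "$schannel\Client"; Name = 'Enabled';           Value = 1 }
        @{ Path = "$schannel\Client"; Name = 'DisabledByDefault'; Value = 0 }
        @{ Path = "$schannel\Server"; Name = 'Enabled';           Value = 1 }
        @{ Path = "$schannel\Server"; Name = 'DisabledByDefault'; Value = 0 }
        # .NET Framework 4.x (the runtime MIM uses): strong crypto, 64-bit and 32-bit views
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SchUseStrongCrypto'; Value = 1 }
        @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SchUseStrongCrypto'; Value = 1 }
        # .NET Framework 3.5 (CLR 2.0): strong crypto, takes effect once the step 5 update is installed
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727';             Name = 'SchUseStrongCrypto'; Value = 1 }
        @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727'; Name = 'SchUseStrongCrypto'; Value = 1 }
    )
    foreach ($d in $desired) {
        $current = $null
        if (Test-Path -Path $d.Path) {
            $item = Get-ItemProperty -Path $d.Path -Name $d.Name -ErrorAction SilentlyContinue
            if ($item) { $current = $item.($d.Name) }
        }
        [pscustomobject]@{
            Path      = $d.Path
            Name      = $d.Name
            Desired   = $d.Value
            Current   = $current
            Compliant = ($current -eq $d.Value)
        }
    }
}

function Set-TlsRegistryState {
    # Creates any missing keys and writes the DWORD values that are not yet compliant.
    # Must run elevated; honours -WhatIf / -Confirm through SupportsShouldProcess.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($entry in (Get-TlsRegistryState | Where-Object { -not $_.Compliant })) {
        if ($PSCmdlet.ShouldProcess("$($entry.Path) : $($entry.Name)", "set DWORD to $($entry.Desired)")) {
            if (-not (Test-Path -Path $entry.Path)) { New-Item -Path $entry.Path -Force | Out-Null }
            New-ItemProperty -Path $entry.Path -Name $entry.Name -Value $entry.Desired -PropertyType DWord -Force | Out-Null
        }
    }
}

# Usage (elevated PowerShell on the MIM server):
#   Get-TlsRegistryState | Format-Table Name, Desired, Current, Compliant, Path -AutoSize
#   Set-TlsRegistryState -WhatIf     # preview the changes
#   Set-TlsRegistryState             # apply them, then reboot once
```

Run the audit again after the reboot; every row should show Compliant = True, and the Client Hello in a fresh trace (or the probe from the troubleshooting section) should now offer TLS 1.2.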

Now we should see that the MIM server offers TLS 1.2 on the SSL Client Hello. The SharePoint server responds with a “Server Hello” agreeing on TLS 1.2, and the connection succeeds.