Windows: "The request was aborted: Could not create SSL/TLS secure channel"

I recently had a problem on an Office Web App Server (Windows Server 2012 R2). To show a document in Web View, it had to fetch it from another server via HTTPS. This failed.

The ULS log showed:

"The request was aborted: Could not create SSL/TLS secure channel"

When I used Internet Explorer from the Office Web App Server, I could connect to the other server via HTTPS, no problem. So the certificate was not the problem; it was trusted on the Office Web App Server.

After hours of searching, I found that IIS (and with that .NET and also PowerShell) uses different TLS settings than Internet Explorer.

I tried the PowerShell command

Invoke-WebRequest 'https://myserver.example.com'

and got the same error message. When I typed

[System.Net.ServicePointManager]::SecurityProtocol

I got this:

Ssl3, Tls

These are outdated and vulnerable protocols, so you have to change what .NET offers and add TLS 1.1 and 1.2.

The easiest is to add the following Registry setting:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319

SchUseStrongCrypto = 1 (Type = DWord)

If you start a new PowerShell session and use the command from above, you will see the new protocols:

Tls, Tls11, Tls12

I restarted IIS, and now Office Web App could access the other server via HTTPS.
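The steps above as one script, with a check before and after the change. This is an added example, not code from the original post. It assumes an elevated prompt, .NET 4.5 or later (for the `Tls12` enum value), and that 32-bit .NET processes should be covered too through the `Wow6432Node` path, which the post does not mention.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
$url  = 'https://myserver.example.com'   # placeholder host used in the post
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',              # path from the post
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'   # assumption: 32-bit view
)

# 1. Audit the current state before changing anything.
foreach ($key in $keys) {
    $value = (Get-ItemProperty -Path $key -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
    if ($null -eq $value) { $value = '(not set)' }
    "{0} : SchUseStrongCrypto = {1}" -f $key, $value
}
"This session offers: $([Net.ServicePointManager]::SecurityProtocol)"

# 2. Confirm the diagnosis without touching the registry: add TLS 1.2 for this
#    session only and retry the request that failed.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor
    [Net.SecurityProtocolType]::Tls12
try {
    $response = Invoke-WebRequest -Uri $url -UseBasicParsing
    "Session-only test: HTTP $($response.StatusCode), the protocol list was the cause."
} catch {
    Write-Warning "Session-only test still fails: $($_.Exception.Message)"
}

# 3. Make the change machine-wide for .NET 4.x processes (the registry value from the post).
foreach ($key in $keys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name SchUseStrongCrypto -Value 1 -PropertyType DWord -Force | Out-Null
}

# 4. Verify in a fresh process; the current session keeps the values it started with.
#    Running services such as IIS only pick the change up after a restart.
$after = powershell.exe -NoProfile -Command '[System.Net.ServicePointManager]::SecurityProtocol'
"A new session offers: $after"
if ("$after" -notmatch 'Tls12') {
    Write-Warning 'TLS 1.2 is still not offered by new .NET processes.'
}
# Per the output shown in the post (Tls, Tls11, Tls12), TLS 1.0 stays in the list.
```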

 

 

4 thoughts on “Windows: "The request was aborted: Could not create SSL/TLS secure channel"”

  1. Thank you! This happened on a 2016 virt machine. I had tried various measures (removing the NIC, adding a new one; switching virtual switches, DHCP, etc.). Whew, I'm smiling now. Thanks again.

  2. I had the same error trying to install SQL Server Express on Windows Server 2012 and 2016. The answer was (as above) to enable TLS 1, 1.1 and 2. You have to find them in the registry (easy to find where they are with a Google search) and switch DisabledByDefault from 1 to 0 and also Enabled from 0 to 1 in the Client Key of each (I had to create both for TLS 2.0).
