Merge pull request #8828 from AmandaAZ/Branch-CI5501

Simonx Xu · web-flow · commit aa5f66238869 · 2025-05-09T16:34:21.000+08:00
AB#5501: Convert blog post to article
diff --git a/support/entra/entra-id/app-integration/application-using-tls-1dot0-1dot1-authentication-fail.md b/support/entra/entra-id/app-integration/application-using-tls-1dot0-1dot1-authentication-fail.md
@@ -0,0 +1,78 @@
+---
+title: Microsoft Entra Applications Using TLS 1.0/1.1 Fail to Authenticate
+description: Provides solutions to authentication errors that occur with Microsoft Entra applications using TLS version 1.0 or 1.1.
+ms.reviewer: bachoang, v-weizhu
+ms.service: entra-id
+ms.date: 05/09/2025
+ms.custom: sap:Developing or Registering apps with Microsoft identity platform
+---
+# Microsoft Entra applications using TLS 1.0/1.1 fail to authenticate
+
+This article provides solutions to authentication errors that occur with Microsoft Entra-integrated applications targeting versions earlier than Microsoft .NET Framework 4.7.
+
+## Symptoms
+
+Applications using an older version of the .NET Framework might encounter authentication failures with one of the following error messages:
+
+- > AADSTS1002016: You are using TLS version 1.0, 1.1 and/or 3DES cipher which are deprecated to improve the security posture of Azure AD
+
+- > IDX20804: Unable to retrieve document from: '[PII is hidden]'
+
+- > IDX20803: Unable to obtain configuration from: '[PII is hidden]'
+
+- > IDX10803: Unable to create to obtain configuration from: 'https://login.microsoftonline.com/{Tenant-ID}/.well-known/openid-configuration'
+
+- > IDX20807: Unable to retrieve document from: 'System.String'
+
+- > System.Net.Http.Headers.HttpResponseHeaders RequestMessage {Method: POST, RequestUri: '\<request-uri>', Version: 1.1, Content: System.Net.Http.FormUrlEncodedContent, Headers: { Content-Type: application/x-www-form-urlencoded Content-Length: 970 }} System.Net.Http.HttpRequestMessage StatusCode UpgradeRequired This service requires use of the TLS-1.2 protocol
+
+## Cause
+
+Starting January 31, 2022, Microsoft enforced the use of the TLS 1.2 protocol for client applications connecting to Microsoft Entra services on the Microsoft Identity Platform to ensure compliance with security and industry standards. For more information about this change, see [Enable support for TLS 1.2 in your environment for Microsoft Entra TLS 1.1 and 1.0 deprecation](../ad-dmn-services/enable-support-tls-environment.md) and [Act fast to secure your infrastructure by moving to TLS 1.2!](https://techcommunity.microsoft.com/blog/microsoft-entra-blog/act-fast-to-secure-your-infrastructure-by-moving-to-tls-1-2/2967457)
+
+Applications running on older platforms or using older .NET Framework versions might not have TLS 1.2 enabled. Therefore, they can't retrieve the OpenID Connect metadata document, resulting in failed authentication.
+
+## Solution 1: Upgrade the .NET Framework
+
+Upgrade the application to use .NET Framework 4.7 or later, where TLS 1.2 is enabled by default.
+
+## Solution 2: Enable TLS 1.2 programmatically
+
+If upgrading the .NET Framework isn't feasible, you can enable TLS 1.2 by adding the following code to the **Global.asax.cs** file in your application:
+
+```csharp
+using System.Net;
+
+protected void Application_Start()
+{
+ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Ssl3; // only allow TLS 1.2 and SSL 3
+// The rest of your startup code goes here
+}
+```
+
+## Solution 3: Change web.config to enable TLS 1.2
+
+If .NET Framework 4.7.2 is available, you can enable TLS 1.2 by adding the following configuration to the **web.config** file:
+
+```json
+<system.web>
+    <httpRuntime targetFramework="4.7.2" />
+</system.web>
+```
+
+> [!NOTE]
+> If using .NET Framework 4.7.2 causes breaking changes to your app, this solution might not work.
+
+## Solution 4: Enable TLS 1.2 before running PowerShell commands
+
+If you encounter the AADSTS1002016 error while running the PowerShell command `Connect-MSolService`, `Connect-AzureAD`, or `Connect-MSGraph` (from the Microsoft Intune PowerShell SDK module), set the security protocol to TLS 1.2 before executing the commands:
+
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+```
+
+## References
+
+[Transport Layer Security (TLS) best practices with .NET Framework](/dotnet/framework/network-programming/tls)
+
+[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]
diff --git a/support/entra/entra-id/toc.yml b/support/entra/entra-id/toc.yml
@@ -51,25 +51,26 @@
     items:
       - name: 401 Unauthorized errors in ASP.NET Core Web API
         href: app-integration/401-unauthorized-aspnet-core-web-api.md
-      - name: Cookies are disabled error in MSAL.Net XBAP application
-        href: app-integration/script-errors-running-msal-net-xbap-app.md
-      - name: IDX10501 Error in ASP.NET Core with Azure B2C Custom Policy
-        href: app-integration/troubleshoot-error-idx10501-aspnet-b2c.md
+      - name: Applications using TLS 1.0/1.1 fail to authenticate
+        href: app-integration/application-using-tls-1dot0-1dot1-authentication-fail.md
       - name: Authentication fails after Android app is published to Google Play Store
         href: app-integration/android-app-authentication-fails-after-published-to-google-play-store.md
-      - name: WIF10201 No valid key mapping found
-        href: app-integration/troubleshoot-wif10201-no-validkey-securitytoken-mvc.md
-      - name: Package Inspector for MSAL Android Native
-        href: app-integration/package-inspector-msal-android-native.md
+      - name: Cookies are disabled error in MSAL.Net XBAP application
+        href: app-integration/script-errors-running-msal-net-xbap-app.md
       - name: Enable MSAL4J logging in a Spring Boot web application
         href: app-integration/enable-msal4j-logging-spring-boot-webapp.md
-      - name: Repeated login prompts in iOS MSAL implementation
-        href: app-integration/repeat-login-prompts-in-msal-ios-app.md
       - name: Error AADSTS7000218 - Invalid client
         href: app-integration/confidential-client-application-authentication-error-aadsts7000218.md
+      - name: IDX10501 Error in ASP.NET Core with Azure B2C Custom Policy
+        href: app-integration/troubleshoot-error-idx10501-aspnet-b2c.md
       - name: Infinite sign-in loop issue with ASP.NET applications
         href: app-integration/asp-dot-net-application-infinite-sign-in-loop.md
-        
+      - name: Package Inspector for MSAL Android Native
+        href: app-integration/package-inspector-msal-android-native.md
+      - name: Repeated login prompts in iOS MSAL implementation
+        href: app-integration/repeat-login-prompts-in-msal-ios-app.md
+      - name: WIF10201 No valid key mapping found
+        href: app-integration/troubleshoot-wif10201-no-validkey-securitytoken-mvc.md
 
   - name: Troubleshoot adding apps
     href: app-integration/troubleshoot-adding-apps.md
