Cipher Suites Renamed in Windows Server 2016

After testing IIS Crypto 2.0, we ran into an issue with the soon-to-be-released Windows Server 2016. All of the Qualys SSL scans were not recognizing the order of the cipher suites configured by IIS Crypto. It turns out that Microsoft quietly renamed most of their cipher suites, dropping the curve (_P521, _P384, _P256) from them. This reduced most suites from three down to one. However, this threw us a bit of a curve ball, as now IIS Crypto's configuration and all of the templates needed to support OS version checking. We added this in one of the beta versions, retested, and sure enough the scans were now showing the correct cipher suite order.

Comments (9)

By Metehan Bolat | April 25, 2018 - 01:10

Hey, I guess in later or updated versions of Windows Server 2016, the GUI throws exceptions that can only be seen in Event Viewer.
Something about KERNELBASE.DLL and System.InvalidCastException.
It can be about checking the OS version. We have been using this tool on Windows Server 2012 and it saved us big time.
Any other people having the same issue? I can share more details upon request.

By R S | May 17, 2018 - 04:05

Yes, getting the same error with recently provisioned Windows Server 2016 VMs in Azure.

By Debjit Das | May 24, 2018 - 03:44

IIS Crypto 2.0 is crashing with recently provisioned Windows Server 2016 VMs in Azure and throwing some exception about “KERNELBASE.DLL and System.InvalidCastException”.

We can see the same issue already posted on your blog recently regarding Azure-hosted VMs.

Much appreciated if you can provide an update on when this bug will be fixed for Azure VMs!

By James Cumper | June 15, 2018 - 08:31

Hi, any update on IIS Crypto crashing with Azure 2016 VMs and throwing some exception about “KERNELBASE.DLL and System.InvalidCastException”?

By YK | June 19, 2018 - 04:09

Is it possible to fix the IISCrypto crash on Azure Win Server 2016?

By YK | June 19, 2018 - 04:10

Is there any workaround?

By om | June 21, 2018 - 09:16

Same here - IISCrypto crashes on Azure Win Server 2016 (works great on Win Server 2012)

By same issue | June 22, 2018 - 06:59

IIS Crypto is failing

By Jeff | June 22, 2018 - 07:45

Hi All,

The actual issue is with the Azure template. It is setting both the RC4 and SSL 3.0 registry keys as a string when they should be a DWORD.

The next version of IIS Crypto checks for this and sets the correct types. In the meantime, if you want, look for the keys named "Enabled" and "DisabledByDefault" under the root (and their children):

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

- Jeff
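
The check described in the comment above, as an added PowerShell example (not part of the original comment and not IIS Crypto's own code): a read-only walk of the SCHANNEL key and its children that lists every `Enabled` or `DisabledByDefault` value whose registry type is not DWORD. The function name `Get-SchannelTypeMismatch` is hypothetical; the script changes nothing in the registry.

```powershell
# Added example: read-only audit of SCHANNEL value types.
# Root key and value names are the ones given in the comment above.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$ValueNames   = 'Enabled', 'DisabledByDefault'

function Get-SchannelTypeMismatch {   # hypothetical helper name
    param([string]$Path = $SchannelRoot)

    # The root key itself plus every key beneath it (Protocols, Ciphers, ...).
    $keys = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        foreach ($name in $ValueNames) {
            # Skip keys that do not carry this value at all.
            if ($key.GetValueNames() -notcontains $name) { continue }

            # GetValueKind returns the stored registry type (String, DWord, ...).
            $kind = $key.GetValueKind($name)
            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                [pscustomobject]@{
                    Key   = $key.Name
                    Name  = $name
                    Kind  = $kind
                    Value = $key.GetValue($name)
                }
            }
        }
    }
}

# An empty result means every Enabled/DisabledByDefault value found is a DWORD.
Get-SchannelTypeMismatch | Format-Table -AutoSize -Wrap
```

Any row it prints is a value to recreate as a DWORD with the same numeric setting; reading HKLM does not require changes to the key, so the audit can be run before deciding on a fix.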
