Authorize.Net API questions and help with your payment integration.
03-27-2018 09:10 PM - edited 03-27-2018 09:13 PM
How are you setting IIS Crypto Settings?
Are you selecting the "Best Practices" button and then de-selecting TLS 1.1? And are you checking the "Set Client Side Protocols" box?
I'll try to include an image here but it may not work:
03-28-2018 05:11 AM
Yes, the rest of the site is working. We are able to do everything except connect to authorize.net.
Every time I make a change and reboot, I am testing the website functionality through the client frontend. All updates to SQL Server through the frontend asp classic codes works correctly.
I also confirmed the registry settings again. I carefully followed the path again to make sure our paths match yours. They are both correct; Wow6432Node is set because we have a 64-bit system. The only difference between your values and ours is that yours do not have (2048) after the value and ours do have it.
Our value: (in both settings)
Value: 0x00000800 (2048)
I opened IISCrypto. It looks as though the "Best Practices" button was not checked before, so I checked it and the Cipher and other settings changed. I unchecked TLS 1.1, applied and rebooted. When I checked https://www.ssllabs.com/ssltest/, our website's rating is now an "A" (always "B" before today) and everything looked good, except that I got the same error messages with my test code, and I again tried all 3 ways of setting the object, as you suggested. And, yes, the "Set Client Side Protocols" button is checked.
I then proceeded to test every combination of TLS settings using IIS Crypto; only 1.2 enabled, then 1.2 and 1.0, and then 1.2 and 1.1. I rebooted each time after changing settings in IIS Crypto and then I immediately retested the website. All website functionality continued to work after each change. But my test program did not work. And, as I said, each time I test, I test all 3 possible set statements.
Now when I test with TLS 1.2 and 1.0 enabled, I still get the cipher “bad” message but it is much smaller. Maybe that’s because I used the “Best Practices” setting and that changed the settings that were previously there.
Here’s my test code again:
Set objHttp = Server.CreateObject("MSXML2.ServerXMLHTTP.6.0")
'Set objHttp = Server.CreateObject("MSXML2.XMLHTTP.6.0")
'Set objHttp = Server.CreateObject("WinHTTP.WinHTTPRequest.5.1")
objHttp.open "GET", "https://howsmyssl.com/a/check", False   'False = synchronous request
objHttp.send                                                 'nothing is sent until send is called
Response.Write objHttp.responseText & "<br>"                 'JSON body includes tls_version and rating
Set objHttp = Nothing
I will let our server people know what you said about the registry settings not seeming to be recognized. Although I know how to check regedit, I would not be comfortable making any registry settings on this server as I do not manage the server. They have given me access to IISCrypto so that is why I am able to make those changes, reboot and test over the last few days.
I have screenshots of everything but I have been unable to insert any screenshots into this forum. It keeps giving me an HTML error anytime I use their icon to insert an image.
Thanks again. I really appreciate your help. I feel bad that we are taking so much of your time but I really don't know what else to do. Hopefully the server people will find something with the registry.
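An added example, not code from the thread: the same howsmyssl check run from PowerShell on the web server against each of the three COM objects the ASP test tries, plus the .NET HTTP stack, so one table shows which TLS version each stack on that host negotiates. It assumes outbound HTTPS from the server to howsmyssl.com is allowed and that the endpoint returns JSON with tls_version and rating fields.

```powershell
# Added example (not from the thread). Run on the web server itself, since the
# question is what *that* host's HTTP stacks negotiate.
# Assumes outbound HTTPS to howsmyssl.com is allowed from the server.
$Url = 'https://howsmyssl.com/a/check'   # same endpoint as the ASP test above

function Test-ComHttpStack {
    # Sends one GET through the named COM object and reports the negotiated
    # TLS version from the JSON body. ServerXMLHTTP and WinHttpRequest ride on
    # WinHTTP; XMLHTTP rides on WinINet, which is why they can differ on one box.
    param([Parameter(Mandatory)][string]$ProgId)
    try {
        $req = New-Object -ComObject $ProgId
        $req.open('GET', $Url, $false)    # $false = synchronous
        $req.send()
        $body = $req.responseText | ConvertFrom-Json
        [pscustomobject]@{ Stack = $ProgId; TlsVersion = $body.tls_version; Rating = $body.rating }
    } catch {
        [pscustomobject]@{ Stack = $ProgId; TlsVersion = 'FAILED'; Rating = $_.Exception.Message }
    }
}

function Test-DotNetHttpStack {
    # The .NET stack is the one that honours SchUseStrongCrypto and
    # SystemDefaultTlsVersions; a .NET-based payment SDK would use it.
    $name = '.NET (Invoke-RestMethod)'
    try {
        $body = Invoke-RestMethod -Uri $Url
        [pscustomobject]@{ Stack = $name; TlsVersion = $body.tls_version; Rating = $body.rating }
    } catch {
        [pscustomobject]@{ Stack = $name; TlsVersion = 'FAILED'; Rating = $_.Exception.Message }
    }
}

$results = @(
    Test-ComHttpStack 'MSXML2.ServerXMLHTTP.6.0'
    Test-ComHttpStack 'MSXML2.XMLHTTP.6.0'
    Test-ComHttpStack 'WinHttp.WinHttpRequest.5.1'
    Test-DotNetHttpStack
)
$results | Format-Table -AutoSize

# Any row that is not "TLS 1.2" (or that says FAILED) is a stack that will also
# fail against an endpoint that accepts only TLS 1.2.
```

Running this after each IIS Crypto change and reboot replaces the three commented-out CreateObject lines with a single side-by-side view, and makes it obvious when a browser-side problem (as raised later in the thread) is being confused with a server-side one, because nothing here goes through a browser.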
03-28-2018 09:21 AM
One other thing to look for is the Application Pool Setting for your website. Make sure it is using 4.0 and not 2.0
If you don't know where that is open IIS Manager (Internet Information Services (IIS) Manager)
Click the down arrow on to the left of the server name and then highlight "Application Pools"
Double click on your website name on the right and see if it is set to 2.0 or 4.0. Should be 4.0.
If for some reason you cannot change this from 2.0 to 4.0 then you need to set these registry values:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
If you just change the App Pool setting to 4.0 then you should only need to restart IIS. If you add the registry entries then a reboot would be needed.
03-28-2018 05:36 PM
I checked the IIS Manager. I wish I could figure out how to insert images into the posts in this forum so I could show you what I see but I still haven't been able to get the images to work. Keep getting error about "invalid HTML code" after inserting an image.
In IIS Manager on our website, the application pool settings are for the server, not the website. Below Application Pools, it says "Sites" and then below that is "Default Web Site" and then I see all the folders that appear in Windows Explorer under inetpub (which makes sense).
Here's how IIS Manager looks:
Default Web Site
..all other folders under inetpub
Under Sites, there are no application pool settings.
But when I look at Application Pools, I see this:
Name                    Status    .NET Framework Version    Managed Pipeline Mode    Identity                   Applications
.NET v2.0               Started   V2.0                      Integrated               ApplicationPoolIdentity    0
.NET v2.0 Classic       Started   V2.0                      Classic                  ApplicationPoolIdentity    0
Classic .NET AppPool    Started   V2.0                      Classic                  ApplicationPoolIdentity    0
DefaultAppPool          Started   V4.0                      Integrated               LocalSystem                2
mstest                  Started   V2.0                      Integrated               ApplicationPoolIdentity    1
So this looks okay, right?
03-28-2018 07:39 PM
In IIS Manager under Sites, right click your website and then click on Manage Website / Advanced Settings
The first line should show what Application Pool is being used by your website.
What browser are you using? It is possible that the problem is with your browser not supporting any TLS version beyond 1.0. Have you tried running your scripts from a different browser or computer?
One other registry key you may need since your server is 2012 and not 2012r2 is the SchUseStrongCrypto key.
Here are instructions to add that key.
Enable the SchUseStrongCrypto property in the Windows registry to use as the default protocols: TLS 1.0, TLS 1.1 and TLS 1.2
If you want to make sure strong cryptography is enabled and the SSL protocols for your requests are TLS 1.0, TLS 1.1 and TLS 1.2, please follow these steps:
1. Start the registry editor by clicking on Start and Run. Type "regedit" into the Run field (without quotation marks).
2. Highlight Computer at the top of the registry tree. Back up the registry first by clicking on File and then on Export. Select a file location to save the registry file.
Note: You will be editing the registry. This could have detrimental effects on your computer if done incorrectly, so it is strongly advised to make a backup.
3. Browse to the following registry key:
4. Right-click on the right pane and create a new DWORD (32-bit) Value with the name SchUseStrongCrypto.
5. Ensure that the Value data field is set to 1 and the Base is Hexadecimal. Click OK.
6. Repeat steps 4 and 5 for the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319
7. Reboot the server.
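An added example, not from the thread, that covers both the application-pool advice earlier in the thread and the registry advice in this post: a read-only PowerShell audit that prints the Schannel protocol keys IIS Crypto writes, the SchUseStrongCrypto / SystemDefaultTlsVersions values under the four .NET Framework keys named in the thread, and which app pool and runtime version the site actually runs in. It changes nothing; the remediation stays the regedit steps above. The site name is a placeholder, and the WebAdministration module (installed with the IIS management tools) is assumed.

```powershell
# Added example (not from the thread). Read-only audit of the three things the
# thread touches: Schannel protocol keys, .NET strong-crypto values, and the
# app pool / runtime the site runs under. Run in an elevated PowerShell session
# on the web server. Assumption: $SiteName is a placeholder for your site.
param(
    [string]$SiteName = 'Default Web Site'   # placeholder; use your site's name
)

$Schannel   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$DotNetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727'
)

function Get-RegValueOrDefault {
    # Returns the named value, or $Default when the key or value is absent.
    param([string]$Path, [string]$Name, $Default = 'unset')
    if (-not (Test-Path $Path)) { return $Default }
    $props = Get-ItemProperty -Path $Path
    if ($null -eq $props.$Name) { return $Default }
    return $props.$Name
}

function Get-SchannelState {
    # Mirrors what IIS Crypto writes: Enabled=0 disables the protocol,
    # DisabledByDefault=1 leaves it installed but not offered.
    param([string]$Protocol, [string]$Side)
    $key = Join-Path $Schannel "$Protocol\$Side"
    if (-not (Test-Path $key)) { return 'OS default (no key)' }
    $enabled = Get-RegValueOrDefault $key 'Enabled' $null
    $dbd     = Get-RegValueOrDefault $key 'DisabledByDefault' $null
    if ($enabled -eq 0) { return 'disabled' }
    if ($dbd -eq 1)     { return 'disabled by default' }
    return 'enabled'
}

'== Schannel protocols =='
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Server', 'Client') {
        '{0,-8} {1,-7} {2}' -f $proto, $side, (Get-SchannelState $proto $side)
    }
}

'== .NET Framework strong crypto =='
foreach ($key in $DotNetKeys) {
    $strong = Get-RegValueOrDefault $key 'SchUseStrongCrypto'
    $sysdef = Get-RegValueOrDefault $key 'SystemDefaultTlsVersions'
    $key
    '  SchUseStrongCrypto={0}  SystemDefaultTlsVersions={1}' -f $strong, $sysdef
}

'== IIS application pools =='
Import-Module WebAdministration -ErrorAction Stop
foreach ($pool in Get-ChildItem IIS:\AppPools) {
    '{0,-24} runtime={1,-5} pipeline={2}' -f $pool.Name, $pool.managedRuntimeVersion, $pool.managedPipelineMode
}
$site = Get-Item "IIS:\Sites\$SiteName" -ErrorAction SilentlyContinue
if ($null -eq $site) {
    "Site '$SiteName' not found; list sites with: Get-ChildItem IIS:\Sites"
} else {
    $poolName = $site.applicationPool
    $runtime  = (Get-Item "IIS:\AppPools\$poolName").managedRuntimeVersion
    "Site '$SiteName' runs in pool '$poolName' (runtime $runtime)"
    if ($runtime -ne 'v4.0') {
        "  -> not v4.0: the SystemDefaultTlsVersions values under v2.0.50727 are the ones that matter here"
    }
}
```

Run it once before touching anything and once after each reboot; the two Schannel columns make it clear whether a change landed on the Server side, the Client side ("Set Client Side Protocols" in IIS Crypto), or both, and the last section answers the "which pool is my site really in" question without clicking through Advanced Settings.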
03-29-2018 03:59 AM
Thank you so much. I can't thank you enough for your help. Thank you...thank you.
We did not need to make the latest registry change.
Here's the last tweak needed.
'3/29/18 change statement for tls 1.2 for authorize.net
'3/29/18 Set xml = Createobject("MSXML2.ServerXMLHTTP")
Set xml = Server.CreateObject("MSXML2.XMLHTTP.6.0") '3/29/18
I don't know why this change in the test program to the SSL test page doesn't work, but it works for authorize.net. This is the only "CreateObject" setting that works for authorize.net from the server.
I had several test programs but only one that actually tested a call to authorize.net. I thought I had tested everything in all my test programs each time I tested but, after so many different tries and changes, I missed this different test program. After reading the posts again in this thread and reading posts in other forums, I woke up this morning and just tried it and it worked.
Wow, after almost 4 weeks of trying different things, it works.
Thank you again for sticking with us!
03-29-2018 06:21 AM
That's great! Now, if you want to put the icing on the cake, try disabling TLS 1.0 and see if it works. If it does not work then you still have a problem between your web server and your database server.
Technically you are good as far as Authorize.net is concerned. You are communicating with them via TLS 1.2.
If you want to be PCI compliant then you would need to remove TLS 1.0 from the server completely.
If you are still having problems with the database connection after removing TLS 1.0 post your database connection string with the username and password masked so we can look at it.
03-29-2018 06:31 AM
Thank you! TLS 1.0 is disabled. Right now only TLS 1.2 is enabled in IISCrypto. And to confirm it, everything is "No" on the ssl security test except for TLS 1.2 and the website now has an "A" rating on the ssl security test.
03-29-2018 07:08 AM
Back at you! You stuck it out with us. I don't know what we would have done without your help. Your helpful and kind replies gave me hope that we would eventually get there.
Although the vendor managing the server, a third-party software product, and I are the original creators of this website system from 12 years ago, and we know it well, we relied on your help to work through each issue to get TLS 1.2 working.
We are all very grateful to you.
I hope that our back and forth will help others who may still be struggling with this same issue so they have many different things to try. And they know they will eventually get it working.