I recently (well yesterday) stumbled across a ConfigMgr Current Branch setup of a new site server failing due to TLS configuration. Turned out that the ConfigMgr 1702 setup (latest baseline as of today) couldn't install when TLS 1.0 and SSL 3.0 had been removed due to server hardening. The server was Windows Server 2016, and the database SQL was SQL Server 2016 Standard with SP1.
The Issue
When not having TLS 1.0 and SSL 3.0 enabled, the ConfigMgr 1702 setup failed with the following error:
*** [08001][18][Microsoft][ODBC SQL Server Driver][Shared Memory]SSL Security error3000 (0x0BB8)
*** [01000][1][Microsoft][ODBC SQL Server Driver][Shared Memory]ConnectionOpen (SECCreateCredentials()).
*** Failed to connect to the SQL Server, connection type: CM01.CORP.VIAMONSTRA.COM MASTER.
*** [08001][18][Microsoft][ODBC SQL Server Driver][Shared Memory]SSL Security error
*** [01000][1][Microsoft][ODBC SQL Server Driver][Shared Memory]ConnectionOpen (SECCreateCredentials()).
*** Failed to connect to the SQL Server, connection type: CM01.CORP.VIAMONSTRA.COM MASTER.
The Fix
First, make sure you are on .NET Framework 4.6.2, and then use IISCrypto.exe from Nartac Software to temporarily enable TLS 1.0 and SSL 3.0
Then run the ConfigMgr 1702 setup, upgrade to ConfigMgr 1706 or ConfigMgr 1710, and then disable TLS 1.0 and SSL 3.0 again.
There is more information on how to enable TLS 1.2 for ConfigMgr on this link: http://support.microsoft.com/en-us/help/4040243/how-to-enable-tls-1-2-for-configuration-manager
Note: Running ConfigMgr in TLS 1.1 or TLS 1.2 only environments is begging for trouble. Guidance and real world testing of this scenario is quite limited. Don't say I didn't warn you 🙂
Temporarily enable TLS 1.0 and SSL 3.0 to allow the ConfigMgr 1702 setup to run.
Hardening put back again, after upgrading to ConfigMgr 1706 or ConfigMgr 1710.
Written by Johan Arwidmark