Symptoms:
- The HTTP/2 APNs Test Connection fails in the Workspace ONE UEM console following an upgrade to the supported console version for HTTP/2 APNs communication: "Test connection over HTTP/2 failed. Invalid Certificate."
- Apple devices stop receiving valid APNs traffic from Workspace ONE (WS1) UEM following changes/updates to Windows Server environments. Legacy Windows Server environments are missing the cipher suites required by HTTP/2 clients by default.
- On-premises iOS/iPadOS enrollment fails with the following error message: "error 9003."
This article provides a solution to the impact of missing cipher suites on Workspace ONE UEM implementations for on-premises customers.
HTTP/2 web services fail when only non-HTTP/2-compatible cipher suites are available. In the past, certain ciphers were not enabled by default in Windows Server 2008 or Windows Server 2012 R2 environments. Newer HTTP/2 web services will be unusable by default unless support for compatible cipher suites is enabled. Because Workspace ONE UEM depends on APNs to reach devices, this can cause significant outages for customers using iOS/iPadOS devices. Certain failures may indicate a lack of supported cipher suites for HTTP/2 clients on Windows 8.x and Windows Server 2012 R2 environments, or on Windows Server 2016 environments.
Failing to update the cipher suites on your WS1 application servers can result in iOS/iPadOS devices not receiving commands, installs, or profiles from Workspace ONE UEM. It can also cause APNs failures for WS1 API servers and for API calls that use APNs. These cipher suites are needed to communicate with Apple for the new HTTP/2 change that will go into effect early next year (2021).
Confirm HTTP/2 Support

IIS running on Windows 10 or Windows Server 2016 supports HTTP/2. Confirm that HTTP/2 is enabled on your server (check that the keys below are not set to 0).

Note: This procedure modifies the Windows registry. Before making any registry modifications, ensure that you have a current and valid backup of the registry and the virtual machine. For more information on backing up and restoring the registry, see Microsoft Knowledge Base article 136393.

1. Go to Start > regedit.
2. Navigate to the path HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Under the Parameters folder, right-click the white space and add two new DWORD (32-bit) values: EnableHttp2Tls and EnableHttp2Cleartext.
4. Ensure both new values are set to 1 (enabled) by right-clicking each value and clicking Modify.
5. Run regedit.exe and browse to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters.
6. Create a new DWORD value named "DuoEnabled" (without quotes) and set its value to 1.
7. Reboot your server.

Enable Supported Ciphers for HTTP/2 Communication

To avoid APNs communication failures over HTTP/2 from WS1, confirm that the following cipher suites are enabled/supported on the application servers. The cipher suite that must be enabled depends on the server version of the application servers.

Windows Server 2012 R2 and earlier (TLS_RSA_WITH_AES_256_CBC_SHA)

1. Verify the cipher suites supported by your servers using one of the following methods:
   - The list of TLS cipher suites enabled on the server can be read from the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
   - Use third-party software such as IIS Crypto to view/edit the supported cipher suites.
2. Modify the server configuration to allow the supported cipher suites using one of the following methods:
   - Apply the Windows 8.1 and Windows Server 2012 R2 update 2919355. These steps are outlined by Microsoft under TLS Cipher Suites in Windows 8.1. This will add support for HTTP/2 web services.
   - Manually add the missing ciphers using a tool like IIS Crypto (see below).

Windows Server 2016 and later (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)

Note: IIS running on Windows 10 or Windows Server 2016 supports HTTP/2, and this cipher suite is enabled by default. If it is missing or disabled, perform the following:

1. Verify the cipher suites supported by your servers using one of the following methods:
   - The list of TLS cipher suites enabled on the server can be retrieved using the Get-TlsCipherSuite PowerShell command.
   - Use third-party software such as IIS Crypto to view/edit the supported cipher suites.
2. Modify the configuration to allow the supported cipher suites using one of the following methods:
   - Manually add the missing ciphers using a tool like IIS Crypto.
   - Enable them using the Enable-TlsCipherSuite PowerShell command.

Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites. Inclusion of such links does not imply that VMware endorses, recommends, or accepts any responsibility for the content of such sites.
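The two checks above (HTTP/2 registry switches and the required cipher suite) can be run together from PowerShell on a Windows Server 2016 or later application server. This is an added example, not a script from the VMware article; it assumes the TLS module cmdlets Get-TlsCipherSuite and Enable-TlsCipherSuite are available and that it runs from an elevated session.

```powershell
# Added example (not from the VMware KB): audit the HTTP/2 registry switches and the
# cipher suite the article requires on Windows Server 2016+. Assumes the TLS module
# (Get-TlsCipherSuite / Enable-TlsCipherSuite) is present and the session is elevated.
# With -Fix, a missing suite is enabled; nothing is ever disabled or removed.
param([switch]$Fix)

$httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
# Suite the article names for Windows Server 2016 and later
$requiredSuites = @('TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384')

function Test-Http2Registry {
    # Both values are optional; only an explicit 0 turns HTTP/2 off
    $props = Get-ItemProperty -Path $httpParams -ErrorAction SilentlyContinue
    foreach ($name in 'EnableHttp2Tls', 'EnableHttp2Cleartext') {
        $value = $props.$name
        if ($null -eq $value) {
            Write-Output "$name : not set (OS default applies)"
        } elseif ($value -eq 0) {
            Write-Warning "$name is 0: HTTP/2 is explicitly disabled; set it to 1 and reboot"
        } else {
            Write-Output "$name : $value (enabled)"
        }
    }
}

function Test-RequiredCipherSuites {
    # Get-TlsCipherSuite lists the suites Schannel currently offers
    $enabled = (Get-TlsCipherSuite).Name
    foreach ($suite in $requiredSuites) {
        if ($enabled -contains $suite) {
            Write-Output "$suite : enabled"
        } elseif ($Fix) {
            Enable-TlsCipherSuite -Name $suite
            Write-Output "$suite : was missing, now enabled"
        } else {
            Write-Warning "$suite is missing; rerun with -Fix or add it with IIS Crypto"
        }
    }
}

Test-Http2Registry
Test-RequiredCipherSuites
```

Run it without -Fix first to see the current state, then with -Fix once you are satisfied with the reported changes.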
For more information regarding HTTP/2 APNs support in WS1, see:
- Upgrade Workspace ONE UEM before November 2020 to support Apple Push Notifications over HTTP/2
- Check APNs Connectivity over HTTP/2