Disabling TLS 1.0 and the impact on Dynamics AX 2009 & AX 2012

If you haven't disabled TLS 1.0 yet, you are no longer PCI compliant. As of June 2018 PCI considers TLS 1.0 as obsolete and no longer compliant.

With the known vulnerability from the past 2 year you should want to disable TLS1.0 even if your not required to be PCI compliant.

In this article I will explain the impact of disabling TLS 1.0 in your Dynamics AX 2012 environment.

If you are running AX 2009 or older. Its time to upgrade your AX environment. AX 2009 and older don't support a SQL versions that support TLS1.2. Meaning you are stuck on a SQL version that doesn't allow you to disable TLS1.0. 

If you are running Dynamics AX 2012, there needs to be some preparations prior to disabling TLS 1.0. If these precautions are not taken, the result will be that your AOS services will not start and your Data Import Export Framework will through errors. I have listed the errors below and how to resolve them.

Error when starting AOS Service:

Below I have included the errors you may see in the Event log if you are impacted by this.

Errors in Event Log:

Object Server 01:  Fatal SQL condition during login. Error message: "[Microsoft][SQL Server Native Client 11.0]TCP Provider: An existing connection was forcibly closed by the remote host.

Object Server 01:  SQL diagnostics: [Microsoft][SQL Server Native Client 11.0]TCP Provider: An existing connection was forcibly closed by the remote host.
Connect information was: Userid = [], Database = [DatabaseName], Server = [SQLServerName], DSN = [], Other = []

Object Server 01:  The database ServerName\DatabaseName_model is not recognized as a model store.

Object Server 01:  Server terminated unexpectedly with 90 exitcode.

Most importantly notice the first 2 errors mention Microsoft SQL Server Native Client. If you are running into this, that means your Windows Server team has disabled TLS. 1.0 and now you need to apply the fixes to get AOS Services to work. I have included some prerequisites below. You only need to update the Prerequisites installed on your Server. For example, if on your AOS server you have Microsoft SQL Server Native Client 11.1.X only. Then you only need to install the most current version of  Microsoft SQL Server Native Client.

Errors in Data Import Export Framework:

If you are getting the error The version of Microsoft Excel is not supported. -Exception from HRESULT: 0XC020801C in DIXF after you disabled TLS1.0. Follow the steps below to resolve this. 

Resolving Error The version of Microsoft Excel is not supported in DIXF:

Go to the server running DIXF service. Usually Microsoft Dynamics AX Data Import/Export Framework Service runs on the same server as your SQL server. 

1. Install the latest AccessDatabaseEngine for your Office version. You can find this by a simple Bing search, type AccessDatabaseEngine_ and a list of version will appear. 
2. Go to C:\Program Files\Microsoft Dynamics AX\60\DataImportExportFramework\DMFConfig.xml
3. Right click DMFCONFIG.xml and Click Edit
4. search for <ConnectionStringFormat> and delete the line Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog={0};Data Source={1}; and insert in its place Provider=SQLNCLI11.1;Integrated Security=SSPI;Initial Catalog={0};Data Source={1};
5. Restart your Microsoft Dynamics AX Data Import/Export Framework Service.

Now the issue has been resolved. 

Resolving issue with your AOS not starting:

Make sure all prerequisites listed below are installed and this will resolve the issue with your AOS service not starting in result to disabling TLS1.0.

This will not work for AX 2009 or older. As I mentioned above disabling TLS1.0 is not supported in AX 2009 or older version. 

Prerequisites Before you Disable TLS 1.0:

Microsoft ODBC Driver 11 for SQL Server

Microsoft SQL Server 2012 Native Client 11.3.6540.0 at minimum

Most current .NET Windows patches on all AX and related servers

On pre Windows Server 2012 servers, Registry keys will need to be added to disable TLS 1.0 and

enable TLS 1.2

Registry Keys Needed for Pre Server 2012:

See detailed instructions at https://blogs.msdn.microsoft.com/friis/2016/07/25/disabling-tls-1-0-on-your-windows-2008-r2-server-just-because-you-still-have-one/

 TLS 1.2 support for Microsoft SQL Server:

Use the link below to get a full list of supported build versions and download links to be able to enable TLS 1.2 support.

https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server

As always make sure you test this thoroughly in your Test AX environment prior to applying it to Production AX. You might have other ISV applications or customizations that need further attention and patches to make them work.