Solved: SSL/TLS Handshake Failed in Windows Server 2025 IIS
Quick Fix Summary
TL;DR: Restart IIS, verify certificate binding, and enable TLS 1.2 in the registry.
The SSL/TLS handshake fails when the client and server cannot agree on a secure communication protocol or certificate. This is often due to misconfigured cipher suites, expired certificates, or disabled protocols in Windows Server 2025.
Diagnosis & Causes
Recovery Steps
Step 1: Immediate Service & IIS Reset
First, restart core services to clear any transient state and reload configurations.
iisreset /stop
net stop cryptsvc
net start cryptsvc
iisreset /start
Step 2: Verify Certificate Binding in IIS
Ensure the correct certificate is bound to the site's HTTPS port (443) and the binding is not corrupted.
Get-ChildItem -Path IIS:\SslBindings
Step 3: Enable TLS 1.2 via Registry (Critical for 2025)
Windows Server 2025 may have stricter defaults. Explicitly enable TLS 1.2 client and server protocols.
# Create the Server and Client protocol keys (they may not exist) and set both values explicitly.
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -Value 1 -PropertyType 'DWord' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -Value 1 -PropertyType 'DWord' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord' -Force
# Schannel reads these values at boot; reboot the server for the protocol change to take effect.
Step 4: Reorder Cipher Suites for Strong Negotiation
Prioritize strong, modern cipher suites to ensure a successful handshake with compliant clients.
# This list REPLACES the default cipher suite order: any suite not listed (including the TLS 1.3 suites
# and the ECDSA suites, so a site with an ECDSA certificate would have no match) is no longer offered.
$cipherOrder = @('TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384','TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256','TLS_DHE_RSA_WITH_AES_256_GCM_SHA384','TLS_DHE_RSA_WITH_AES_128_GCM_SHA256')
$cipherSuites = [string]::Join(',', $cipherOrder)
# The policy key does not exist until a cipher suite policy has been set; create it or New-ItemProperty fails.
New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -Name 'Functions' -Value $cipherSuites -PropertyType 'String' -Force
Step 5: Analyze Schannel Logs for Root Cause
Check the Windows System event log for Schannel events and their specific error codes (Event IDs such as 36887, a fatal alert received from the peer, or 36874, a connection request that offered no protocol or cipher the server supports).
Get-WinEvent -LogName 'System' -FilterXPath "*[System[Provider[@Name='Schannel']]]" -MaxEvents 20 | Format-List TimeCreated, Id, Message
Architect's Pro Tip
"For Azure-hosted VMs, the platform-managed 'Azure TLS/SSL policy' can override local Schannel settings. Always check it in the VM's Networking blade."
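Before changing the registry in Steps 3 and 4, capture the current state. The following read-only check is added here as an example (it is not part of the original article) and combines Steps 2, 3 and 5: it reports the Schannel protocol keys for TLS 1.0 through 1.3, resolves each IIS SSL binding's thumbprint against the LocalMachine\My store to flag a missing, expired or key-less certificate, and pulls recent Schannel errors. The function names are my own; it assumes an elevated session on the IIS host with the WebAdministration module available.

```powershell
# Added pre-flight check (not from the original article). Read-only: it changes nothing.
Import-Module WebAdministration -ErrorAction Stop

$protoBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # One row per protocol and role. A missing key means the OS default applies.
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
        foreach ($role in 'Server', 'Client') {
            $key   = Join-Path $protoBase "$proto\$role"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                Enabled           = if ($null -ne $props.Enabled) { $props.Enabled } else { 'default' }
                DisabledByDefault = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { 'default' }
            }
        }
    }
}

function Get-IisHttpsBindingHealth {
    # Resolve each SSL binding to its certificate in LocalMachine\My and flag the usual failure causes.
    foreach ($b in Get-ChildItem -Path IIS:\SslBindings) {
        $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $b.Thumbprint
        [pscustomobject]@{
            Binding       = "$($b.IPAddress):$($b.Port) $($b.Host)"
            Thumbprint    = $b.Thumbprint
            CertFound     = [bool]$cert            # false: binding points at a cert that is not in the store
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            Expired       = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
            HasPrivateKey = if ($cert) { $cert.HasPrivateKey } else { $null }   # false: handshake cannot complete
        }
    }
}

function Get-RecentSchannelErrors {
    param([int]$Count = 20)
    # Schannel logs to the System log; Level 1/2 restricts the output to Critical and Error events.
    Get-WinEvent -LogName 'System' -MaxEvents $Count -ErrorAction SilentlyContinue `
        -FilterXPath "*[System[Provider[@Name='Schannel'] and (Level=1 or Level=2)]]" |
        Select-Object TimeCreated, Id, Message
}

Get-SchannelProtocolState | Format-Table -AutoSize
Get-IisHttpsBindingHealth | Format-List
Get-RecentSchannelErrors  | Format-List
```

A binding row with CertFound false, Expired true, or HasPrivateKey false points at Step 2 rather than the protocol registry; an empty Schannel error list with a failing client usually means the mismatch is on the client side, which is what the nmap check in the FAQ below confirms.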
Frequently Asked Questions
I enabled TLS 1.2 but still get the error. What's next?
Run 'nmap --script ssl-enum-ciphers -p 443 your-server.com' from a Linux box. It reveals the exact protocols and ciphers your server offers, often uncovering mismatches not shown in Windows logs.
Does Windows Server 2025 disable TLS 1.0 by default?
Yes. Windows Server 2025 has TLS 1.0 and 1.1 disabled by default in the SCHANNEL component. You must explicitly enable TLS 1.2/1.3, as shown in Step 3.