Error appears when accessing Management, Runtime or Designer on Chrome via https
kbt177062
Issue
When trying to access Management, Runtime or Designer on Chrome via https, a "This site can't be reached" page is shown, with the following error: ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY
Symptoms
- This is only affecting the https URL.
- If you configure Designer or Runtime to use Windows Authentication instead of Forms Authentication in IIS Manager, opening Runtime/Management/Designer with the http URL will allow the user to access those pages.
- On Firefox, you may get the following error instead: NS_ERROR_NET_INADEQUATE_SECURITY
- On older versions of Microsoft Edge browser, the pages will load properly.
Troubleshooting Steps
This is not a K2 issue, but rather a security feature on newer versions of browsers.
On Windows Server 2016, HTTP/2 is automatically turned on in IIS. With web applications and browsers that support HTTP/2, IIS will start serving those applications via HTTP/2. HTTP/1.1 is used as a fallback when the applications or browsers do not support HTTP/2. You can check which protocol is being used by recording a network trace with your browser's developer tools on the page you are trying to open.
The image below is an example of a network trace recorded on Chrome. The Protocol column shows which protocol is being used. h2 represents HTTP/2, while http/1.1 represents HTTP/1.1.
HTTP/2 has stricter requirements than HTTP/1.1. If your server has weaker SSL cipher suites enabled that HTTP/2 does not support, your browser will return an error message indicating inadequate transport security.
To resolve this, you have two options:
Disable Weak Cipher Suites
Download IIS Crypto GUI, then run it with administrator privileges on your server. Once the tool is launched, select "Cipher Suites", click on "Best Practices", then "Apply". Restart your machine after that, then check if you are still getting the same error.
Please note that IIS Crypto is a third-party tool from another vendor and has no relation to K2. If you need assistance with this tool, please contact that vendor directly.
Disable HTTP/2 in IIS on Windows Server 2016
Disabling HTTP/2 will force IIS to serve the web applications over HTTP/1.1. This is NOT the recommended option, as HTTP/2 is the more secure option compared to HTTP/1.1.
To disable HTTP/2, you need to add the following DWORD registry keys and set the values as shown below:
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Key: EnableHttp2Tls
Value: 0
Key: EnableHttp2Cleartext
Value: 0
If you wish to re-enable HTTP/2 at a later time, either delete the two registry keys or set their values to 1. Restart your server after making the changes so that they take effect.
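To see which of the two options applies before changing anything, the following read-only PowerShell audit lists the enabled cipher suites that HTTP/2 rejects and reports the state of the two registry values. It is an added example, not code from K2 or from the IIS Crypto vendor. The helper name Test-Http2CipherSuite is hypothetical, and its rule (ephemeral key exchange plus an AEAD cipher) is a simplified reading of the cipher suite blacklist in RFC 7540 Appendix A.

```powershell
# Added example: read-only audit, intended to be run on the IIS server.

function Test-Http2CipherSuite {
    # Simplified reading of the RFC 7540 Appendix A blacklist: HTTP/2 expects an
    # ephemeral key exchange (ECDHE/DHE) together with an AEAD cipher.
    param([Parameter(Mandatory)][string]$Name)
    $ephemeral = $Name -match '^TLS_(ECDHE|DHE)_'
    $aead      = $Name -match '_(GCM|CCM|CHACHA20_POLY1305)(_|$)'
    $tls13     = $Name -match '^TLS_(AES|CHACHA20)_'   # TLS 1.3 names: always AEAD
    return ($tls13 -or ($ephemeral -and $aead))
}

# Enabled suites in Schannel preference order; falls back to a constructed
# sample list when the TLS module is not available (e.g. off-server testing).
if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    $names = (Get-TlsCipherSuite).Name
} else {
    $names = @(                                  # constructed sample input
        'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
        'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
        'TLS_RSA_WITH_AES_128_GCM_SHA256',
        'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
    )
}

$rank = 0
$report = foreach ($n in $names) {
    $rank++
    [pscustomobject]@{ Rank = $rank; Name = $n; Http2Ok = (Test-Http2CipherSuite -Name $n) }
}

# Suites that HTTP/2 rejects; a lower Rank means higher server preference.
$report | Where-Object { -not $_.Http2Ok } | Format-Table Rank, Name -AutoSize

# State of the two registry values described in this article.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
if (Test-Path $key) {
    foreach ($valueName in 'EnableHttp2Tls', 'EnableHttp2Cleartext') {
        $v = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
        $state = if ($null -eq $v) { 'not set' } elseif ($v -eq 0) { 'HTTP/2 disabled' } else { 'HTTP/2 enabled' }
        '{0}: {1}' -f $valueName, $state
    }
}
```

With the constructed sample list, the table shows the last three suites (ranks 2 to 4) as rejected by HTTP/2; on a real server, an empty table after applying the cipher suite changes and restarting means no enabled suite fails the check.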