Print this page

Enabling TLS 1.1 and TLS 1.2 in Internet Explorer

Knowledge Article Number 000221755
Description

If you are using Internet Explorer to access Salesforce, this guide can help you achieve compatibility with TLS 1.1 and TLS 1.2. Salesforce recommends using Microsoft Internet Explorer 11 to achieve compatibility. If that is not possible for your organization, or if both TLS 1.1 and TLS 1.2 are disabled in your configuration, follow the instructions in this article to achieve compatibility. Use the table of contents below to locate the correct set of instructions for your operating system and browser version.

 

Resolution

Review the Salesforce browser support article to help with your decision-making as some Salesforce features are only available in specific web browser versions. Please note that in 2016, Microsoft will only provide technical support and security updates for the most current version of Internet Explorer. Use of a web browser version that is unsupported by the web browser vendor is not advised.

To quickly test for TLS 1.1 and TLS 1.2 compatibility, open https://tls1test.salesforce.com within Internet Explorer. If you see a web page that resembles the following image and contains the text: "TLS 1.0 Deactivation Test Passed," then your Internet Explorer web browser is already compatible with Salesforce's scheduled TLS 1.0 deactivation in early 2016.

IE11-Win8.1.png

Please locate your operating system below and select your current version of Internet Explorer. To quickly determine which operating system and web browser version you are using, visit http://windows.microsoft.com/en-us/internet-explorer/which-version-am-i-using.

Windows 10, Server 2016, and newer

Internet Explorer 11

Edge

Windows 8.1 and Server 2012 R2

Internet Explorer 11

Windows 8 and Server 2012

Internet Explorer 10

    Enable TLS 1.1 and TLS 1.2 in the Internet Options of Internet Explorer 10

    Enable TLS 1.1 and TLS 1.2 using Active Directory group policies

Windows 7 and Server 2008 R2

Internet Explorer 11

Internet Explorer 10

    Enable TLS 1.1 and TLS 1.2 in the Internet Options of Internet Explorer 10

    Enable TLS 1.1 and TLS 1.2 using Active Directory group policies

Internet Explorer 9

    Enable TLS 1.1 and TLS 1.2 in the Internet Options of Internet Explorer 9

    Enable TLS 1.1 and TLS 1.2 using Active Directory group policies

Internet Explorer 8

Windows XP, Vista, Server 2008, Server 2003, and earlier

Internet Explorer 9 Error Message

Internet Explorer 8 Error Message

Internet Explorer 7 Error Message

Internet Explorer 6 Error Message

Windows 10, Server 2016, and newer

These operating systems are already fully compatible with TLS 1.1 and TLS 1.2. No further configuration is necessary if the default configuration, which enables TLS 1.1 and TLS 1.2, is used. Although Internet Explorer 11 is installed by default, Edge is set as the initial default web browser. Both web browsers enable TLS 1.1 and TLS 1.2 by default.

Internet Explorer 11

Accessing Salesforce with Internet Explorer 11 in Windows 10 is successful in its default configuration:

IE11-Win10.png

 

If Salesforce or the https://tls1test.salesforce.com test page does not load successfully in Internet Explorer 11, try to enable "Use TLS 1.1" and "Use TLS 1.2" in the Advanced tab of the Internet Options window, which is accessible via the Tools menu's "Internet options" menu item. The Tools menu can be displayed by clicking on the gear icon near the top-right of an Internet Explorer 11 window. Alternatively, the "Reset..." button in the Advanced tab of the Internet Options window can be used to re-enable TLS 1.1 and TLS 1.2 in Internet Explorer 11.

Edge

Accessing Salesforce with Edge in Windows 10 is successful in its default configuration:

Edge-Win10.png

 

Windows 8.1 and Server 2012 R2

These operating systems are already fully compatible with TLS 1.1 and TLS 1.2. No further configuration is necessary if the default configuration, which enables TLS 1.1 and TLS 1.2, is used.

Internet Explorer 11

Accessing Salesforce with Internet Explorer 11 in Windows 8.1 and Server 2012 R2 is successful in its default configuration:

IE11-Win8.1.png

 

If Salesforce or the https://tls1test.salesforce.com test page does not load successfully in Internet Explorer 11, try to enable "Use TLS 1.1" and "Use TLS 1.2" in the Advanced tab of the Internet Options window, which is accessible via the Tools menu's "Internet options" menu item. The Tools menu can be displayed by clicking on the gear icon near the top-right of an Internet Explorer 11 window. Alternatively, the "Reset..." button in the Advanced tab of the Internet Options window can be used to re-enable TLS 1.1 and TLS 1.2 in Internet Explorer 11


Windows 8 and Server 2012

These operating systems run only Internet Explorer 10. To achieve compatibility with TLS 1.1 and TLS 1.2, proceed with one of the following options. Review Salesforce's browser support article to help with your decision-making, as some features are only available in specific web browser versions:

  • If running Windows 8, upgrade to Windows 8.1. If running Windows Server 2012, upgrade to Windows Server 2012 R2. (preferred)

  • Enable TLS 1.1 and TLS 1.2 for Internet Explorer 10

  • Use the newest version of Google Chrome or Mozilla Firefox to access Salesforce

Internet Explorer 10

To enable TLS 1.1 and TLS 1.2 for Internet Explorer, follow either of the sections below, depending on whether this is for one computer in the Internet Options, or for many computers using Active Directory.

Enable TLS 1.1 and TLS 1.2 in the Internet Options of Internet Explorer 10

This option works well with one or a small number of computers, particularly if the TLS 1.1 and TLS 1.2 options are not being configured using Active Directory group policies.

 

In the Tools menu, which is displayed by clicking on the gear icon near the top-right corner of an Internet Explorer 10 window, select the "Internet options" menu item, as depicted below:

IE10-Win8-Tools-Menu.png

 

In the Internet Options window that appears, click on the Advanced tab at the top of the window. Scroll down to the end of the list and click in the square check boxes next to "Use TLS 1.1" and "Use TLS 1.2" if they don't already have a check mark in them. For additional security, click in the square check box next to "Use SSL 3.0" if it has a check mark in it to remove the check mark. When complete, the screen should resemble the following, where "Use TLS 1.0", "Use TLS 1.1", and "Use TLS 1.2" all have check marks in the check boxes next to them while "Use SSL 2.0" and "Use SSL 3.0" do not have check marks in the check boxes next to them. Press the OK button to save this change.

IE10-Win8-EnableTLS1112.png

 

After enabling TLS 1.1 and TLS 1.2, accessing Salesforce is expected to be successful with Internet Explorer 10 in Windows 8 and Windows Server 2012:

IE10-Win8-Success.png

Enable TLS 1.1 and TLS 1.2 using Active Directory group policies

This option works well when a moderate to large number of computers require adjustments. The prerequisite to this option is an existing deployment of Active Directory that manages the target computers.

 

Follow the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of the instructions from Microsoft to enable TLS 1.1 and TLS 1.2 using Active Directory.

Windows 7 and Server 2008 R2

These operating systems support Internet Explorer versions 8 through 11. For the best experience, use Internet Explorer 11 or newer. Follow the instructions below for the version of Internet Explorer that you have installed.

Internet Explorer 11

This version is already fully compatible with TLS 1.1 and TLS 1.2. No further configuration is necessary if the default configuration, which enables TLS 1.1 and TLS 1.2, is used.

 

Accessing Salesforce with Internet Explorer 11 in Windows 7 and Windows Server 2008 R2 is successful in its default configuration:

IE11.png

 

If Salesforce or the https://tls1test.salesforce.com test page does not load successfully in Internet Explorer 11, try to enable "Use TLS 1.1" and "Use TLS 1.2" in the Advanced tab of the Internet Options window, which is accessible via the Tools menu's "Internet options" menu item. The Tools menu can be displayed by clicking on the gear icon near the top-right of an Internet Explorer 11 window. Alternatively, the "Reset..." button in the Advanced tab of the Internet Options window can be used to re-enable TLS 1.1 and TLS 1.2 in Internet Explorer 11.

Internet Explorer 10

This version does not enable TLS 1.1 and TLS 1.2 by default. To achieve compatibility with TLS 1.1 and TLS 1.2, proceed with one of the following options. Review Salesforce's browser support article to help with your decision-making as some features are available only in specific web browser versions:

  • Upgrade to Internet Explorer 11 (preferred)

  • Enable TLS 1.1 and TLS 1.2 for Internet Explorer 10

  • Use the newest version of Google Chrome or Mozilla Firefox to access Salesforce

 

To enable TLS 1.1 and TLS 1.2 for Internet Explorer, follow either of the sections below, depending on whether this is for one or for many computers.

Enable TLS 1.1 and TLS 1.2 in the Internet Options of Internet Explorer 10

This option works well with one or a small number of computers, particularly if the TLS 1.1 and TLS 1.2 options are not being configured using Active Directory group policies.

 

In the Tools menu, which is displayed by clicking on the gear icon near the top-right corner of an Internet Explorer 10 window, select the "Internet options" menu item, as depicted below:

IE10-Win7-Tools-Menu.png

 

In the Internet Options window that appears, click on the Advanced tab at the top of the window. Scroll down to the end of the list and click in the square check boxes next to "Use TLS 1.1" and "Use TLS 1.2" if they don't already have a check mark in them. For additional security, click in the square check box next to "Use SSL 3.0" if it has a check mark in it to remove the check mark. When complete, the screen should resemble the following, where "Use TLS 1.0", "Use TLS 1.1", and "Use TLS 1.2" all have check marks in the check boxes next to them while "Use SSL 2.0" and "Use SSL 3.0" do not have check marks in the check boxes next to them. Press the OK button to save this change.

IE10-Win7-EnableTLS1112.png

 

After enabling TLS 1.1 and TLS 1.2, accessing Salesforce is expected to be successful with Internet Explorer 10 in Windows 7 and Windows Server 2008 R2:

IE10-Win7-Success.png

Enable TLS 1.1 and TLS 1.2 using Active Directory group policies

This option works well when a moderate to large number of computers require adjustments. The prerequisite to this option is an existing deployment of Active Directory that manages the target computers.

 

Follow the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of the instructions from Microsoft to enable TLS 1.1 and TLS 1.2 using Active Directory.


Internet Explorer 9

This version does not enable TLS 1.1 and TLS 1.2 by default. To achieve compatibility with TLS 1.1 and TLS 1.2, proceed with one of the following options. Review Salesforce's browser support article to help with your decision-making, as some features are available only in specific web browser versions:

  • Upgrade to Internet Explorer 11 (preferred)

  • Enable TLS 1.1 and TLS 1.2 for Internet Explorer 9

  • Use the newest version of Google Chrome or Mozilla Firefox to access Salesforce

 

To enable TLS 1.1 and TLS 1.2 for Internet Explorer, follow either of the sections below, depending on whether this is for one or for many computers.

Enable TLS 1.1 and TLS 1.2 in the Internet Options of Internet Explorer 9

This option works well with one or a small number of computers, particularly if the TLS 1.1 and TLS 1.2 options are not being configured using Active Directory group policies.

 

In the Tools menu, which is displayed by clicking on the gear icon near the top-right corner of an Internet Explorer 9 window, select the "Internet options" menu item, as depicted below:

IE9-Win7-Tools-Menu.png

 

In the Internet Options window that appears, click on the Advanced tab at the top of the window. Scroll down to the end of the list and click in the square check boxes next to "Use TLS 1.1" and "Use TLS 1.2" if they don't already have a check mark in them. For additional security, click in the square check box next to "Use SSL 3.0" if it has a check mark in it to remove the check mark. When complete, the screen should resemble the following, where "Use TLS 1.0", "Use TLS 1.1", and "Use TLS 1.2" all have check marks in the check boxes next to them while "Use SSL 2.0" and "Use SSL 3.0" do not have check marks in the check boxes next to them. Press the OK button to save this change.

IE9-Win7-EnableTLS1112.png

 

After enabling TLS 1.1 and TLS 1.2, accessing Salesforce is expected to be successful with Internet Explorer 9 in Windows 7 and Windows Server 2008 R2:

IE9-Win7-Success.png

Enable TLS 1.1 and TLS 1.2 using Active Directory group policies

This option works well when a moderate to large number of computers require adjustments. The prerequisite to this option is an existing deployment of Active Directory that manages the target computers.

 

Follow the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of the instructions from Microsoft to enable TLS 1.1 and TLS 1.2 using Active Directory.


Internet Explorer 8

This version does not enable TLS 1.1 and TLS 1.2 by default. To achieve compatibility with TLS 1.1 and TLS 1.2, proceed with one of the following options. Review Salesforce's browser support article to help with your decision-making, as some features are available only in specific web browser versions:

  • Upgrade to Internet Explorer 11 (preferred)

  • Upgrade to Internet Explorer 9 or 10

  • Enable TLS 1.1 and TLS 1.2 for Internet Explorer 8

  • Use the newest version of Google Chrome or Mozilla Firefox to access Salesforce

 

To enable TLS 1.1 and TLS 1.2 for Internet Explorer, follow either of the sections below, depending on whether this is for one, or for many computers.

 

Salesforce had previously communicated that Internet Explorer 8 in Windows 7 did not work properly with Salesforce when TLS 1.0 was disabled. Since then, adjustments were made at Salesforce to make https connections from Internet Explorer 8 in Windows 7 work properly. Please note that while https connections with Internet Explorer 8 in Windows 7 work properly, Salesforce no longer offers official support for Internet Explorer 8.

Enable TLS 1.1 and TLS 1.2 in the Internet Options of Internet Explorer 8

This option works well with one or a small number of computers, particularly if the TLS 1.1 and TLS 1.2 options are not being configured using Active Directory group policies.

 

In the Tools menu, which is displayed by clicking on the Tools button near the top-right corner of an Internet Explorer 8 window, select the "Internet Options" menu item, as depicted below:

In the Internet Options window that appears, click on the Advanced tab at the top of the window. Scroll down to the end of the list and click the check boxes next to "Use TLS 1.1" and "Use TLS 1.2" if they are not already checked. For additional security, click the check box next to "Use SSL 3.0" if it has a check mark in it to remove the check mark. When complete, the screen should resemble the following, where "Use TLS 1.0", "Use TLS 1.1", and "Use TLS 1.2" all have check marks in the check boxes next to them while "Use SSL 2.0" and "Use SSL 3.0" do not have check marks in the check boxes next to them. Press the OK button to save this change.

 

After enabling TLS 1.1 and TLS 1.2, accessing Salesforce is expected to be successful with Internet Explorer 8 in Windows 7 and Windows Server 2008 R2:

Enable TLS 1.1 and TLS 1.2 using Active Directory group policies

This option works well when a moderate to large number of computers require adjustments. The prerequisite to this option is an existing deployment of Active Directory that manages the target computers.


Follow the "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy" section of the instructions from Microsoft to enable TLS 1.1 and TLS 1.2 using Active Directory.

Windows XP, Vista, Server 2008, Server 2003, and earlier

These operating systems are not compatible with TLS 1.1 and TLS 1.2. To continue to use Salesforce in these operating systems, proceed with one of the following options:

  • Upgrade to Windows 7 or newer and use Internet Explorer 11 or newer (preferred)

  • Upgrade to Windows 7 or newer and use Internet Explorer 9 or 10

    • Configuration adjustments are required to enable TLS 1.1 and TLS 1.2. Refer to the instructions in this document to enable TLS 1.1 and TLS 1.2 with Internet Explorer 9 or 10 in Windows 7, 8, Server 2008 R2, or Server 2012.

  • Use the newest version of Google Chrome or Mozilla Firefox to access Salesforce

    • This won't be sufficient to keep API clients functional, such as Salesforce for Outlook or .NET based Salesforce integrations. API clients that use Microsoft Secure Channel (Schannel) will not be able to use TLS 1.1 or TLS 1.2 in these operating systems.

    • On April 2016, Google Chrome will require Windows 7 or newer.

Mozilla Firefox requires Windows XP Service Pack 2 or newer.

Internet Explorer 9

Accessing Salesforce with Internet Explorer 9 in Windows Vista will display the following generic error message:

IE9-Vista.png

 

Internet Explorer 8

Accessing Salesforce with Internet Explorer 8 in Windows XP will display the following generic error message:

IE8.png

Internet Explorer 7

Accessing Salesforce with Internet Explorer 7 in Windows XP will display the following generic error message:

IE7.png

Internet Explorer 6

Accessing Salesforce with Internet Explorer 6 in Windows XP will display the following generic error message:

IE6.png

 

 
 




promote demote