SSPI handshake failed with error code 0x80090346, state 46

Abhishek Kulkarni 0

Logon SSPI handshake failed with error code 0x80090346, state 46 while establishing a connection with integrated security; the connection has been closed. Reason: The Channel Bindings from this client are missing or do not match the established Transport Layer Security (TLS) Channel. The service might be under attack, or the data provider or client operating system might need to be upgraded to support Extended Protection. Closing the connection. Client's supplied SSPI channel bindings were incorrect.

Erland Sommarskog 112.7K Reputation points MVP

2024-08-24T19:17:22.6133333+00:00

Sounds like you are connecting from a client that only supports TLS 1.0 to a modern server. Or vice versa.

If you give more context of what you are doing, including from what you are connecting and where you are connecting to. Very important, we need to know the versions.
Abhishek Kulkarni 0 Reputation points

2024-08-25T13:06:12.4166667+00:00

Here I am trying to check the connection of SCCM report data source with the reporting service point account. It was working before and now it has stopped working.
It is giving error as after hitting the test connection button.
Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.

After looking at the sql error logs I am getting a little more on this-
SSPI handshake failed with error code 0x80090346, state 46 while establishing a connection with integrated security; the connection has been closed. Reason: The Channel Bindings from this client are missing or do not match the established Transport Layer Security (TLS) Channel. The service might be under attack, or the data provider or client operating system might need to be upgraded to support Extended Protection. Closing the connection. Client's supplied SSPI channel bindings were incorrect.

When I try to check the TLS registry, I am only seeing SSL2.0 and not TLS folders.
Abhishek Kulkarni 0 Reputation points

2024-08-26T08:47:25.7533333+00:00

Hello Lucy,

I checked the registry "HKLM\System\CurrentControlSet\Control\LSA\SuppressExtendedProtection" but it does not exist on the client server

but the extended protection is enabled & required mode is selected on the SQL configuration manager. Force encryption is enabled. Also in the same GUI, the SPN is not mentioned. it is blank. Also, in the connection string encrypt=true is applied.

I am not able to see the <extendedProtection> section in the app config file.

1 answer

LucyChenMSFT-4874 5,060 Reputation points

2024-08-26T05:36:53.5333333+00:00
Hi @Abhishek Kulkarni ,

Thank you for your reaching out and welcome to Microsoft Q&A!

Please confirm if Client has enabled Extended Protection support and check:

if extended protection is enabled by setting the value of the registry key HKLM\System\CurrentControlSet\Control\LSA\SuppressExtendedProtection to 0 on Client OS.

if SPN as provided in serverSPN connection property is registered in <extendedProtection> section of ApplicationHost.config file on server.

What encryption method do you use? Could you please tell us if Force Encryption is set to true and are you passing encrypt=true in connection string?

Your time and cooperation are much valued by us. We are looking forward to hearing from you to assist further.

Best regards,

Lucy Chen

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our Documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

https://docs.microsoft.com/en-us/answers/support/email-notifications
Please sign in to rate this answer.
Abhishek Kulkarni 0 Reputation points

2024-08-26T06:56:51.2133333+00:00

Hello Lucy,

I checked the registry "HKLM\System\CurrentControlSet\Control\LSA\SuppressExtendedProtection" but it does not exist on the client server

but the extended protection is enabled & required mode is selected on the SQL configuration manager. Force encryption is enabled.
Also in the same GUI, the SPN is not mentioned. it is blank.
Also, in the connection string encrypt=true is applied.

I am not able to see the <extendedProtection> section in the app config file.

LucyChenMSFT-4874 5,060 Reputation points

2024-08-27T05:38:05.97+00:00

Hi @Abhishek Kulkarni ,

Thank you for your kindly feedback!

What authentication do you use? NTLM or Kerberos?

Please refer to this thread, it is worth to speed time to read their discussion.

LucyChenMSFT-4874 5,060 Reputation points

2024-08-30T02:04:21.9633333+00:00

Hi @Abhishek Kulkarni ,

We have not received a response from you. Did the reply could help you? If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress.

By doing so, it will benefit all community members who are having this similar issue. Your contribution is highly appreciated.

Best regards,

Lucy Chen

LucyChenMSFT-4874 5,060 Reputation points

2024-09-02T02:07:46.5433333+00:00

Hi @Abhishek Kulkarni ,

We have not received a response from you. Did the reply could help you? If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress.

By doing so, it will benefit all community members who are having this similar issue. Your contribution is highly appreciated.

Best regards,

Lucy Chen
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

SSPI handshake failed with error code 0x80090346, state 46

1 answer

Your answer