TLS 1.2 Support for SQL Server 2008, 2008 R2, 2012 and 2014

Microsoft is pleased to announce the release of Transport Layer Security (TLS) 1.2 support in all major client drivers and SQL Server releases. The updates made available on January 29th, 2016 provide TLS 1.2 support for SQL Server 2008, SQL Server 2008 R2, SQL Server 2012 and SQL Server 2014. The client drivers that support TLS 1.2 are SQL Server Native Client, Microsoft ODBC Driver for SQL Server, Microsoft JDBC Driver for SQL Server and ADO.NET (SqlClient).

The list of SQL Server server and client component updates that support TLS 1.2, along with their download locations, is available in the KB article below:

KB3135244: TLS 1.2 support for Microsoft SQL Server

You can use KB3135244 to download the appropriate server and client components for your environment. The first build number that provides complete TLS 1.2 support in each major release is listed in KB3135244 as well. The following lists show the client drivers/components and the server components that have TLS 1.2 support. You will also need to apply the necessary client component fixes (e.g. MS ODBC Driver, SQL Server Native Client) on the server that hosts the SQL Server instance, so that the client components installed on the server support TLS 1.2 too.

Client components:
  • SqlClient (.NET Framework 4.6)
  • SqlClient (.NET Framework 4.5.2, 4.5.1, 4.5)
  • SqlClient (.NET Framework 4.0)
  • SqlClient (.NET Framework 3.5, a.k.a. .NET Framework 2.0 SP2)
  • MS ODBC Driver v11 (Windows)
  • SQL Server Native Client (for SQL Server 2012 & 2014)
  • SQL Server Native Client (for SQL Server 2008 R2)
  • SQL Server Native Client (for SQL Server 2008)
  • SQL Server Native Client (for SQL Server 2005)
  • JDBC 6.0
  • JDBC 4.2
  • JDBC 4.1

Server components:
  • SQL Server 2014
  • SQL Server 2012
  • SQL Server 2008 R2
  • SQL Server 2008

You can use the PowerShell script from our tigertoolbox GitHub repository to determine which client drivers on your server and client machines require fixes.

Update: March 2, 2016: Please see known issue 6 for the intermittent service terminations that were reported after installing the update.

Update May 27, 2016: Additional fixes needed for SQL Server to use TLS 1.2 with Database Mail are available in KB3135244.

Update January 31, 2017: If you want to check which TLS/SSL protocol a client connection is using, you can use the TRACE extended event (in the DEBUG channel) to determine the TLS/SSL protocol, cipher, hash and peer address of the connection being made. This capability is available in SQL Server 2016 Service Pack 1 and above. See KB3191296 for more details.

Known Issues

Issue 1

SQL Server Management Studio (SSMS), Report Server, and Report Manager don't connect to the database engine after you apply the fix for SQL Server 2008, 2008 R2, 2012, or 2014. Report Server and Report Manager fail and return the following error message:

The report server cannot open a connection to the report server database. A connection to the database is required for all requests and processing. (rsReportServerDatabaseUnavailable)

This issue occurs because SSMS, Report Manager, and Reporting Services Configuration Manager use ADO.NET, and ADO.NET support for TLS 1.2 is available only in the .NET Framework 4.6. For earlier versions of the .NET Framework, you have to apply a Windows update so that ADO.NET can support TLS 1.2 communications for the client. The Windows updates that enable TLS 1.2 support in earlier versions of .NET framework are listed in the table in the "How to know whether you need this update" section of KB3135244.

Issue 2: Reporting Services fails to start

Reporting Services Configuration Manager reports the following error message even after client providers have been updated to a version that supports TLS 1.2:

Could not connect to server: A connection was successfully established to the server, but then an error occurred during the pre-login handshake.

Error message

To resolve this problem, manually create the following registry key on the system that hosts the Reporting Services Configuration Manager:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
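As an added example (not code from the original post or from KB3135244), the following PowerShell audits the SCHANNEL protocol keys on a server and can create the TLS 1.2 Client and Server values with the settings the author confirms in the comments below; it also reads the .NET SchUseStrongCrypto values a commenter used for SSIS. Function names are hypothetical, and the script assumes Windows PowerShell 2.0 or later.

```powershell
# Added example, not code from the original post or from KB3135244.
# Audits the SCHANNEL protocol keys that SQL Server and its client drivers
# rely on and, on request, creates the TLS 1.2 Client/Server values that the
# post's author gives in the comments (DisabledByDefault=0, Enabled=1).
# Function names are hypothetical. Read-only unless Enable-Tls12 is called
# (that one needs an elevated prompt). Written for Windows PowerShell 2.0+.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')

function Get-SchannelProtocolState {
    # One object per protocol/side. A missing key or value reports $null,
    # meaning the OS default applies rather than an explicit setting.
    foreach ($proto in $Protocols) {
        foreach ($side in @('Client', 'Server')) {
            $path = Join-Path (Join-Path $SchannelRoot $proto) $side
            $enabled = $null
            $disabledByDefault = $null
            $exists = Test-Path -Path $path
            if ($exists) {
                $item = Get-ItemProperty -Path $path
                if ($item.PSObject.Properties['Enabled'])           { $enabled = [int]$item.Enabled }
                if ($item.PSObject.Properties['DisabledByDefault']) { $disabledByDefault = [int]$item.DisabledByDefault }
            }
            New-Object PSObject -Property @{
                Protocol          = $proto
                Side              = $side
                KeyExists         = $exists
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
            }
        }
    }
}

function Test-Tls12Ready {
    # $true only when TLS 1.2 is explicitly enabled for both Client and Server,
    # which is the state the post's registry guidance aims for before the
    # older protocols are switched off.
    $ready = $true
    foreach ($s in (Get-SchannelProtocolState | Where-Object { $_.Protocol -eq 'TLS 1.2' })) {
        # Enabled may be 1 or 0xffffffff (a DWORD that reads back as -1); both are "on".
        if (-not $s.KeyExists -or $s.Enabled -eq $null -or $s.Enabled -eq 0 -or $s.DisabledByDefault -ne 0) {
            $ready = $false
        }
    }
    return $ready
}

function Enable-Tls12 {
    # Writes the values from the author's correction in the comments. Note
    # Enabled=1 (dword:00000001), not the 0xffffffff form from KB245030 that
    # applies to older Windows releases. Run elevated.
    foreach ($side in @('Client', 'Server')) {
        $path = Join-Path (Join-Path $SchannelRoot 'TLS 1.2') $side
        if (-not (Test-Path -Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name 'DisabledByDefault' -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $path -Name 'Enabled'           -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Get-DotNetStrongCryptoState {
    # The SchUseStrongCrypto values a commenter set so that .NET 4.0-4.5 code
    # (the SSIS HTTP connection manager in their case) negotiates TLS 1.1/1.2.
    # Read-only: reports the value under both the 64-bit and Wow6432Node keys.
    foreach ($key in @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                       'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319')) {
        $value = $null
        if (Test-Path -Path $key) {
            $item = Get-ItemProperty -Path $key
            if ($item.PSObject.Properties['SchUseStrongCrypto']) { $value = [int]$item.SchUseStrongCrypto }
        }
        New-Object PSObject -Property @{ Key = $key; SchUseStrongCrypto = $value }
    }
}

# Report in the same shape as the SCHANNEL dump a commenter posted below.
Get-SchannelProtocolState | Format-Table Protocol, Side, KeyExists, Enabled, DisabledByDefault -AutoSize
Get-DotNetStrongCryptoState | Format-Table Key, SchUseStrongCrypto -AutoSize

if (-not (Test-Tls12Ready)) {
    Write-Warning 'TLS 1.2 is not explicitly enabled for both Client and Server. Run Enable-Tls12 (elevated) before disabling the older protocols.'
}
```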

Issue 3: Encrypted endpoint communication fails

Encrypted endpoint communication that uses TLS 1.2 fails when you use encrypted communications for Availability Groups, Database Mirroring, or Service Broker in SQL Server. An error message that resembles the following is logged in the SQL Server error log:

Connection handshake failed. An OS call failed: (80090331) 0x80090331(The client and server cannot communicate, because they do not possess a common algorithm.). State 56.

For more information about this issue, see FIX: The encrypted endpoint communication with TLS 1.2 fails when you use SQL Server.

(Update: February 22, 2016) Known Issue: If you are currently using a Cumulative Update for SQL Server 2014 and need to use TLS 1.2 for encrypted endpoints for features like Availability Groups, Database Mirroring or Service Broker, then we recommend that you install Cumulative Update 1 for SQL Server 2014 Service Pack 1 or Cumulative Update 8 for SQL Server 2014, which add support for this particular scenario. This is documented as a known issue in KB3135852.

Issue 4: Encrypted communication with DBM/AG fails

An encrypted connection with Database Mirroring or Availability Groups does not work when you use a certificate after you disable all protocols other than TLS 1.2. An error message that resembles the following is logged in the SQL Server error log:

Connection handshake failed. An OS call failed: (80090331) 0x80090331(The client and server cannot communicate, because they do not possess a common algorithm.). State 58.

You might also see the following errors in the Windows event logs in connection with this issue:

Log Name: System
Source: Schannel
Date: 3/4/2016 2:09:28 AM
Event ID: 36888
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Description:
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.

Log Name: System
Source: Schannel
Date: 3/4/2016 2:09:28 AM
Event ID: 36874
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Description:
An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

This issue occurs because Availability Groups and Database Mirroring require a certificate that does not use fixed length hash algorithms, such as MD5. Fixed length hashing algorithms are not supported in TLS 1.2.

For more information, see FIX: Communication using MD5 hash algorithm fails if SQL Server uses TLS 1.2.
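As an added example (not from the original post), the following PowerShell parses the two Schannel event types shown above (IDs 36874 and 36888) and can pull recent ones from the System log, turning the event text into a protocol, alert code and error state plus the diagnosis this post gives for each case. Function names are hypothetical, and the sample events are constructed from the messages quoted in the post and its comments.

```powershell
# Added example, not code from the original post. Parses the Schannel event
# types the post shows for Issue 4 (IDs 36874 and 36888) and pulls recent ones
# from the System log, so a TLS 1.2 cut-over can be checked from the event log
# rather than from application failures. Function names are hypothetical; the
# sample events at the bottom are constructed from text quoted on the page.

function ConvertFrom-SchannelEvent {
    param(
        [int]$Id,
        [string]$Message,
        [datetime]$TimeCreated = (Get-Date)
    )
    $protocol = $null; $alertCode = $null; $errorState = $null
    # 36874 names the protocol the peer asked for: "An TLS 1.0 connection request was received ..."
    if ($Message -match '((?:SSL|TLS) \d\.\d) connection request') { $protocol = $Matches[1] }
    # 36888 carries the TLS alert number in one of two wordings seen on the page:
    #   "The TLS protocol defined fatal error code is 40."  /  "The following fatal alert was generated: 40."
    if ($Message -match 'fatal (?:alert was generated: |error code is )(\d+)') { $alertCode = [int]$Matches[1] }
    if ($Message -match 'error state is (\d+)') { $errorState = [int]$Matches[1] }

    $diagnosis = switch ($Id) {
        36874 {
            if ($protocol -and $protocol -ne 'TLS 1.2') {
                "Peer offered $protocol but the server only accepts TLS 1.2: update that client's drivers (KB3135244)"
            } else {
                'No cipher suite in common at TLS 1.2: for DBM/AG endpoints check the certificate hash algorithm (Issue 4)'
            }
        }
        36888 {
            # Alert 40 is handshake_failure in the TLS alert registry.
            if ($alertCode -eq 40) { 'Server sent TLS alert 40 (handshake_failure) to the peer' }
            else                   { "Server sent TLS alert $alertCode to the peer" }
        }
        default { 'Schannel event not classified by this script' }
    }

    New-Object PSObject -Property @{
        TimeCreated = $TimeCreated
        Id          = $Id
        Protocol    = $protocol
        AlertCode   = $alertCode
        ErrorState  = $errorState
        Diagnosis   = $diagnosis
    }
}

function Get-SchannelHandshakeFailures {
    # Live query: Schannel errors 36874/36888 from the System log for the last $Hours.
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        Id           = @(36874, 36888)
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SchannelEvent -Id $_.Id -Message $_.Message -TimeCreated $_.TimeCreated }
}

# Constructed sample events, taken from the event text quoted in the post and its comments.
$SampleEvents = @(
    @{ Id = 36888; Message = 'A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.' },
    @{ Id = 36874; Message = 'An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.' },
    @{ Id = 36874; Message = 'An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.' },
    @{ Id = 36888; Message = 'The following fatal alert was generated: 40. The internal error state is 1205.' }
)
$SampleEvents | ForEach-Object { ConvertFrom-SchannelEvent -Id $_.Id -Message $_.Message } |
    Format-Table Id, Protocol, AlertCode, ErrorState, Diagnosis -AutoSize -Wrap

# On the affected server, replace the sample with the live log:
# Get-SchannelHandshakeFailures -Hours 48 | Format-Table -AutoSize -Wrap
```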

Issue 5: SQL Server Setup fails

SQL Server setup fails when TLS 1.2 is enabled

When you try to install Microsoft SQL Server 2012 or SQL Server 2014 on a server that has Transport Layer Security (TLS) version 1.2 enabled, you may encounter the following issues:

  • If the version of SQL Server that you're trying to install doesn't contain the fix to enable TLS 1.2 support, you receive the following error message: Wait on the Database Engine recovery handle failed. Check the SQL Server error log for potential causes.
  • If the version of SQL Server that you're trying to install does contain the fix to enable TLS 1.2 support, you receive the following error message: A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: Named Pipes Provider, error: 0 - No process is on the other end of the pipe.)

In both situations, the installation fails. See KB3135769 for the workaround.

Issue 6: Intermittent Service Termination

The following SQL Server database engine versions are affected by the intermittent service termination issue that is reported in KB3146034. For customers to protect themselves from the service termination issue, we recommend that they install the TLS 1.2 updates for Microsoft SQL Server that are mentioned in this article if their SQL Server version is listed in the following table.

SQL Server release: affected version
SQL Server 2008 R2 SP3 (x86 and x64): 10.50.6537.0
SQL Server 2008 R2 SP2 GDR (IA-64 only): 10.50.4046.0
SQL Server 2008 R2 SP2 (IA-64 only): 10.50.4343.0
SQL Server 2008 SP4 (x86 and x64): 10.0.6543.0
SQL Server 2008 SP3 GDR (IA-64 only): 10.0.5544.0
SQL Server 2008 SP3 (IA-64 only): 10.0.5894.0

Issue 7: Database Mail does not work

Database Mail does not work with TLS 1.2

Database Mail fails with the following errors:

Agent Log:

Microsoft.SqlServer.Management.SqlIMail.Server.Common.BaseException:

Mail configuration information could not be read from the database.

….

….

Unable to start mail session.

See the section “Additional fixes needed for SQL Server to use TLS 1.2” in KB3135244.

Issue 8: SQL Server service does not start

After you disable all protocols other than TLS 1.2 on the server, the SQL Server database engine service fails to start with the following errors:

Error: 17182, Severity: 16, State: 1.
TDSSNIClient initialization failed with error 0x139f, status code 0x1. Reason: Initialization failed with an infrastructure error. Check for previous errors. The group or resource is not in the correct state to perform the requested operation.

Could not start the network library because of an internal error in the network library. To determine the cause, review the errors immediately preceding this one in the error log.

Error: 17120, Severity: 16, State: 1.
SQL Server could not spawn FRunCM thread. Check the SQL Server error log and the Windows event logs for information about possible related problems.

The above errors are reported because the SQL Server client driver fixes were not applied on the server. See KB3135244 and apply the applicable client driver fixes on the server.

A recording of the TLS 1.2 session delivered for the PASS Security Virtual Chapter is available below.

Comments

  • Anonymous
    February 09, 2016
    Does this include support for TLS in Database Mail (SMTP) in SQL Server 2008 R2?
    • Anonymous
      March 25, 2016
      Could you please share any error that you are receiving using the contact option on the right side-bar at https://blogs.msdn.microsoft.com/sql_server_Team/
    • Anonymous
      May 27, 2016
      Please see a list of .NET fixes above for TLS 1.2 to work with Database Mail.
  • Anonymous
    February 16, 2016
    The comment has been removed
    • Anonymous
      February 18, 2016
      Could you please post the error message that is present in the SQL Server Errorlog when the service does not start automatically? You will need to install the necessary .NET update for SSMS to connect to the SQL Server database engine. The reason for this is the Management Studio for older releases require an older SqlClient. The download links for the ADO.NET updates are available in KB3135244.
  • Anonymous
    February 16, 2016
    When will a new hotfix be available ? According to the PCI policy the disablement of TLS 1.0 must occur by June 2016, which does not leave a lot of time to test and implement.
    • Anonymous
      February 18, 2016
      We will be publishing an update on the investigation as soon as it is complete along with an update on the mitigation steps.
    • Anonymous
      February 22, 2016
      Owen, you have until June 30th, 2018 now, they changed that date at the end of 2015. You will have to provide risk and mitigation plan to your PCI assessor, but you have time to test and implement or migrate properly now.
  • Anonymous
    February 17, 2016
    The comment has been removed
    • Anonymous
      February 18, 2016
      The update that you have installed 489678_ENU_x64 is the update for the SQL Server Native Client (client driver). You have not installed the database engine hotfix package. As mentioned in the blog post, we are currently investigating an issue reported by two customers. We will enable the downloads as soon as we have concluded the investigation of the reported issues. Please keep a watch on this blog post for updates.
  • Anonymous
    February 22, 2016
    The comment has been removed
    • Anonymous
      February 22, 2016
      Alicia: We have been notified about this particular issue and this is already under investigation. We will provide an update on this blog post about the resolution of this issue. Thank you for reporting this issue to us.
  • Anonymous
    February 22, 2016
    The comment has been removed
    • Anonymous
      February 22, 2016
      This issue occurs because SSMS, Report Manager, and Reporting Services Configuration Manager use ADO.NET, and ADO.NET support for TLS 1.2 is available only in the .NET Framework 4.6. For earlier versions of the .NET Framework, you have to apply a Windows update so that ADO.NET can support TLS 1.2 communications for the client. The Windows updates that enable TLS 1.2 support in earlier versions of .NET framework are listed in the table in the "How to know whether you need this update" section of KB3135244. The path that you installed only updates the SQL Server Native Client. You will also need to install the client driver update for "Microsoft ODBC Driver for SQL Server".
  • Anonymous
    February 23, 2016
    Amit, Thank you for the information. I removed .Net 4.6 and installed 3.5 and applied the hotfix mentioned and this solved all my problems.
  • Anonymous
    March 01, 2016
    Because of the DROWN attack we are being forced to use only TLS 1.2 on Windows 2008 servers that run SQL Server 2008 R2. Our ISP is testing what protocols are enabled and blocking servers running anything other than TLS 1.2. So we need the update for SQL Server 2008/R2 now.
    • Anonymous
      March 02, 2016
      We have re-enabled the download links for SQL Server 2008 and SQL Server 2008 R2. You should be able to download the packages.
  • Anonymous
    March 04, 2016
    The article mentions 3 hotfixes for NF 4.5/4.5.1/4.5.2: 3099842/3099844 and 3099845. Do all of these need to be installed? Thanks, Chris
    • Anonymous
      March 04, 2016
      Chris: If your application uses .NET client drivers and you only want to use TLS 1.2, then you need to install the relevant .NET fixes for the client drivers.
  • Anonymous
    March 05, 2016
    Amit, None of the 3 earmarked for NF 4.5.2 indicate an OS. So I will assume that I probably need to install all 3 for W2K8R2 and Win 7. Chris
  • Anonymous
    March 07, 2016
    Is it "Enabled"=dword:00000001 as per 'What is the correct registry setting to enable TLS 1.2 for SQL Server communication?' or as described in issue 2 Enabled = 0xffffffff. https://support.microsoft.com/en-us/kb/3135244
    • Anonymous
      March 07, 2016
      The correct setting is:
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
      "DisabledByDefault"=dword:00000000
      "Enabled"=dword:00000001
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
      "DisabledByDefault"=dword:00000000
      "Enabled"=dword:00000001
      I will correct the post accordingly.
  • Anonymous
    March 07, 2016
    I tried to install SQL Server Native Client (for SQL Server 2008 R2) from this page: https://support.microsoft.com/en-us/kb/3135244 The file is SQL2008R2_SP3_COD_SNAC_x86_1033. But my system said: "Installation... failed because a higher version exists on the machine". My current version of SQL Server Native Client is 10.53.6542.0. What version is the file SQL2008R2_SP3_COD_SNAC_x86_1033?
    • Anonymous
      March 08, 2016
      If you are on the build 6542, then you are on the latest build. If you need to install only the client driver update for client machines, then you need to download the appropriate client driver from the client drivers hotfix link in the second table in KB3135244.
  • Anonymous
    March 08, 2016
    Great thanks - btw https://support.microsoft.com/en-us/kb/245030 mentions 0xffffffff too. David
    • Anonymous
      March 08, 2016
      Correct but that is for older operating systems. KB245030 mentions the registry settings for later version of windows. Look at the section "For later versions of Windows" in KB245030.
      • Anonymous
        March 09, 2016
        Hello Amit, I have SQL server 2008 R2 Ent installed on Windows server 2008 R2 Ent. I am unable to login to SQL server locally after the installation. Getting below error: Connection handshake failed. An OS call failed: (80090331) 0x80090331(The client and server cannot communicate, because they do not possess a common algorithm.). State 56. The error led me to this article and I updated my DB engine to 10.50.6542.0. But still unable to login. What should I do in order to allow my SSMS to connect locally?
  • Anonymous
    March 08, 2016
    Amit, Just applying 3099845 didn't allow me to use SSMS to access the upgraded server. SP3 build 6542 now comes up with TLS 1.0 disabled. The other two are not for W2K8R2 SP1. What do I do now without having NF 4.6 or 4.6.1 installed? Chris
  • Anonymous
    March 09, 2016
    I have now got this to work by having the NF 3.5/2.0 hotfix installed. I can now use SSMS on the server to manage SQL. Chris
    • Anonymous
      March 10, 2016
      Good to know Chris. The KB and client/server OS combinations are given below:
      3099842 is for Windows 8.1 and Windows Server 2012 R2
      3099844 is for Windows 8 and Windows Server 2012
      Correction: 3099845 should be for Windows 7 SP1 and Windows Server 2008 R2.
  • Anonymous
    March 10, 2016
    Adding more details to my earlier comment: I have SQL server 2008 R2 Ent installed on Windows server 2008 R2 Ent. I am unable to login to SQL server locally after the installation. Getting below error:
    Connection handshake failed. An OS call failed: (80090331) 0x80090331(The client and server cannot communicate, because they do not possess a common algorithm.). State 56.
    The error led me to this article and I updated my DB engine to 10.50.6542.0. But still unable to login. What should I do in order to allow my SSMS to connect locally? Also the second issue is SQL agent service is not starting. It fails with below error:
    Agent could not be started (unable to connect to server (local), SQLserveragent cannot start).
    How to fix this as well? Below are my environment details:
    Windows server 2008 R2 Ent. SP1
    SQL Server 2008 R2 Ent (10.50.6542.0)
    .Net version 4.5.51209
    SCHANNEL registry status:
    SSL 2.0: Client: DisabledByDefault = 1 Enabled = 0 Server: DisabledByDefault = 1 Enabled = 0
    SSL 3.0: Client: DisabledByDefault = 1 Enabled = 0 Server: DisabledByDefault = 1 Enabled = 0
    TLS 1.0: Client: DisabledByDefault = 0 Enabled = 1 Server: DisabledByDefault = 0 Enabled = 1
    TLS 1.1: Client: DisabledByDefault = 0 Enabled = 1 Server: DisabledByDefault = 0 Enabled = 1
    TLS 1.2: Client: DisabledByDefault = 0 Enabled = 1 Server: DisabledByDefault = 0 Enabled = 1
    Please let me know if you need any further details.
    • Anonymous
      March 10, 2016
      You need to install the client driver fixes on all the clients and the server. The download link is available on KB3135244.
  • Anonymous
    March 10, 2016
    Update: I made some progress on it. I installed .Net version 4.6.01055 and ADO.NET - SqlClient (.NET Framework 3.5/.NET Framework 2.0 SP2) referring link https://support.microsoft.com/en-us/kb/3135244. I am now able to connect SQL server using SSMS locally and also able to start SQL agent service. Yipee. But now the new issue is appearing. I can't connect the server remotely using windows authentication. I get below errors in windows eventviewer logs when I try to connect it. Also, no errors in SQL server error logs.
    Log Name: System Source: Schannel Event ID: 36888 Task Category: None Level: Error Keywords: User: SYSTEM Description: The following fatal alert was generated: 40. The internal error state is 1205.
    Log Name: System Source: Schannel Event ID: 36874 Task Category: None Level: Error Keywords: User: SYSTEM Description: An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
    • Anonymous
      March 10, 2016
      You need to update the SQL Server client drivers on the client machines that you are connecting from. The client driver download links are available in KB3135244.
    • Anonymous
      March 10, 2016
      This is because the client drivers on the client machines have not been updated. You need to download the patches mentioned for the client drivers in KB3135244 and install them on the clients.
  • Anonymous
    March 31, 2016
    We have SQL Server instance where we turned off TLS 1.0 after following all the necessary updates under KB3135244. We are able to connect locally and remotely to the instance without any issues using SSMS. However, we have an issue running any reports on a remote SSRS to the instance running on TLS 1.2. The connection is successful in SSMS, SQL Data Tools, and even Report Builder. Once deployed to the SSRS server, we receive the following error:
    A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: TCP Provider, error: 0 - An existing connection was forcibly closed by the remote host.)
    What are we missing?
    • Anonymous
      April 05, 2016
      The comment has been removed
      • Anonymous
        April 08, 2016
        When previewing the report in SQL Data Tools or Report Builder, it works fine. Once deployed to SSRS and ran through the SSRS web-based GUI, the data source test fails giving the error above. The SSRS server is running SQL Server & SSRS running SQL Server 2012 (11.0.6523), .NET Framework 4.6.1, SNAC 11.0.6523 (based on KB315244) on Windows 2012 R2. The data source in the report is running SQL Server 2014 (12.00.4439) with TLS 1.0 disabled, also on Windows 2012 R2. Testing the same connection from the SSRS server to the Data Source using a .udl connection gives the error:
        ConnectionOpen (SECDoClientHandshake()). SSL Security error.
        Test connection failed because of initializing provider.
        I would like to add that this is not environment specific to the servers mentioned above. Testing this same behavior on different SSRS servers and Data Sources running with TLS 1.0 disabled, produces the same results. Have Microsoft confirmed that SSRS can connect via the SSRS web GUI to data sources running with TLS 1.0 disabled?
        • Anonymous
          April 15, 2016
          Have you installed the applicable .NET fixes mentioned in KB3135244? If yes and this is not working, please open a Microsoft Support incident to determine what is missing from the environment due to which the connections are not working. And yes, we have tested this scenario with all other protocols being disabled and only TLS 1.2 being enabled. The list of known issues highlighted in this post are based on the testing done before we released these patches publicly.
          • Anonymous
            April 22, 2016
            After working with Microsoft's support, the issue is specific to Windows Server 2012 R2. Some parts of SSRS depend on .NET Frameworks 2.0. The following fix is required to correct the error mentioned above with TLS 1.2. https://support.microsoft.com/en-in/kb/3106993
            • Anonymous
              April 27, 2016
              Good to know that this is resolved. This is mentioned as a required client fix under "ADO.NET - SqlClient (.NET Framework 3.5/.NET Framework 2.0 SP2)" in KB3135244.
  • Anonymous
    April 04, 2016
    The comment has been removed
    • Anonymous
      April 05, 2016
      The comment has been removed
      • Anonymous
        April 06, 2016
        The comment has been removed
        • Anonymous
          April 06, 2016
          If your Native Client is on the build 6542, then you are on the latest build. If you need to install only the client driver update for client machines, then you need to download the appropriate client driver from the client drivers hotfix link in the second table in KB3135244. If your connection is failing with SSMS, then it needs the .NET update. You need the .NET fix from https://support.microsoft.com/en-us/kb/3106993 as SSMS for older releases of SQL Server does not use .NET 4.0. Another option to check if TLS 1.2 connection is working is:
          1. Verify if the SQL Server database engine starts after disabling all protocols except TLS 1.2. I am assuming this is working based on your comments.
          2. Install the latest SSMS from https://msdn.microsoft.com/en-us/library/mt238290.aspx and check if that is able to connect to the database engine
          3. Install the .NET fix that I mentioned above
          • Anonymous
            April 13, 2016
            Hi Amit, We ran the installer again for KB3144114 on our QA database server and again it was successful. This time however, we were able to log in locally and remotely and it looks like everything has gone smoothly this time. This is good of course but a little strange and leaves us in a worrying situation deploying the update to our production cluster nodes. Will update here hopefully after we have deployed out the update successfully :) Thanks for your assistance and feedback. It was very helpful.
            • Anonymous
              April 15, 2016
              Good to know that this is working. Did you check if the update last time had increased the build number of the DLLs and EXEs to the build numbers mentioned in KB3135244? That would be the most sure way to determine if the fixes are applied correctly on the server, along with the fact that the installers did not report any errors.
          • Anonymous
            April 13, 2016
            Hi Amit, How do I apply this update to a 2 node cluster? Should the update be applied to the passive node first, if ok is good, fail over from active to passive and then install the update on the new passive node and fail back again? Assuming of course, all goes well with the installations? Thanks, Brian
            • Anonymous
              April 15, 2016
              You will need to follow the same update method and process that you follow with any Service Pack or Cumulative Update.
          • Anonymous
            May 05, 2016
            Hi Amit, Thank you for all your help. To update, we applied KB3144114 to our cluster nodes (in-active nodes first) and all went smoothly. Your help was invaluable.
            • Anonymous
              May 11, 2016
              Great to know that everything worked out for you! :)
  • Anonymous
    April 25, 2016
    Hi Amit, thanks for the post. I have a server with 2012 R2. I installed the SQL Server management studio SP 1 CU6. .Net version is 4.5.51650 according to [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\1033]. I have the problem that the SQL Server management studio says that the connection was forcibly closed by the remote host. On other servers, when I installed .net 4.6, the issue was resolved. On the particular server, however, I cannot install .Net 4.6. The update which is suggested by https://support.microsoft.com/en-us/kb/3135244 for .Net 4.5.2 cannot be installed on my machine. It says that that version is not applicable to that machine. What else should I do to be able to connect with the SQL Server Management Studio 2014 via TLS 1.2? Thanks, KR Chris
    • Anonymous
      April 27, 2016
      You need to install "ADO.NET - SqlClient (.NET Framework 3.5/.NET Framework 2.0 SP2)" from KB3135244.
  • Anonymous
    May 17, 2016
    Would this enable TLS support for SSIS (http connection manager in use with a webservice task)? We've fully patched SQL for TLS support and are seeing failures with SSIS connecting to a https web service that is only available via TLS 1.1 and 1.2.
    • Anonymous
      May 19, 2016
      So if anyone else has a similar problem, the following registry settings enable TLS 1.1 and 1.2 support by default for the .net framework 4-4.5, which SQL 2012 uses. By adding these the webservice task/http connection manager for SSIS can again connect to a https site that only supports TLS 1.1 or 1.2. For reference this worked with server 2012 running SQL 2012.
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
      "SchUseStrongCrypto"=dword:00000001
      [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
      "SchUseStrongCrypto"=dword:00000001
      • Anonymous
        May 19, 2016
        The comment has been removed
        • Anonymous
          May 27, 2016
          The comment has been removed
          • Anonymous
            May 27, 2016
            The client drivers used to connect to SQL Server and the client tools like SSMS in releases prior to SQL Server 2016 use older versions of .NET (<4.6). You need to install the .NET updates mentioned in KB3135244 for the older client drivers to work with TLS 1.2.
  • Anonymous
    May 27, 2016
    The comment has been removed
    • Anonymous
      May 27, 2016
      For clarification:
      OS: 2012 w/ .net 4.6.1 framework installed and the registry entries that enable TLS 1.1 and 1.2 for the .net 4.5 framework in place (see previous post above)
      SQL: Microsoft SQL Server 2012 (SP3-CU2) (KB3137746) - 11.0.6523.0 (X64)
    • Anonymous
      May 27, 2016
      This is a different issue. Please refer to the fixes in the "Additional fixes needed for SQL Server to use TLS 1.2" section added in the post. Database Mail used .NET APIs in older .NET framework versions which did not support TLS 1.2. If you apply the appropriate fix mentioned in the post, then Database Mail should work with TLS 1.2.
      • Anonymous
        May 31, 2016
        Thanks, we installed the KB referenced for this OS and SQL version (KB3154519). The same error occurs when databasemail tries to run. We also have the registry entry in place mentioned in the KB for both 32-bit and 64-bit frameworks. Please advise if we've missed anything to ensure this functions when TLS 1.0 is off at a server level.
        • Anonymous
          May 31, 2016
          The comment has been removed
          • Anonymous
            June 04, 2016
            The comment has been removed
          • Anonymous
            June 04, 2016
            The .NET patch is for the client driver. If you still have concerns about this, please feel free to share your contact details using our contact form on http://aka.ms/sqlserverteam and I will get in touch with you.
          • Anonymous
            July 30, 2016
            The comment has been removed
  • Anonymous
    June 23, 2016
    TITLE: Connect to Server
    Cannot connect to DELL-PC.
    ------------------------------
    ADDITIONAL INFORMATION:
    A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) (Microsoft SQL Server, Error: 2)
    How we can fix an ERROR in SQL SERVER 2008 R2? Please, give your feedback?
    • Anonymous
      June 23, 2016
      This is quite a generic error. Are you able to ping the machine that is hosting the SQL Server instance? Also, for client connections to be successful using TLS 1.2, you need to install the client driver updates mentioned in KB3135244: https://support.microsoft.com/en-us/kb/3135244
  • Anonymous
    July 27, 2016
    I have a Windows Server 2008 R2 Standard Service Pack 1 64-bit with Microsoft SQL Server 2008 (SP3) - 10.0.5538.0 (x64) Express Edition w/ Advanced Services. I ran the Service Pack 4 update - SQLServer2008SP4-KB2979596-x64-ENU (KB2979596), Security Update for SQL Server 2008 Service Pack 4 (KB3045311), SP4 TLS 1.2 Update - 490209_intl_x64_zip.exe (KB3144113), and set the registry as follows:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
    "DisabledByDefault"=dword:00000001
    "Enabled"=dword:00000000
    Now when my IIS app tries to connect to the DB it says it's unavailable. The SQL Active Directory Helper Service, SQL Server Agent, and SQL Server Browser are all disabled and all the options to restart or start are greyed out. I've gone through all of the issues listed above but most referred me back to KB3144113 which I already applied. Any help would be appreciated.
    • Anonymous
      August 09, 2016
      The comment has been removed
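The registry edits in the comment above, and the 32-bit/64-bit .NET Framework values the Database Mail discussion earlier in this thread refers to, as an added PowerShell example. This is not code from the original post, from KB3135244 or from the tigertoolbox script. It assumes it runs elevated on the SQL Server host; the SCHANNEL protocol key names and the SystemDefaultTlsVersions/SchUseStrongCrypto value names are the standard ones. Install the KB3135244 driver updates before disabling TLS 1.0, preview with -WhatIf, and reboot afterwards.

```powershell
# Added example, not code from the original post, KB3135244 or the tigertoolbox script.
# Audits and sets the SCHANNEL protocol keys edited by hand in the comment above, for the
# Client and the Server role, and reports the .NET Framework TLS-default values that the
# Database Mail discussion earlier in this thread refers to. Run elevated on the SQL host.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    # One row per protocol and role. $null means the value is absent and the OS default applies.
    foreach ($p in $Protocols) {
        foreach ($role in 'Client', 'Server') {
            $key   = Join-Path $SchannelRoot "$p\$role"
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $p
                Role              = $role
                Enabled           = $props.Enabled
                DisabledByDefault = $props.DisabledByDefault
            }
        }
    }
}

function Set-SchannelProtocol {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')]
        [string]$Protocol,
        [Parameter(Mandatory = $true)][bool]$Enable
    )
    # Write both roles: the comment above changed only ...\Server, but the same machine is a
    # TLS client whenever SQL Server, Database Mail or a local IIS app opens a connection.
    foreach ($role in 'Client', 'Server') {
        $key = Join-Path $SchannelRoot "$Protocol\$role"
        $msg = "Enabled=$([int]$Enable), DisabledByDefault=$([int](-not $Enable))"
        if ($PSCmdlet.ShouldProcess($key, $msg)) {
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name Enabled           -PropertyType DWord -Value ([int]$Enable)        -Force | Out-Null
            New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value ([int](-not $Enable)) -Force | Out-Null
        }
    }
}

function Get-DotNetTlsDefaults {
    # SystemDefaultTlsVersions=1 makes .NET 3.5/4.x code (Database Mail, SqlClient) follow the
    # SCHANNEL defaults instead of pinning SSL 3.0/TLS 1.0; SchUseStrongCrypto=1 does the same
    # for .NET 4.x. Both the native and the Wow6432Node (32-bit) keys matter on x64.
    $paths = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
             'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    foreach ($path in $paths) {
        $props = if (Test-Path $path) { Get-ItemProperty -Path $path } else { $null }
        [pscustomobject]@{
            Key                      = $path
            SystemDefaultTlsVersions = $props.SystemDefaultTlsVersions
            SchUseStrongCrypto       = $props.SchUseStrongCrypto
        }
    }
}

# Preview first (-WhatIf), apply only after the KB3135244 driver updates are installed,
# then reboot: SCHANNEL picks these keys up at startup.
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enable $true  -WhatIf
Set-SchannelProtocol -Protocol 'TLS 1.0' -Enable $false -WhatIf
Get-SchannelProtocolState | Format-Table -AutoSize
Get-DotNetTlsDefaults     | Format-Table -AutoSize
```

Drop the -WhatIf switches to apply the change. A row with both values empty in the first table means the protocol is running on the OS default, which on Windows Server 2008 R2 leaves TLS 1.1 and 1.2 disabled for the client role until they are enabled explicitly.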
  • Anonymous
    August 04, 2016
    I've installed SP4 for SQL Server 2008, the .NET hotfix for .NET 4.5x, the hotfix for disabling TLS 1.0 and 1.1, the Win 2008 R2 hotfix and my existing Microsoft OLEDB Provider for SQL Server does not work with TLS 1.0 disabled. The SQL Server Native Client 10.0 does work. I'm trying to avoid having to modify a lot of SSIS packages to switch OLEDB drivers. Does the Microsoft OLEDB Provider for SQL Server support TLS 1.2? I get SSL connection failures logged to the event history.
    • Anonymous
      August 09, 2016
      You will need to switch to one of the providers listed in KB3135244.
  • Anonymous
    August 11, 2016
    Is there an audit tool for SSIS packages that will identify the packages that are using this Microsoft driver or some way to identify which packages will fail without disabling TLS 1.0 and seeing what breaks?
    • Anonymous
      August 14, 2016
      You need to check the .NET version and the client drivers installed on the machine which runs the SSIS packages. Once you find the client drivers and the .NET version installed on the machine, you need to install the appropriate patches from KB3135244.
  • Anonymous
    August 31, 2016
    Is there a driver for Oracle that is supported using TLS 1.2 (I don't see one on the list provided above of supported drivers)? After applying the changes I can no longer communicate with Oracle servers using the available drivers in SSIS. All necessary updates have been done and I am not having any issues communicating with other SQL servers that are configured for TLS 1.2.
    • Anonymous
      September 01, 2016
      The drivers for Oracle are provided by Oracle Corporation and their documentation should mention their supportability for TLS 1.2. What is the error that you are receiving and what is the driver version you are using?
  • Anonymous
    September 21, 2016
    The comment has been removed
  • Anonymous
    September 23, 2016
    The comment has been removed
    • Anonymous
      September 23, 2016
      Correction to my comment. It was the client side that was hardened to use only TLS 1.2 and ECDH Key Exchanges, AES Ciphers, All hashes that would create this behavior. We found that if the SQL server was hardened or not we were able to still switch databases in ODBC Administrator.
      • Anonymous
        September 29, 2016
        The comment has been removed
        • Anonymous
          October 03, 2016
          Good to know and thanks for responding! The issue experienced when using ODBC 13 against a SQL instance revealed an inability to switch databases during the ODBC Administrator new DSN setup wizard. This behavior was only noticed when the SQL server was only using the TLS 1.2 protocol, ECDH Key Exchange, AES Ciphers and all hashes under the SCHANNEL registry keys. Once we defaulted those same settings to OOBE, the issue experienced with database switching was resolved.
        • Anonymous
          October 20, 2016
          Hi. I have TMG 2010 SP2 RU5 with SQL 2008 SP4. We disabled TLS 1.0. I have applied the hotfixes and the SQL DB and SQL Reporting [ISARS] are starting now OK. But I am still getting the following error/events:
          Event ID: 31288
          SQL Server Reporting Services could not be configured for Forefront TMG. Restarting the Microsoft Forefront TMG Job Scheduler service may resolve this issue. Reporting Services error information: [DBNETLIB][ConnectionOpen (SECDoClientHandshake()).]SSL Security error.
          Q. What is missing here? My SQL versions are the following.
          OS: W2008 R2 SP1, SQL 2008 SP4
          2016-10-18 18:25:41.57 Server Microsoft SQL Server 2008 (SP4-OD) (KB3144113) - 10.0.6547.0 (X64)
          SQL Native Client etc.: 10.4.6547
          .NET: 3.51
          .NET 4.5.2 hotfix rollup KB3099845
          TMG 2010 alerts:
          Description: The daily summary for day "10/17/2016" was not created. This may cause the report for this period to be inaccurate. Verify that no prior reporting configuration alerts exist, and that the reporting services on the designated Forefront TMG report server are running and accessible from all the array members. Use the source location 1001.213.7.0.9193.644 to report the failure.
          • Anonymous
            October 21, 2016
            The error message shows that TLS 1.2 is not understood by the driver. Could you please install the client driver updates on the Reporting Services server and the TMG server to ensure that all SQL connectivity drivers used in the environment support TLS 1.2. Also, SQL Server 2008 uses an older version of .NET. You need the older .NET fixes for the ADO.NET driver. KB3135244 has all the client driver/.NET updates required. Please apply those. If that does not work, please open a support case so that our engineers can help troubleshoot the root cause.
          • Anonymous
            October 24, 2016
            Thanks. But I have applied the required updates. My version is Microsoft SQL Server 2008 (SP4-OD) (KB3144113) - 10.0.6547.0 (X64) Feb 22 2016 19:04:50 Copyright (c) 1988-2008 Microsoft Corporation Express Edition with Advanced Services (64-bit) on Windows NT 6.1 (Build 7601: Service Pack 1). The SQL Reporting Service is on the same server as TMG 2010; it is bundled. The following fixes were applied and fixed a lot of issues after enabling TLS 1.2 (the SQL services were not starting, but after installing the fixes all the services are starting):
            SQL Server 2008 SP4 TLS 1.2 Update
            Hotfix rollup 3099845 for the .NET Framework 4.5.2, 4.5.1, and 4.5
            SQL Server Native Client (for SQL Server 2008) [SQL Server 2008 Native Client (x86 and x64)] - 489744
            Microsoft ODBC Driver 11 for SQL Server - Windows
            Support for TLS v1.2 included in the .NET Framework version 3.5.1
            KB3154518-x64: Support for TLS System Default Versions included in the .NET Framework 3.5.1 on Windows 7 SP1 and Server 2008 R2 SP1
            I tried to install some updates again; it says not applicable or already installed:
            Windows8.1-KB3106993-x64_2 .net2 hotfix - not applicable.msu
            Windows8.1-KB3106993-x64 not applicable.msu
            Example: Product: Microsoft SQL Server 2008 Native Client -- Installation of SQL Server 2008 Native Client failed because a higher version already exists on the machine. To proceed, uninstall the higher version and then run SQL Server 2008 Native Client Setup again.
            Below are the pending errors:
            Event ID: 30973 Description: The daily summary for day "10/23/2016" was not created. This may cause the report for this period to be inaccurate. Verify that no prior reporting configuration alerts exist, and that the reporting services on the designated Forefront TMG report server are running and accessible from all the array members. Use the source location 1001.105.7.0.9193.644 to report the failure.
            Event ID: 31288 SQL Server Reporting Services could not be configured for Forefront TMG. Restarting the Microsoft Forefront TMG Job Scheduler service may resolve this issue. Reporting Services error information: [DBNETLIB][ConnectionOpen (SECDoClientHandshake()).]SSL Security error.
            A case with MS support was opened but the engineer has been going around the same hotfix things for a week now. They got the logs but it seems they have not been checked so far.
            • Anonymous
              November 08, 2016
              The comment has been removed
  • Anonymous
    October 18, 2016
    We are having a very strange problem with our production cluster after installing SP2, CU1 (5511) on SQL Server 2014. The operating system is Windows Server 2012 R2. Every morning we are not able to connect to SQL Server via SSMS remotely or locally. The error message says "Connection Timeout Expired. The timeout period elapsed while attempting to consume the pre-login handshake acknowledgement. This could be because the pre-login handshake failed or the server was unable to respond back in time" if I try from my PC running SSMS. When I log in to the server running SQL Server and try connecting, a slightly different error: "A connection was successfully established with the server, but then an error occurred during the pre-login handshake." All SQL services seem to be running. TCP, port enabled. Rebooting/restarting the SQL service resolves the issue and it works smoothly until the next morning. I noticed that if I don't do anything everything works fine after a while (in 1 hour max). The problem is only with one node of the active-active cluster. The second node works fine. Interchanging the roles in the cluster shows that the problem is only with one node. We have an identical test cluster environment where everything also works fine. All software versions are identical. I noticed that we have this problem after applying the last SQL patch and Windows Security Update. Tried rollback to the previous patch level of SQL and Windows with no luck. Any advice on this would be appreciated.
    • Anonymous
      October 21, 2016
      This doesn't look like a TLS 1.2 related issue because if TLS 1.2 connectivity was failing, it should fail always. Troubleshooting this would require analysis of the SQL Server and Windows event logs to start with. I would recommend opening a support case for this so that our engineers can help you troubleshoot this issue.
  • Anonymous
    November 03, 2016
    The comment has been removed
    • Anonymous
      November 07, 2016
      What is the operating system that you are using? Windows Server 2008 and Windows Vista will allow you to install the fix but do not have support for TLS 1.2.
  • Anonymous
    January 09, 2017
    Hello, I have an instance on Windows 10 (previously Windows 8.1, but I experienced the same problem on that OS) for which I systematically have to enable FIPS-compatible algorithms in my local security policy in order to get a valid connection to my SQL server from ODBC. My SQL instance is SQL Server Express 2014 SP1 for x86 (version 12.1.14491.0). If I enable FIPS 140 compatible algorithms, everything works fine, but if I disable it I get a connection failed error:
    ---------------------------
    Microsoft SQL Server Login
    ---------------------------
    Connection failed:
    SQLState: '01000'
    SQL Server Error: 772
    [Microsoft][ODBC SQL Server Driver][TCP/IP Sockets]ConnectionOpen (SECDoClientHandshake()).
    Connection failed:
    SQLState: '08001'
    SQL Server Error: 18
    [Microsoft][ODBC SQL Server Driver][TCP/IP Sockets]SSL Security error
    ---------------------------
    OK
    ---------------------------
    Thanks for any indication that might help to solve this, since enabling FIPS 140 algorithms might prevent other programs from running correctly (as I have experienced).
    • Anonymous
      January 10, 2017
      Here is some additional information about my setup, extracted from SQL Server Installation Center -> Tools -> SQL Server features discovery report:
      Product | Instance | Instance ID | Feature | Language | Edition | Version | Clustered | Configured
      Microsoft SQL Server 2014 | MyDB | MSSQL12.MyDB | Database Engine Services | 1033 | Express Edition | 12.1.4491.0 | No | Yes
      Microsoft SQL Server 2014 | | | Management Tools - Basic | 1033 | Express Edition | 12.1.4491.0 | No | Yes
      Microsoft SQL Server 2014 | | | Management Tools - Complete | 1033 | Express Edition | 12.1.4491.0 | No | Yes
      Microsoft SQL Server 2014 | | | Client Tools Connectivity | 1033 | Express Edition | 12.1.4491.0 | No | Yes
      Microsoft SQL Server 2014 | | | Client Tools Backwards Compatibility | 1033 | Express Edition | 12.1.4491.0 | No | Yes
      Microsoft SQL Server 2014 | | | Client Tools SDK | 1033 | Express Edition | 12.1.4491.0 | No | Yes
      • Anonymous
        January 18, 2017
        Could you please check if the registry keys are created appropriately as mentioned in https://support.microsoft.com/en-us/help/3135244/tls-1.2-support-for-microsoft-sql-server
        • Anonymous
          February 09, 2017
          Hello Amit, sorry for the late reply. Indeed, the registry key values are set according to the article you mentioned. Are there any possible incompatibilities between the support of TLS 1.2 and implementations that can be used to communicate with the SQL database? The application we are trying to migrate makes use of an ADO RecordSet, ADO Connection and ADO Command to establish the link between the application and the SQL Server.
          • Anonymous
            February 09, 2017
            I would check the ODBC client driver versions on both server and client and see if they are updated. The client and server machine need the registry keys. Beyond that I think this would be a good candidate for requiring a support case.
          • Anonymous
            February 15, 2017
            Hello Amit, thanks for your reply. I did a quick test trying to narrow down the issue here since, indeed, the registry keys have the right values. I tried, from the ODBC Data Source Administrator tool, to configure data sources with the different drivers connecting to the database while encryption is enforced on the server itself:
            - ODBC Driver 11 for SQL Server (2014.120.4491.00) works fine without FIPS activated
            - SQL Server Native Client 11.0 (2011.110.6518.00) works fine without FIPS
            - SQL Server Native Client 10.0 (2007.100.2531.00) requires the activation of FIPS
            - SQL Server (10.00.14393.00) requires FIPS
            - SQL Native Client (2005.90.3042.00) requires FIPS
            After discussing with the developer in charge of this application, it seems that he does not know for sure which driver is called, though he knows he still makes use of the MSAD026.tlb based library to handle the communication with the database engine. I think the problem must lie somewhere here and that this needs to be changed to ADO.NET to fix the problem. Thanks for your answers though!
            Regards,
            Francois
            • Anonymous
              February 16, 2017
              The comment has been removed
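The per-driver test described in the comment above, done from PowerShell instead of the ODBC Data Source Administrator wizard, as an added example; this is not code from the original post or from Microsoft. It enumerates the installed SQL Server ODBC drivers with their DLL file versions, tries a connection with each and records the failure text, and reports the FIPS policy state that the earlier comment found to matter. The instance name is an assumed placeholder, it uses integrated authentication against master, and reading sys.dm_exec_connections needs VIEW SERVER STATE.

```powershell
# Added example, not code from the original post or from Microsoft. Run on the client
# machine whose drivers are in question; 64-bit PowerShell sees the 64-bit drivers,
# the 32-bit ones live under HKLM:\SOFTWARE\Wow6432Node\ODBC and need 32-bit PowerShell.
param([string]$Server = 'MYSQLSERVER\MyDB')   # assumed instance name, replace with yours

function Get-FipsPolicyState {
    # The comment above found that legacy drivers only connected with the FIPS policy on;
    # report it so the result table can be read in context.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    if (Test-Path $key) { [bool](Get-ItemProperty -Path $key).Enabled } else { $false }
}

function Get-SqlOdbcDriver {
    # ODBCINST.INI lists every installed driver; the Driver value is the DLL path, whose
    # file version shows whether a TLS 1.2-capable build from KB3135244 is installed.
    $ini   = 'HKLM:\SOFTWARE\ODBC\ODBCINST.INI'
    $names = (Get-ItemProperty -Path (Join-Path $ini 'ODBC Drivers')).PSObject.Properties |
        Where-Object { $_.Value -eq 'Installed' -and $_.Name -match 'SQL' } |
        Select-Object -ExpandProperty Name
    foreach ($name in $names) {
        $dll = (Get-ItemProperty -Path (Join-Path $ini $name)).Driver
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
        $ver = if ($dll -and (Test-Path $dll)) { (Get-Item $dll).VersionInfo.FileVersion } else { $null }
        [pscustomobject]@{ Driver = $name; Dll = $dll; FileVersion = $ver }
    }
}

function Test-SqlOdbcDriver {
    param(
        [Parameter(Mandatory = $true)][string]$Driver,
        [Parameter(Mandatory = $true)][string]$Server
    )
    # Integrated authentication against master. The server in the comment above forces
    # encryption; for drivers that accept it, append ';Encrypt=yes' to test from the client side.
    $cs   = "Driver={$Driver};Server=$Server;Database=master;Trusted_Connection=yes"
    $conn = New-Object System.Data.Odbc.OdbcConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        $r = $cmd.ExecuteReader()
        [void]$r.Read()
        [pscustomobject]@{ Driver = $Driver; Result = 'OK'; Encrypted = $r['encrypt_option']; Error = $null }
    } catch {
        # Drivers without TLS 1.2 support fail the handshake with the 'SSL Security error' /
        # SECDoClientHandshake() text quoted in the comments above; keep the message verbatim.
        [pscustomobject]@{ Driver = $Driver; Result = 'FAIL'; Encrypted = $null; Error = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

"FIPS policy enabled: $(Get-FipsPolicyState)"
$drivers = Get-SqlOdbcDriver
$drivers | Format-Table -AutoSize
$drivers | ForEach-Object { Test-SqlOdbcDriver -Driver $_.Driver -Server $Server } | Format-Table -AutoSize
```

Run it once with the FIPS policy off and once with it on and compare the two result tables; a driver that only succeeds in the second run is the one the application has to move away from, independently of which DLL the ADO type library ends up loading.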
  • Anonymous
    January 18, 2017
    I'm trying to download the patch from the download link (below). It appears the hotfixes for all versions are returning "This page doesn't exist. Try searching for what you need". The CU links work fine. I am particularly after the patch for 2008 R2 (10.50.6542); I checked the Microsoft Update Catalog but could not find it. Any ideas? Thank you
    https://support.microsoft.com/en-au/help/3135244/tls-1.2-support-for-microsoft-sql-server
    • Anonymous
      January 23, 2017
      Thanks for reporting this issue. We are looking into this issue.
      • Anonymous
        January 25, 2017
        Any word on when these links will be restored? I'm trying to download for SQL Server 2008 sp4. Thanks.
        • Anonymous
          January 26, 2017
          The links have been restored. Please let us know if you have issues with accessing them.
  • Anonymous
    January 26, 2017
    I need "SQL Server 2008 SP4 TLS 1.2 Update" but the link is not working, could you please reactivate download of the fix?
    • Anonymous
      January 26, 2017
      The links have been activated. Sorry about the inconvenience.
      • Anonymous
        March 24, 2017
        I cannot download the TLS update of SQL Server 2008 R2 too. Can you help check the link? Thanks a lot.
        • Anonymous
          March 24, 2017
          I am able to get to the download link. What is the error that you are getting?
          • Anonymous
            March 26, 2017
            Thanks Amit. It was my browser or proxy server error. I can download it with another browser.
  • Anonymous
    January 27, 2017
    I also need to download "SQL Server 2008 Native Client (x86 and x64)" but the link is not working; could you reactivate this link too?
    Best regards
    • Anonymous
      January 27, 2017
      The link is active and working. Here it is: https://support.microsoft.com/en-us/hotfix/kbhotfix?kbnum=3098869&kbln=en-us
      • Anonymous
        January 31, 2017
        Could you please tell me if this link is still active? https://github.com/Microsoft/tigertoolbox/tree/master/tls1.2
        This tool helps us to identify all the updates that I require instead of me searching manually?
        • Anonymous
          January 31, 2017
          Yes, the link is active. This PowerShell script tells you whether the SQL Native Client and ODBC Driver need to be updated.
          • Anonymous
            May 19, 2017
            The script tells me I do not need to update SQL, but we are on SQL 2008 R2 SP2 (10.50.4000 when confirming via @@version), but it's reading 10.52.4000 in the script. Can you please advise? We restricted to TLS1.2 successfully for IIS server communicating to the SQL server, but are encountering issues with another IIS server that also has SSRS (all on Windows 2008 R2). IIS works, SSRS does not. Applied ADO.NET hotfix as instructed, and SSRS still fails. Trying to determine best path forward. Can you advise?
            • Anonymous
              January 28, 2018
              Looks like the script is not checking the version correctly. We will look into it. If your build number is 4000, then you need the database engine update as well if you want to use TLS 1.2.
      • Anonymous
        September 19, 2017
        Link is dead.
        • Anonymous
          September 26, 2017
          I just tested, it's online.
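A build check written the way the comment above says the script should do it, as an added PowerShell example; this is not the tigertoolbox script or other Microsoft code. It compares [version] objects rather than strings, which is the kind of slip that turns a 10.50.4000 build into "10.52.4000". Only the two minimum builds quoted in this thread (10.0.6547 and 10.50.6542) are filled in; the commented-out entries are placeholders to be completed from KB3135244. The live query assumes integrated authentication and an assumed server name.

```powershell
# Added example, not the tigertoolbox script or other Microsoft code: decide whether a
# SQL Server build already carries TLS 1.2 support by comparing [version] objects.

# Major.Minor -> first build with TLS 1.2 support. The two entries present are the
# builds quoted in this comment thread; the commented-out ones are placeholders.
$MinimumTlsBuild = @{
    '10.0'  = [version]'10.0.6547'    # SQL Server 2008 SP4 + KB3144113 (quoted above)
    '10.50' = [version]'10.50.6542'   # SQL Server 2008 R2 TLS 1.2 update (quoted above)
    # '11.0' = [version]'<from KB3135244>'   # SQL Server 2012, placeholder
    # '12.0' = [version]'<from KB3135244>'   # SQL Server 2014, placeholder
}

function Test-SqlTlsBuild {
    # $ProductVersion is what SERVERPROPERTY('ProductVersion') or @@VERSION reports, e.g.
    # '10.50.4000.0'. [version] compares each component numerically, so 10.50.4000 < 10.50.6542
    # < 10.50.10000; a string comparison breaks as soon as a component gains a digit, and an
    # omitted fourth component sorts below .0, so '10.50.6542.0' -ge [version]'10.50.6542' holds.
    param([Parameter(Mandatory = $true)][string]$ProductVersion)
    $v     = [version]$ProductVersion
    $major = '{0}.{1}' -f $v.Major, $v.Minor
    $min   = $MinimumTlsBuild[$major]
    if (-not $min)       { $status = 'Unknown major version: add its minimum build from KB3135244' }
    elseif ($v -ge $min) { $status = 'TLS 1.2 capable' }
    else                 { $status = 'Needs the database engine update' }
    [pscustomobject]@{ ProductVersion = $v; Major = $major; MinimumBuild = $min; Status = $status }
}

function Get-SqlProductVersion {
    # Ask the instance itself instead of reading file versions off disk. This query itself
    # goes over TDS/TLS: if it fails in the pre-login handshake after TLS 1.0 was disabled,
    # the .NET Framework on the querying machine still needs its KB3135244 fix.
    param([Parameter(Mandatory = $true)][string]$Server)
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$Server;Database=master;Integrated Security=SSPI"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128))"
        [string]$cmd.ExecuteScalar()
    } finally {
        $conn.Dispose()
    }
}

# Offline checks against the builds mentioned in this thread, then a live one (assumed server name).
Test-SqlTlsBuild -ProductVersion '10.50.4000.0'
Test-SqlTlsBuild -ProductVersion '10.0.6547.0'
Test-SqlTlsBuild -ProductVersion (Get-SqlProductVersion -Server 'MYSQLSERVER')
```

The build check only covers the database engine; the client drivers and the .NET Framework on every machine that connects still have to be checked separately, which is what the tigertoolbox script and the table in the post are for.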
  • Anonymous
    February 24, 2017
    The comment has been removed
    • Anonymous
      March 09, 2017
      Did you apply any registry policies which would enable this or any recent updates? TLS 1.2 might be enabled for internet traffic already on the server. Could you check the WinHttp settings?
      • Anonymous
        March 14, 2017
        The comment has been removed
        • Anonymous
          March 24, 2017
          We would need to look into the server to determine while correlating that with the change log on the server.
          • Anonymous
            April 04, 2017
            The comment has been removed
            • Anonymous
              January 28, 2018
              I would recommend to work with Microsoft Support or Microsoft Services to complete the due diligence. While the list looks to cover a number of items, it is difficult for me to tell you if this covers your complete environment or not without having the necessary context about your environment.
  • Anonymous
    April 21, 2017
    Using SQL Server 2012 SP3 SSRS on Windows 2008 R2 SP1 with .NET Framework 4.6. Report Manager and Report Service are installed on the web server and the Reports and ReportsTemp DBs on the SQL server. Using a custom app to display reports. Trying to disable TLS 1.0 on the web server. The app consumes Report Service and displays reports fine. Can browse to Report Service. SSMS is able to connect to Reporting Services on the web server and databases on the SQL server. The problem is with browsing to Report Manager on the web server. I receive "Error The underlying connection was closed: An unexpected error occurred on a receive." on the Report Manager home page, "System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm" in the ReportServerService log, and the following 15 entries in the System event log for the next 25 seconds after the request: "Source: SChannel EventID: 36871 Level: Error - A fatal error occurred while creating an SSL client credential. The internal error state is 10013.". I am duplicating this condition on at least two identical web servers configured the same. I have PCT 1.0, SSL 2.0, SSL 3.0, and TLS 1.0 DisabledByDefault=1 and Enabled=0 and TLS 1.1, TLS 1.2 DisabledByDefault=0 and Enabled=1 for both Client and Server in the registry; downloaded and installed SP3 CU1 and all updates and client drivers including .NET and ODBC that would run and am still receiving the error. Have read all articles and blogs I can find and have not found anything that sounds similar, since SSMS and Report Server Service are working. Not sure what to try next. Any suggestions would be greatly appreciated.
  • Anonymous
    July 28, 2017
    The comment has been removed
    • Anonymous
      January 28, 2018
      The comment has been removed
  • Anonymous
    August 05, 2017
    The comment has been removed
    • Anonymous
      January 28, 2018
      I believe you were trying to connect with the SQL OLEDB driver which does not support TLS 1.2. If you want to use that, then you need to enable TLS 1.0 so that the driver will work with the application.
  • Anonymous
    December 28, 2017
    The comment has been removed
    • Anonymous
      January 28, 2018
      What is the provider that you are using to connect? If this is an older provider which is not available in the driver list mentioned in our KB article, then it will not work. If you are using the default drivers, then I would recommend applying the driver updates on both the source and target machines. If the issue still persists, please work with Microsoft Support to resolve the issue.