Microsoft KB Archive/839617



BUG: You cannot connect to an instance of SQL Server on a server computer after you turn on SSL encryption on the SQL Server client computer

Article ID: 839617

Article Last Modified on 3/20/2007



APPLIES TO

  • Microsoft SQL Server 2000 Standard Edition




SYMPTOMS

When you enable Secure Sockets Layer (SSL) encryption by turning on the Force protocol encryption option on the Microsoft SQL Server client computer, and you try to connect to an instance of SQL Server on a server computer, you may not be able to connect to that instance of SQL Server. Additionally, you may receive the following error message:

Error 0x800b010f (CERT_E_CN_NO_MATCH) returned by CertVerifyCertificateChainPolicy!
[12:52:31.555] ConnectionOpen(Supersock): FAILed in SECDoClientHandshake, Error 0x800b010f

Note You can set the Force protocol encryption option by using the Client Network Utility on the SQL Server client computer.

This problem may occur if the following conditions are true:

  • A server authentication certificate is installed on the server computer that is running SQL Server.
  • The subject string of the server authentication certificate includes e-mail address information. The subject string may appear similar to the following:

                    CN = <Fully Qualified Domain Name>
                    OU = <Organization Unit>
                    O = <Organization>
                    L = <Location>
                    S = <State>
                    C = <Country>
                    E = xyz@microsoft.com
  • The CN is not at the end of the subject of the server authentication certificate.
  • Multiple CNs are in the subject of the server authentication certificate.
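
The conditions above can be checked against a certificate's subject string before the client-side Force protocol encryption option is turned on. The following is an added example, not part of the original article or of any Microsoft tool; the function names and sample values are hypothetical, and the attribute order is taken as it appears in the input text.

```python
import re

# "E" is the label in the article's sample subject; "EMAILADDRESS" is the
# label OpenSSL prints for the same attribute (included as an assumption).
EMAIL_LABELS = {"E", "EMAILADDRESS"}

# Constructed sample in the article's layout (hypothetical names).
SAMPLE_SUBJECT = """\
CN = sql01.example.test
OU = IT
O = Example Org
L = Example City
S = Example State
C = US
E = dba@example.test
"""

def parse_subject(subject):
    """Split a subject string into ordered (label, value) pairs.

    Accepts one attribute per line (the article's layout) or a single
    comma-separated line. Commas embedded in values are not handled.
    """
    pairs = []
    for part in re.split(r"[\n,]+", subject):
        if "=" not in part:
            continue  # skip blank or malformed fragments
        label, value = part.split("=", 1)
        pairs.append((label.strip().upper(), value.strip()))
    return pairs

def check_subject(subject):
    """Return which of the article's listed conditions the subject meets."""
    labels = [label for label, _ in parse_subject(subject)]
    cn_count = labels.count("CN")
    findings = []
    if any(label in EMAIL_LABELS for label in labels):
        findings.append("subject includes e-mail address information")
    if cn_count and labels[-1] != "CN":
        findings.append("CN is not at the end of the subject")
    if cn_count > 1:
        findings.append("multiple CNs are in the subject")
    return findings

if __name__ == "__main__":
    for finding in check_subject(SAMPLE_SUBJECT):
        print("WARNING:", finding)
```

An empty result means the subject meets none of the conditions listed in this article; it does not validate the certificate in any other respect.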


WORKAROUND

To work around this problem, turn off SSL encryption on the SQL Server client computer, and then turn on SSL encryption on the SQL Server server computer. To turn on the Force protocol encryption option on the SQL Server server computer, use the Server Network Utility. To do this, follow these steps.

Note Do not turn on the Force protocol encryption option on both the SQL Server client computer and the SQL Server server computer.

  1. Start Server Network Utility.
  2. In the Server Network Utility dialog box, click the General tab.
  3. On the General tab, click Force protocol encryption.
  4. Click OK.

Warning If you turn on SSL encryption on the server computer that is running SQL Server, all the SQL Server client computers must connect to the SQL Server server computer by using SSL encryption.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

REFERENCES

For more information about SSL encryption, visit the following Microsoft Developer Network (MSDN) Web site:

For more information about SSL encryption and SQL Server, click the following article number to view the article in the Microsoft Knowledge Base:

318605 How SQL Server uses a certificate when the Force Protocol Encryption option is set on


For more information about other SQL Server connectivity issues when SSL encryption is turned on, click the following article numbers to view the articles in the Microsoft Knowledge Base:

316779 Clients with Force Protocol Encryption set on may fail to connect with an IP address


322144 FIX: SECDoClientHandShake cannot connect to SQL Server


309398 SQL Server 2000 installation or local connections fail with "SSL Security error :ConnectionOpen (SECDoClientHandshake())" error message


