(839617) - If you specify e-mail details when you create the server certificate on the SQL Server computer and you enable SSL encryption on the SQL Server client, connections to SQL Server may fail. To work around this problem, enable SSL encryption on the SQL Server instance.

Microsoft Knowledge Base Article

This article's content is Microsoft copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved.

Article ID: 839617 - Last Review: March 20, 2007 - Revision: 2.3

BUG: You cannot connect to an instance of SQL Server on a server computer after you turn on SSL encryption on the SQL Server client computer

SYMPTOMS

When you enable Secure Sockets Layer (SSL) encryption by turning on the Force protocol encryption option on the Microsoft SQL Server client computer, and you try to connect to an instance of SQL Server on a server computer, you may not be able to connect to that instance of SQL Server. Additionally, you may receive the following error message:
Error 0x800b010f (CERT_E_CN_NO_MATCH) returned by CertVerifyCertificateChainPolicy!
[12:52:31.555] ConnectionOpen(Supersock): FAILed in SECDoClientHandshake, Error 0x800b010f
Note: You can set the Force protocol encryption option by using the Client Network Utility on the SQL Server client computer.

This problem may occur if the following conditions are true:
  • A server authentication certificate is installed on the server computer that is running SQL Server.
  • The subject string of the server authentication certificate includes e-mail address information. The subject string may appear similar to the following:
                    CN = <Fully Qualified Domain Name>
                    OU = <Organization Unit>
                    O = <Organization>
                    L = <Location>
                    S = <State>
                    C = <Country>
                    E = xyz@microsoft.com
  • The CN is not at the end of the subject of the server authentication certificate.
  • Multiple CNs are in the subject of the server authentication certificate.
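
The subject conditions listed above can be checked before a certificate is installed. The following is an added example, not code from the article or from Microsoft: it parses a subject string in the layout shown above and reports which of the listed conditions it meets. The function names, finding labels and sample values are assumptions made for illustration, and attribute order is taken as displayed.

```python
import re

# Attribute keys that carry an e-mail address in a displayed subject string.
EMAIL_KEYS = {"E", "EMAIL", "EMAILADDRESS"}

# Constructed sample in the layout the article shows (values are made up).
SAMPLE_SUBJECT = """\
CN = sql01.corp.example.com
OU = Database Services
O = Example Corp
L = Redmond
S = Washington
C = US
E = dba@example.com
"""

def parse_subject(subject):
    """Return ordered (KEY, value) pairs from a displayed subject string.

    Accepts one attribute per line, as in the article, or a single
    comma-separated line. Escaped commas inside values are not handled.
    """
    pairs = []
    for part in re.split(r"\r?\n|,(?=\s*[A-Za-z][\w.]*\s*=)", subject):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("not a KEY = value attribute: %r" % part)
        pairs.append((key.strip().upper(), value.strip()))
    return pairs

def check_subject(subject):
    """Return which of the article's subject conditions this subject meets."""
    keys = [key for key, _ in parse_subject(subject)]
    findings = []
    if any(key in EMAIL_KEYS for key in keys):
        findings.append("EMAIL_IN_SUBJECT")
    if "CN" in keys and keys[-1] != "CN":
        findings.append("CN_NOT_LAST")
    if keys.count("CN") > 1:
        findings.append("MULTIPLE_CN")
    return findings

if __name__ == "__main__":
    print(check_subject(SAMPLE_SUBJECT))
```

An empty result means the subject meets none of the listed conditions.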

WORKAROUND

To work around this problem, turn off SSL encryption on the SQL Server client computer, and then turn on SSL encryption on the SQL Server server computer. To turn on the Force protocol encryption option on the SQL Server server computer, use the Server Network Utility. To do this, follow these steps.

Note: Do not turn on the Force protocol encryption option on both the SQL Server client computer and the SQL Server server computer.
  1. Start Server Network Utility.
  2. In the Server Network Utility dialog box, click the General tab.
  3. On the General tab, click Force protocol encryption.
  4. Click OK.
Warning: If you turn on SSL encryption on the server computer that is running SQL Server, all the SQL Server client computers must connect to the SQL Server server computer by using SSL encryption.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

REFERENCES

For more information about SSL encryption, visit the following Microsoft Developer Network (MSDN) Web site:
http://msdn2.microsoft.com/en-us/library/aa174508(SQL.80).aspx
For more information about SSL encryption and SQL Server, click the following article number to view the article in the Microsoft Knowledge Base:
318605  (http://kbalertz.com/Feedback.aspx?kbNumber=318605/ ) How SQL Server uses a certificate when the Force Protocol Encryption option is set on
For more information about other SQL Server connectivity issues when SSL encryption is turned on, click the following article numbers to view the articles in the Microsoft Knowledge Base:
316779  (http://kbalertz.com/Feedback.aspx?kbNumber=316779/ ) Clients with Force Protocol Encryption set on may fail to connect with an IP address
322144  (http://kbalertz.com/Feedback.aspx?kbNumber=322144/ ) FIX: SECDoClientHandShake cannot connect to SQL Server
309398  (http://kbalertz.com/Feedback.aspx?kbNumber=309398/ ) SQL Server 2000 installation or local connections fail with "SSL Security error :ConnectionOpen (SECDoClientHandshake())" error message

APPLIES TO
  • Microsoft SQL Server 2000 Standard Edition
Keywords: 
kbqfe kbfix kbcertservices kbenable kbemail kbconnectivity kbsqlclient kbserver kbclientserver kberrmsg kbbug KB839617
       
