Comprehensive data protection for all workloads
Post Reply
vsousa
Lurker
Posts: 2
Liked: never
Joined: Jul 10, 2018 7:20 pm
Full Name: Vincent Sousa
Contact:

[RESOLVED] SQL Server processing with TLS 1.2

Post by vsousa »

I was working with a Veeam support rep and when TLS 1.0 is disabled on server 2016 the following warning is generated on the veeam backup server.

Code: Select all

Failed to truncate Microsoft SQL Server transaction logs. Details: Failed to process 'TruncateSQLLog' command. Failed to truncate SQL server transaction logs for instances: . See guest helper log.
When I enable TLS 1.0 the backup completes successfully.
The veeam support rep advised to make the following changes in the registry which I did and the backup still throws the same warning.

Code: Select all

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\Enabled
I also tried setting up a UDL file test with TLS 1.0 enabled and it connects fine. When I enable TLS 1.2 and disable TLS 1.0 I get the following error:

Code: Select all

Test connection failed because of an error in initializing provider. SSL Security error.
The Veeam support rep basically said contact Microsoft. So, does Veeam backup work when TLS 1.0 is diabled?
PTide
Product Manager
Posts: 6408
Liked: 724 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: Veeam Support - Case # 03085255

Post by PTide »

Hi,

Please try adding UseSqlNativeClientProvider 1 DWORD on the processed VM in the HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\ registry leaf.

Thanks
Gostev
Chief Product Officer
Posts: 31459
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Veeam Support - Case # 03085255

Post by Gostev »

This is mostly about preparing the SQL Server itself for working with TLS 1.2.

If OLE DB on the SQL Server is fully patched and supports TLS 1.2, then it will just work. The easiest way to verify the compatibility is to perform "UDL test" (Google for this string).

Otherwise, if your installation is not compatible with TLS 1.2, than the workaround is to use another SQL client instead, as PTide already mentioned.
vsousa
Lurker
Posts: 2
Liked: never
Joined: Jul 10, 2018 7:20 pm
Full Name: Vincent Sousa
Contact:

Re: Veeam Support - Case # 03085255

Post by vsousa »

Thank you PTide. Adding that registry setting seemed to resolve the issue on that 1 server. Now I just have to make the change on the other servers.
VanillaMastermind
Enthusiast
Posts: 37
Liked: 7 times
Joined: Nov 23, 2015 4:47 pm
Full Name: VanillaMastermind
Contact:

[MERGED] How to enable backups of SQL Server over TLS 1.2

Post by VanillaMastermind »

We are trying to discontinue the use of TLS 1.0 and move to TLS 1.2 for tighter security. I have all SQL Servers patched to the newest levels. SQL backups work fine on TLS 1.0 machines, but machines that have TLS 1.0 disabled (thereby using TLS 1.2 instead), fail with the message

Code: Select all

Failed to backup SQL Server instance databases: Code = 0x80004005 Code meaning = Unspecified error Source = Microsoft OLE DB Provider for SQL Server Description = [DBNETLIB][ConnectionOpen (SECDoClientHandshake()).]SSL Security error. COM error: Code: 0x80004005
If I re-enable TLS 1.0 by making the following registry change, backups work okay.

Code: Select all

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\Enabled = 1
From the many forum posts I read, it seems that everyone is sticking with TLS 1.0, which is not the greatest idea. Does Veeam B&R not work properly with TLS 1.2? Do I just need to update SQL Server provider(s) on the Veeam B&R server? What is the proper way to do this? I want to do this safely without breaking communications to older machines still using TLS 1.0.
nmdange
Veteran
Posts: 527
Liked: 142 times
Joined: Aug 20, 2015 9:30 pm
Contact:

Re: How to enable backups of SQL Server over TLS 1.2

Post by nmdange »

I haven't tested this, but check this KB article to make sure you are using a version of SQL Server and a version of the client software that supports TLS 1.2
https://support.microsoft.com/en-us/hel ... sql-server
VanillaMastermind
Enthusiast
Posts: 37
Liked: 7 times
Joined: Nov 23, 2015 4:47 pm
Full Name: VanillaMastermind
Contact:

Re: SQL Server processing with TLS 1.2

Post by VanillaMastermind »

I am reverting back to TLS 1.0 for now until Veeam support has clear directions on how to get TLS 1.2 working, if it's even possible.
Gostev
Chief Product Officer
Posts: 31459
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: SQL Server processing with TLS 1.2

Post by Gostev »

Did you read our posts above?
VanillaMastermind
Enthusiast
Posts: 37
Liked: 7 times
Joined: Nov 23, 2015 4:47 pm
Full Name: VanillaMastermind
Contact:

Re: SQL Server processing with TLS 1.2

Post by VanillaMastermind » 1 person likes this post

VanillaMastermind wrote:I am reverting back to TLS 1.0 for now until Veeam support has clear directions on how to get TLS 1.2 working, if it's even possible.
SOLVED

After making the following change in the registry on each processed VM running SQL Server with TLS 1.0 disabled, backups started working:

Add a new DWORD called "UseSqlNativeClientProvider" with a value of 1 to the node "HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\"
AUmonroe
Influencer
Posts: 11
Liked: never
Joined: Sep 26, 2018 7:37 pm
Full Name: AUmonroe
Contact:

Re: SQL Server processing with TLS 1.2

Post by AUmonroe »

I have run into this same issue on my VM's and the above suggestion by VanillaMastermind did the trick. However, I am now having the issue with a physical server, does anyone know the correct place in the registry to mitigate this problem, as "HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\" does not exist on systems managed by the Veeam Agent. I have done some research and came up blank.

TIA!
foggy
Veeam Software
Posts: 21069
Liked: 2115 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: SQL Server processing with TLS 1.2

Post by foggy » 1 person likes this post

Try placing it in HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Endpoint Backup.
AUmonroe
Influencer
Posts: 11
Liked: never
Joined: Sep 26, 2018 7:37 pm
Full Name: AUmonroe
Contact:

Re: SQL Server processing with TLS 1.2

Post by AUmonroe »

Foggy, that did the trick.. thanks!
geraldsskill
Lurker
Posts: 1
Liked: 2 times
Joined: Dec 03, 2018 7:59 am
Contact:

Re: SQL Server processing with TLS 1.2

Post by geraldsskill » 2 people like this post

In case anyone else was struggling with this, even after applying the suggested registry key:
I was getting the SSL error on VMs that were running SQL Server after having disabled TLS 1.0 throughout our domain, so I tried creating the UseSqlNativeClientProvider registry key under Veeam Backup and Replication - since it's a VM backup, that's the expected place, right? Well, it didn't help. So I took a look at the Veeam Endpoint Backup and noticed a bunch of info about our backup server recorded in there and figured I might as well try creating the UseSqlNativeClientProvider key in there. Success! No more SSL error.
doktornotor
Enthusiast
Posts: 94
Liked: 29 times
Joined: Mar 07, 2018 12:57 pm
Contact:

Re: Veeam Support - Case # 03085255

Post by doktornotor » 2 people like this post

Adding OLE DB 18 download link here: https://www.microsoft.com/en-us/downloa ... x?id=56730
And the release announcement: https://blogs.msdn.microsoft.com/sqlrel ... ql-server/

The above is required for TLS 1.2 support. The legacy OLE DB drivers bundled with Windows do not (and will not) support TLS 1.2.
chrisrickert
Lurker
Posts: 1
Liked: never
Joined: Jun 14, 2019 8:15 pm
Full Name: Chris Rickert
Contact:

Re: [Resolved] SQL Server processing with TLS 1.2

Post by chrisrickert »

In this case, does one install the new OLE DB 18 driver on the Veeam Server or the SQL server?
foggy
Veeam Software
Posts: 21069
Liked: 2115 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: [Resolved] SQL Server processing with TLS 1.2

Post by foggy »

On the SQL Server.
hbshks
Lurker
Posts: 1
Liked: never
Joined: Jul 07, 2015 8:29 am
Contact:

Re: [Resolved] SQL Server processing with TLS 1.2

Post by hbshks »

Do I need this new OLE DB 18 driver, even if we don't use OLE for our SQL processing. Does Veeam use OLE DB driver?
Gostev
Chief Product Officer
Posts: 31459
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: [RESOLVED] SQL Server processing with TLS 1.2

Post by Gostev »

Yes.
Gostev
Chief Product Officer
Posts: 31459
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: [RESOLVED] SQL Server processing with TLS 1.2

Post by Gostev »

After further investigations, Veeam is currently using SQLOLEDB provider, so installing MSOLEDBSQL provider will make no difference. We plan to address this post-v10. Thanks!
jwerner
Lurker
Posts: 1
Liked: never
Joined: Jan 15, 2020 1:48 pm
Contact:

Re: [RESOLVED] SQL Server processing with TLS 1.2

Post by jwerner »

Hi, are there any news about SQLOLEDB/MSOLEDBSQL functionality for post-v10? Thanks!
ChrisGundry
Veteran
Posts: 258
Liked: 40 times
Joined: Aug 26, 2015 2:56 pm
Full Name: Chris Gundry
Contact:

Re: [RESOLVED] SQL Server processing with TLS 1.2

Post by ChrisGundry »

Also interested to know if there is an update on this issue? We disabled TLS1.0/1.1 today and found that Veeam SQL backups started to fail. We have applied the registry tweak, which has worked around the issue. But we don't fully understand what the registry setting has changed. Ideally we don't want to be deploying registry settings to all of our SQL servers and it is something that will not be remembered when new SQL servers are deployed. There should really be a KB about this with the full info Veeam, the only KBs I could find related to disabling 1.0/1.1 did not relate or address this issue...
foggy
Veeam Software
Posts: 21069
Liked: 2115 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: [RESOLVED] SQL Server processing with TLS 1.2

Post by foggy »

In one of the following updates, we're going to switch to using MSOLEDBSQL as the default (as it comes with the new SQL versions).

Currently, you can use the registry value to force Veeam to use the 'Native SQL Client Provider' instead of SQLOLEDB. Here's the KB article regarding this.
Post Reply

Who is online

Users browsing this forum: B.F., rweis and 255 guests