[RESOLVED] SQL Server processing with TLS 1.2

[vsousa]

I was working with a Veeam support rep and when TLS 1.0 is disabled on server 2016 the following warning is generated on the veeam backup server.

Code: Select all

Failed to truncate Microsoft SQL Server transaction logs. Details: Failed to process 'TruncateSQLLog' command. Failed to truncate SQL server transaction logs for instances: . See guest helper log.

When I enable TLS 1.0 the backup completes successfully.
The veeam support rep advised to make the following changes in the registry which I did and the backup still throws the same warning.

Code: Select all

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\Enabled

I also tried setting up a UDL file test with TLS 1.0 enabled and it connects fine. When I enable TLS 1.2 and disable TLS 1.0 I get the following error:

Code: Select all

Test connection failed because of an error in initializing provider. SSL Security error.

The Veeam support rep basically said contact Microsoft. So, does Veeam backup work when TLS 1.0 is diabled?

[PTide]

Hi,

Please try adding UseSqlNativeClientProvider 1 DWORD on the processed VM in the HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\ registry leaf.

Thanks

[Gostev]

This is mostly about preparing the SQL Server itself for working with TLS 1.2.

If OLE DB on the SQL Server is fully patched and supports TLS 1.2, then it will just work. The easiest way to verify the compatibility is to perform "UDL test" (Google for this string).

Otherwise, if your installation is not compatible with TLS 1.2, than the workaround is to use another SQL client instead, as PTide already mentioned.

[vsousa]

Thank you PTide. Adding that registry setting seemed to resolve the issue on that 1 server. Now I just have to make the change on the other servers.

[VanillaMastermind]

We are trying to discontinue the use of TLS 1.0 and move to TLS 1.2 for tighter security. I have all SQL Servers patched to the newest levels. SQL backups work fine on TLS 1.0 machines, but machines that have TLS 1.0 disabled (thereby using TLS 1.2 instead), fail with the message

Code: Select all

Failed to backup SQL Server instance databases: Code = 0x80004005 Code meaning = Unspecified error Source = Microsoft OLE DB Provider for SQL Server Description = [DBNETLIB][ConnectionOpen (SECDoClientHandshake()).]SSL Security error. COM error: Code: 0x80004005

If I re-enable TLS 1.0 by making the following registry change, backups work okay.

Code: Select all

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\Enabled = 1

From the many forum posts I read, it seems that everyone is sticking with TLS 1.0, which is not the greatest idea. Does Veeam B&R not work properly with TLS 1.2? Do I just need to update SQL Server provider(s) on the Veeam B&R server? What is the proper way to do this? I want to do this safely without breaking communications to older machines still using TLS 1.0.

[nmdange]

I haven't tested this, but check this KB article to make sure you are using a version of SQL Server and a version of the client software that supports TLS 1.2
https://support.microsoft.com/en-us/hel ... sql-server

[VanillaMastermind]

I am reverting back to TLS 1.0 for now until Veeam support has clear directions on how to get TLS 1.2 working, if it's even possible.

[Gostev]

Did you read our posts above?

[VanillaMastermind]

I am reverting back to TLS 1.0 for now until Veeam support has clear directions on how to get TLS 1.2 working, if it's even possible.

SOLVED

After making the following change in the registry on each processed VM running SQL Server with TLS 1.0 disabled, backups started working:

Add a new DWORD called "UseSqlNativeClientProvider" with a value of 1 to the node "HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\"

[AUmonroe]

I have run into this same issue on my VM's and the above suggestion by VanillaMastermind did the trick. However, I am now having the issue with a physical server, does anyone know the correct place in the registry to mitigate this problem, as "HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\" does not exist on systems managed by the Veeam Agent. I have done some research and came up blank.

TIA!

[foggy]

Try placing it in HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Endpoint Backup.

[AUmonroe]

Foggy, that did the trick.. thanks!

[geraldsskill]

In case anyone else was struggling with this, even after applying the suggested registry key:
I was getting the SSL error on VMs that were running SQL Server after having disabled TLS 1.0 throughout our domain, so I tried creating the UseSqlNativeClientProvider registry key under Veeam Backup and Replication - since it's a VM backup, that's the expected place, right? Well, it didn't help. So I took a look at the Veeam Endpoint Backup and noticed a bunch of info about our backup server recorded in there and figured I might as well try creating the UseSqlNativeClientProvider key in there. Success! No more SSL error.

[doktornotor]

Adding OLE DB 18 download link here: https://www.microsoft.com/en-us/downloa ... x?id=56730
And the release announcement: https://blogs.msdn.microsoft.com/sqlrel ... ql-server/

The above is required for TLS 1.2 support. The legacy OLE DB drivers bundled with Windows do not (and will not) support TLS 1.2.

[chrisrickert]

In this case, does one install the new OLE DB 18 driver on the Veeam Server or the SQL server?

[foggy]

On the SQL Server.

[hbshks]

Do I need this new OLE DB 18 driver, even if we don't use OLE for our SQL processing. Does Veeam use OLE DB driver?

[Gostev]

Yes.

[Gostev]

After further investigations, Veeam is currently using SQLOLEDB provider, so installing MSOLEDBSQL provider will make no difference. We plan to address this post-v10. Thanks!

[jwerner]

Hi, are there any news about SQLOLEDB/MSOLEDBSQL functionality for post-v10? Thanks!

[ChrisGundry]

Also interested to know if there is an update on this issue? We disabled TLS1.0/1.1 today and found that Veeam SQL backups started to fail. We have applied the registry tweak, which has worked around the issue. But we don't fully understand what the registry setting has changed. Ideally we don't want to be deploying registry settings to all of our SQL servers and it is something that will not be remembered when new SQL servers are deployed. There should really be a KB about this with the full info Veeam, the only KBs I could find related to disabling 1.0/1.1 did not relate or address this issue...

[foggy]

In one of the following updates, we're going to switch to using MSOLEDBSQL as the default (as it comes with the new SQL versions).

Currently, you can use the registry value to force Veeam to use the 'Native SQL Client Provider' instead of SQLOLEDB. Here's the KB article regarding this.