Availability for the Always-On Enterprise
Post Reply
vsousa
Lurker
Posts: 2
Liked: never
Joined: Jul 10, 2018 7:20 pm
Full Name: Vincent Sousa
Contact:

[Resolved] SQL Server processing with TLS 1.2

Post by vsousa » Jul 10, 2018 7:39 pm

I was working with a Veeam support rep and when TLS 1.0 is disabled on server 2016 the following warning is generated on the veeam backup server.

Code: Select all

Failed to truncate Microsoft SQL Server transaction logs. Details: Failed to process 'TruncateSQLLog' command. Failed to truncate SQL server transaction logs for instances: . See guest helper log.
When I enable TLS 1.0 the backup completes successfully.
The veeam support rep advised to make the following changes in the registry which I did and the backup still throws the same warning.

Code: Select all

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\Enabled
I also tried setting up a UDL file test with TLS 1.0 enabled and it connects fine. When I enable TLS 1.2 and disable TLS 1.0 I get the following error:

Code: Select all

Test connection failed because of an error in initializing provider. SSL Security error.
The Veeam support rep basically said contact Microsoft. So, does Veeam backup work when TLS 1.0 is diabled?

PTide
Veeam Software
Posts: 4570
Liked: 375 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: Veeam Support - Case # 03085255

Post by PTide » Jul 10, 2018 9:11 pm

Hi,

Please try adding UseSqlNativeClientProvider 1 DWORD on the processed VM in the HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\ registry leaf.

Thanks

Gostev
Veeam Software
Posts: 23215
Liked: 2977 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Veeam Support - Case # 03085255

Post by Gostev » Jul 11, 2018 11:38 am

This is mostly about preparing the SQL Server itself for working with TLS 1.2.

If OLE DB on the SQL Server is fully patched and supports TLS 1.2, then it will just work. The easiest way to verify the compatibility is to perform "UDL test" (Google for this string).

Otherwise, if your installation is not compatible with TLS 1.2, than the workaround is to use another SQL client instead, as PTide already mentioned.

vsousa
Lurker
Posts: 2
Liked: never
Joined: Jul 10, 2018 7:20 pm
Full Name: Vincent Sousa
Contact:

Re: Veeam Support - Case # 03085255

Post by vsousa » Jul 11, 2018 3:02 pm

Thank you PTide. Adding that registry setting seemed to resolve the issue on that 1 server. Now I just have to make the change on the other servers.

VanillaMastermind
Enthusiast
Posts: 37
Liked: 6 times
Joined: Nov 23, 2015 4:47 pm
Full Name: VanillaMastermind
Contact:

[MERGED] How to enable backups of SQL Server over TLS 1.2

Post by VanillaMastermind » Aug 06, 2018 1:16 pm

We are trying to discontinue the use of TLS 1.0 and move to TLS 1.2 for tighter security. I have all SQL Servers patched to the newest levels. SQL backups work fine on TLS 1.0 machines, but machines that have TLS 1.0 disabled (thereby using TLS 1.2 instead), fail with the message

Code: Select all

Failed to backup SQL Server instance databases: Code = 0x80004005 Code meaning = Unspecified error Source = Microsoft OLE DB Provider for SQL Server Description = [DBNETLIB][ConnectionOpen (SECDoClientHandshake()).]SSL Security error. COM error: Code: 0x80004005
If I re-enable TLS 1.0 by making the following registry change, backups work okay.

Code: Select all

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\Enabled = 1
From the many forum posts I read, it seems that everyone is sticking with TLS 1.0, which is not the greatest idea. Does Veeam B&R not work properly with TLS 1.2? Do I just need to update SQL Server provider(s) on the Veeam B&R server? What is the proper way to do this? I want to do this safely without breaking communications to older machines still using TLS 1.0.

nmdange
Expert
Posts: 371
Liked: 85 times
Joined: Aug 20, 2015 9:30 pm
Contact:

Re: How to enable backups of SQL Server over TLS 1.2

Post by nmdange » Aug 06, 2018 5:43 pm

I haven't tested this, but check this KB article to make sure you are using a version of SQL Server and a version of the client software that supports TLS 1.2
https://support.microsoft.com/en-us/hel ... sql-server

VanillaMastermind
Enthusiast
Posts: 37
Liked: 6 times
Joined: Nov 23, 2015 4:47 pm
Full Name: VanillaMastermind
Contact:

Re: SQL Server processing with TLS 1.2

Post by VanillaMastermind » Aug 10, 2018 1:11 pm

I am reverting back to TLS 1.0 for now until Veeam support has clear directions on how to get TLS 1.2 working, if it's even possible.

Gostev
Veeam Software
Posts: 23215
Liked: 2977 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: SQL Server processing with TLS 1.2

Post by Gostev » Aug 10, 2018 3:52 pm

Did you read our posts above?

VanillaMastermind
Enthusiast
Posts: 37
Liked: 6 times
Joined: Nov 23, 2015 4:47 pm
Full Name: VanillaMastermind
Contact:

Re: SQL Server processing with TLS 1.2

Post by VanillaMastermind » Aug 14, 2018 5:22 pm 1 person likes this post

VanillaMastermind wrote:I am reverting back to TLS 1.0 for now until Veeam support has clear directions on how to get TLS 1.2 working, if it's even possible.
SOLVED

After making the following change in the registry on each processed VM running SQL Server with TLS 1.0 disabled, backups started working:

Add a new DWORD called "UseSqlNativeClientProvider" with a value of 1 to the node "HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\"

AUmonroe
Novice
Posts: 9
Liked: never
Joined: Sep 26, 2018 7:37 pm
Full Name: AUmonroe
Contact:

Re: SQL Server processing with TLS 1.2

Post by AUmonroe » Sep 26, 2018 7:44 pm

I have run into this same issue on my VM's and the above suggestion by VanillaMastermind did the trick. However, I am now having the issue with a physical server, does anyone know the correct place in the registry to mitigate this problem, as "HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\" does not exist on systems managed by the Veeam Agent. I have done some research and came up blank.

TIA!

foggy
Veeam Software
Posts: 17126
Liked: 1401 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: SQL Server processing with TLS 1.2

Post by foggy » Sep 27, 2018 3:55 pm 1 person likes this post

Try placing it in HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Endpoint Backup.

AUmonroe
Novice
Posts: 9
Liked: never
Joined: Sep 26, 2018 7:37 pm
Full Name: AUmonroe
Contact:

Re: SQL Server processing with TLS 1.2

Post by AUmonroe » Sep 28, 2018 8:46 pm

Foggy, that did the trick.. thanks!

geraldsskill
Lurker
Posts: 1
Liked: 2 times
Joined: Dec 03, 2018 7:59 am
Contact:

Re: SQL Server processing with TLS 1.2

Post by geraldsskill » Dec 03, 2018 8:06 am 2 people like this post

In case anyone else was struggling with this, even after applying the suggested registry key:
I was getting the SSL error on VMs that were running SQL Server after having disabled TLS 1.0 throughout our domain, so I tried creating the UseSqlNativeClientProvider registry key under Veeam Backup and Replication - since it's a VM backup, that's the expected place, right? Well, it didn't help. So I took a look at the Veeam Endpoint Backup and noticed a bunch of info about our backup server recorded in there and figured I might as well try creating the UseSqlNativeClientProvider key in there. Success! No more SSL error.

doktornotor
Influencer
Posts: 17
Liked: 6 times
Joined: Mar 07, 2018 12:57 pm
Contact:

Re: Veeam Support - Case # 03085255

Post by doktornotor » Dec 04, 2018 6:08 pm 2 people like this post

Adding OLE DB 18 download link here: https://www.microsoft.com/en-us/downloa ... x?id=56730
And the release announcement: https://blogs.msdn.microsoft.com/sqlrel ... ql-server/

The above is required for TLS 1.2 support. The legacy OLE DB drivers bundled with Windows do not (and will not) support TLS 1.2.

Post Reply

Who is online

Users browsing this forum: foggy, Ildar, ivica.vujovic and 70 guests