Availability for the Always-On Enterprise
Post Reply
vsousa
Lurker
Posts: 2
Liked: never
Joined: Jul 10, 2018 7:20 pm
Full Name: Vincent Sousa
Contact:

SQL Server processing with TLS 1.2

Post by vsousa » Jul 10, 2018 7:39 pm

I was working with a Veeam support rep and when TLS 1.0 is disabled on server 2016 the following warning is generated on the veeam backup server.

Code: Select all

Failed to truncate Microsoft SQL Server transaction logs. Details: Failed to process 'TruncateSQLLog' command. Failed to truncate SQL server transaction logs for instances: . See guest helper log.
When I enable TLS 1.0 the backup completes successfully.
The veeam support rep advised to make the following changes in the registry which I did and the backup still throws the same warning.

Code: Select all

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\Enabled
I also tried setting up a UDL file test with TLS 1.0 enabled and it connects fine. When I enable TLS 1.2 and disable TLS 1.0 I get the following error:

Code: Select all

Test connection failed because of an error in initializing provider. SSL Security error.
The Veeam support rep basically said contact Microsoft. So, does Veeam backup work when TLS 1.0 is diabled?

PTide
Veeam Software
Posts: 4247
Liked: 350 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: Veeam Support - Case # 03085255

Post by PTide » Jul 10, 2018 9:11 pm

Hi,

Please try adding UseSqlNativeClientProvider 1 DWORD on the processed VM in the HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\ registry leaf.

Thanks

Gostev
Veeam Software
Posts: 22810
Liked: 2802 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Veeam Support - Case # 03085255

Post by Gostev » Jul 11, 2018 11:38 am

This is mostly about preparing the SQL Server itself for working with TLS 1.2.

If OLE DB on the SQL Server is fully patched and supports TLS 1.2, then it will just work. The easiest way to verify the compatibility is to perform "UDL test" (Google for this string).

Otherwise, if your installation is not compatible with TLS 1.2, than the workaround is to use another SQL client instead, as PTide already mentioned.

vsousa
Lurker
Posts: 2
Liked: never
Joined: Jul 10, 2018 7:20 pm
Full Name: Vincent Sousa
Contact:

Re: Veeam Support - Case # 03085255

Post by vsousa » Jul 11, 2018 3:02 pm

Thank you PTide. Adding that registry setting seemed to resolve the issue on that 1 server. Now I just have to make the change on the other servers.

VanillaMastermind
Enthusiast
Posts: 36
Liked: 6 times
Joined: Nov 23, 2015 4:47 pm
Full Name: VanillaMastermind
Contact:

[MERGED] How to enable backups of SQL Server over TLS 1.2

Post by VanillaMastermind » Aug 06, 2018 1:16 pm

We are trying to discontinue the use of TLS 1.0 and move to TLS 1.2 for tighter security. I have all SQL Servers patched to the newest levels. SQL backups work fine on TLS 1.0 machines, but machines that have TLS 1.0 disabled (thereby using TLS 1.2 instead), fail with the message

Code: Select all

Failed to backup SQL Server instance databases: Code = 0x80004005 Code meaning = Unspecified error Source = Microsoft OLE DB Provider for SQL Server Description = [DBNETLIB][ConnectionOpen (SECDoClientHandshake()).]SSL Security error. COM error: Code: 0x80004005
If I re-enable TLS 1.0 by making the following registry change, backups work okay.

Code: Select all

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\Enabled = 1
From the many forum posts I read, it seems that everyone is sticking with TLS 1.0, which is not the greatest idea. Does Veeam B&R not work properly with TLS 1.2? Do I just need to update SQL Server provider(s) on the Veeam B&R server? What is the proper way to do this? I want to do this safely without breaking communications to older machines still using TLS 1.0.

nmdange
Expert
Posts: 339
Liked: 82 times
Joined: Aug 20, 2015 9:30 pm
Contact:

Re: How to enable backups of SQL Server over TLS 1.2

Post by nmdange » Aug 06, 2018 5:43 pm

I haven't tested this, but check this KB article to make sure you are using a version of SQL Server and a version of the client software that supports TLS 1.2
https://support.microsoft.com/en-us/hel ... sql-server

VanillaMastermind
Enthusiast
Posts: 36
Liked: 6 times
Joined: Nov 23, 2015 4:47 pm
Full Name: VanillaMastermind
Contact:

Re: SQL Server processing with TLS 1.2

Post by VanillaMastermind » Aug 10, 2018 1:11 pm

I am reverting back to TLS 1.0 for now until Veeam support has clear directions on how to get TLS 1.2 working, if it's even possible.

Gostev
Veeam Software
Posts: 22810
Liked: 2802 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: SQL Server processing with TLS 1.2

Post by Gostev » Aug 10, 2018 3:52 pm

Did you read our posts above?

VanillaMastermind
Enthusiast
Posts: 36
Liked: 6 times
Joined: Nov 23, 2015 4:47 pm
Full Name: VanillaMastermind
Contact:

Re: SQL Server processing with TLS 1.2

Post by VanillaMastermind » Aug 14, 2018 5:22 pm 1 person likes this post

VanillaMastermind wrote:I am reverting back to TLS 1.0 for now until Veeam support has clear directions on how to get TLS 1.2 working, if it's even possible.
SOLVED

After making the following change in the registry on each processed VM running SQL Server with TLS 1.0 disabled, backups started working:

Add a new DWORD called "UseSqlNativeClientProvider" with a value of 1 to the node "HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\"

Post Reply

Who is online

Users browsing this forum: lconnor, nmdange and 90 guests