SQL Server SSL Certificate

Hi All,
I am slowly getting to the bottom of applying SSL throughout my project but am stuck in the current situation and I need help please..
Project is a Java servlet running on Windows. Java 1.6 and Tomcat 7 but connects to a SQL Server database and an Oracle database (running on unix). We have a keystore set up successfully on the servlets' server with root, intermediate certificates etc
that successfully encrypts the connection to Oracle. The server team maintaining the server hosting the SQL Server database have supplied me with an SSL certificate, I am told is for accessing the SQL Server database. I am assuming it is a public key certificate.
I am trying to apply this certificate to encrypt the network traffic to the SQL Server database. I have attempted to import the certificate into the keystore mentioned above using the Java keytool but this does not work so I deleted the certificate from
the keystore again. I found the URL below which I have followed to install the certificate through MMC but cannot find how to now force Tomcat to encrypt the network traffic.
http://support.microsoft.com/kb/316898
Can someone please tell me what I am missing here please? There is loads of guidance on setting up keystores with root and intermediate certificates etc, but I cannot find any guidance on what to do in Tomcat to use a single provided SSL certificate. Do
I use the Java cacerts file and import the certificate in there?
Thanks in advance
Regards
AJF

Hi SQL Team - MSFT
Thank you for your response.
I have been looking at this further. I have only been given one SSL certificate which I am assuming because it has a file format of ".cer" it is the public key for the certificate on the server hosting the SQL server database. For this to work
they way we want, the "clients" will not have SQL Server Configuration Manager installed, but instead will have the SSL certificate mention above stored in a Keystore set up with the "Keytool" in the Java JRE.
I am unsure how the guys who manage the server hosting the SQL server database have set up the SSL certificate, i.e. if they have set up a root and intermediate certificate etc. I am currently trying to get information out of them (They are not
located immdiately near my location). I have a funny feeling they have not set up the SSL at their end correctly, and I am wondering if they have just imported into the servers browser, the same public key certificate they forwarded to me. When
you say "you have to first export the Trusted Root Certificate Authority from the server and import this to the client", what part of the SSL certificate(s) do you mean?
Do you mean the Certificate Authority root certificate and I have to import that into the client as well as the public key certificate?
I look forward to you next feedback.
Regards
Alanjo

Similar Messages

Use custom not ConfigMgr SQL Server Identification Certificate

Hello,
I noticed that during the database creation steps in System Center 2012 Configuration Manager, the SQL server's instance gets assigned a SSL Certificate called ConfigMgr SQL Server Identification Certificate. I currently have one that
I have assigned by our own PKI solution as I am pointing this to our SQL cluster.
Is there anyway to use my PKI issued certificate over the self-signed one that gets deployed by System Center during the installation process? When I use my own PKI issued certificate, System Center is unable to connect saying there is an issue with
the certificate (which I know is untrue as other applications can communicate to the cluster fine with my PKI issued certificate).
Thanks in advance!

Hi,
This technet article might be of more help.
PKI Certificate Requirements for Configuration Manager
http://technet.microsoft.com/en-us/library/gg699362.aspx
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.

SQL Server 2012 certificate error?

Here is what my event log looks like:
Log Name is Application
Source: MSSQL$SQLSERVER2012
Date: 6/26/2014 12:29:55 PM
Task Category: Server
Level: Error
Keywords: Classic
User: N/A
Computer: Suzie-PC
Event ID: 17120
Description:
SQL Server could not spawn FRunCommunicationsManager thread. Check the SQL Server error log and the Windows event logs for information about possible related problems.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSSQL$SQLSERVER2012" />
<EventID Qualifiers="49152">17120</EventID>
<Level>2</Level>
<Task>2</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-06-26T19:29:55.000000000Z" />
<EventRecordID>401427</EventRecordID>
<Channel>Application</Channel>
<Computer>Suzie-PC</Computer>
<Security />
</System>
<EventData>
<Data>FRunCommunicationsManager</Data>
<Binary>E04200001000000017000000530055005A00490045002D00500043005C00530051004C005300450052005600450052003200300031003200000000000000</Binary>
</EventData>
</Event>
Event ID: 17826
Description:
Could not start the network library because of an internal error in the network library. To determine the cause, review the errors immediately preceding this one in the error log.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSSQL$SQLSERVER2012" />
<EventID Qualifiers="49152">17826</EventID>
<Level>2</Level>
<Task>2</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-06-26T19:29:55.000000000Z" />
<EventRecordID>401426</EventRecordID>
<Channel>Application</Channel>
<Computer>Suzie-PC</Computer>
<Security />
</System>
<EventData>
<Binary>A24500001200000017000000530055005A00490045002D00500043005C00530051004C005300450052005600450052003200300031003200000000000000</Binary>
</EventData>
</Event>
Event ID: 17182
Description:
TDSSNIClient initialization failed with error 0x80092004, status code 0x1. Reason: Initialization failed with an infrastructure error. Check for previous errors. Cannot find object or property.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSSQL$SQLSERVER2012" />
<EventID Qualifiers="49152">17182</EventID>
<Level>2</Level>
<Task>2</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-06-26T19:29:55.000000000Z" />
<EventRecordID>401425</EventRecordID>
<Channel>Application</Channel>
<Computer>Suzie-PC</Computer>
<Security />
</System>
<EventData>
<Data>80092004</Data>
<Data>1</Data>
<Data>Initialization failed with an infrastructure error. Check for previous errors.</Data>
<Data>Cannot find object or property. </Data>
<Binary>1E4300001000000017000000530055005A00490045002D00500043005C00530051004C005300450052005600450052003200300031003200000000000000</Binary>
</EventData>
</Event>
Event ID: 17182
Description:
TDSSNIClient initialization failed with error 0x80092004, status code 0x80. Reason: Unable to initialize SSL support. Cannot find object or property.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSSQL$SQLSERVER2012" />
<EventID Qualifiers="49152">17182</EventID>
<Level>2</Level>
<Task>2</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-06-26T19:29:55.000000000Z" />
<EventRecordID>401424</EventRecordID>
<Channel>Application</Channel>
<Computer>Suzie-PC</Computer>
<Security />
</System>
<EventData>
<Data>80092004</Data>
<Data>80</Data>
<Data>Unable to initialize SSL support.</Data>
<Data>Cannot find object or property. </Data>
<Binary>1E4300001000000017000000530055005A00490045002D00500043005C00530051004C005300450052005600450052003200300031003200000000000000</Binary>
</EventData>
</Event>
Also, I ran certutil -store My and it failed.
C:\Users\Suzie>certutil -store My
My
================ Certificate 0 ================
Serial Number: 65143821fd0109864b5666cf04876d65
Issuer: CN=localhost
NotBefore: 10/3/2013 8:17 PM
NotAfter: 10/2/2018 5:00 PM
Subject: CN=localhost
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): 50 2f 7e c1 52 7d 56 e1 2d 5a 2a 44 fb 4a d1 29 0d 01 ec dd
Key Container = IIS Express Development Certificate Container
Provider = Microsoft RSA SChannel Cryptographic Provider
Encryption test FAILED
CertUtil: -store command completed successfully.
What should I do to fix this?

Hi,
Please check below support links
http://support.microsoft.com/kb/928779
If that does not helps please see solution and workaround section in below link
http://blogs.msdn.com/b/sqljourney/archive/2012/10/09/sql-2008-service-fails-to-come-online-with-a-valid-certificate-could-not-be-found-and-it-is-not-possible-to-create-a-self-signed-certificate.aspx
Please mark this reply as answer if it solved your issue or vote as helpful if it helped so that other forum members can benefit from it.
My TechNet Wiki Articles

Office Web Apps Server SSL Certificate

Hi
I am deploying Office Web App Server for Integration with Lync 2013. I opted for secure communication with SSL Certificate. I want this server available to internal and external users.
I am little confused over CA for Issuance of SSL Certificate. On most of the forums, I found SSL Certificate to be issued by Internal CA. If so, will this also work for external users?
If not, then plz guide me for Generating Certificate Request on Office Web App Server to be submitted to External CA for Issuance of Certificate.
Regards.

Hi,
Thanks for your posting in this forum.
I have moved this thread in Lync Server 2013-Management, Planning, and Deployment forum for more dedicated support.
Thanks for your understanding.
Best Regards,
Wendy
Wendy Li
TechNet Community Support

Can't access Exchange ActiveSync server - SSL certificates not being used

When I try to set up my email via Exchange ActiveSync to a corporate server, I am unable to connect. I am using the same exact settings as on an iPhone, where I am able to successfully connect.
Reading the console log in the iPhone configuration utility, the problem appears to be that the iPad is not using the corporate certificates I have installed to enable SSL access to the Exchange server. These certificates are installed in the exact same way they are on my iPhone, where they work correctly.
Has anyone else had a similar problem accessing Exchange mail using SSL certificates? Any ideas on how to fix this? Or is this a bug in the iPad software?

IM having the same problem. iPhone works fine on exchange atvwork but iPad with same settings says cannot connect to exchange server. Have you figured anything out yet?
Tom

Snow Leopard Server - SSL Certificate Issue

Hi. I am hoping someone can shine some light into an issue I am currently experiencing with SSL Certificates on the Snow Leopard Server which hosts out websites. This past weekend an SSL certificate pertaining to our primary domain expired which caused users to receive error messages prior to accessing the website ... the error message stated "the site's security certificate has expired!"
I have since renewed the certificate via networksolutions.com and applied it on the Mac server. The certificate was applied successfully and i have added the certificate the sites along with restarting the apache to take in the settings. However, the certificate is not propagating out at all. I have also restarted the mac server as well in case there was something in the cache causing issues but unfortunately, the issue still exists.
I have also removed the certificate entirely and reapplied it from scartch to make sure the original certificate wasn't causing any issues.
Has anyone else incurred a similar issue or would anyone have any insight on how to possibly resolve the issue?
Thank you!

Just a quick update. the DNS seems fine but I am getting errors in the logs as follows.
May 12 09:37:34 server jabberd/sm[2084]: version: jabberd sm 2.1.24.1-326.5
May 12 09:37:34 server org.jabber.jabberd[2082]: ERROR: router died. Shutting down server.
May 12 09:37:34 server com.apple.launchd[1] (org.jabber.jabberd): Throttling respawn: Will start in 10 seconds
May 12 09:37:34 server jabberd/sm[2084]: attempting connection to router at 127.0.0.1, port=5347
May 12 09:37:34 server jabberd/sm[2084]: shutting down
May 12 09:38:45 server jabberd/sm[2167]: version: jabberd sm 2.1.24.1-326.5
May 12 09:38:45 server jabberd/sm[2167]: attempting connection to router at 127.0.0.1, port=5347
May 12 09:38:45 server jabberd/sm[2167]: shutting down
May 12 09:38:45 server org.jabber.jabberd[2165]: ERROR: router died. Shutting down server.
May 12 09:38:45 server com.apple.launchd[1] (org.jabber.jabberd): Throttling respawn: Will start in 10 seconds
I checked the the crash report which has the follow kernal issue.
Exception Type: EXCBADACCESS (SIGBUS)
Exception Codes: KERNPROTECTIONFAILURE at 0x000000010011adb0
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Any ideas?

Accidentally deleted SQL Cert "ConfigMgr SQL Server Identification Certificate"

Hi,
a customer accidentally deleted the SQL Cert which is created automatically during the SCCM setup and now SCCM is not working.
Infrastructure:
SCCM 2012, CU1
SQL 2008 R2 SP1, CU7
Both Components are on the same box.
Is the certificate stored somewhere locally or what steps are necessary, that SCCM is working fine again.
Thanks in advance!
Regards,
Tom

I had the same problem (tried to copy the certificate from the server to my workstation to edit the reports, ended up moving it, loosing the private key in the process)
I was able to restore the private key using this article http://www.entrust.net/knowledge-base/technote.cfm?tn=7905
and the tool certutil –repairstore my <serial number>
just in case it happens to someone else.

Mail refuses to accept server SSL certificate

Hello,
yesterday I updated to 10.4.11 and everything works fine except one thing.
I've got 3 IMAP Accounts set up in Mail, all using SSL. While 2 of them still work one suddenly started to complain that the certificate is invalid.
It says:
The server error encountered was: Mail was unable to verify the identity of this server, which has a certificate issued to "mail2.hitzemann.org". The error was:
The certficate for the server is invalid.
You might be connecting to a computer that is pretending to be "mail2.hitzemann.org", and putting your confidential information at risk. Would you like to continue anyway?
If I click on "Show Certificate" Mail proudly tells me that the certificate is valid. Nevertheless I double checked the hostname, the expiration date, etc. I even generated a new class 1 certificate as the current one was a class 3 cert. But I didn't have any luck with this either. I also checked that my CA's root certificates are known to keychain in the X509Anchors.
If I boot my 10.4.10 backup everything's working like a charm again. So how to tell Mail not to complain about a certificate that's valid?

I'm having a similar problem. Only I've never had a digital signature. I got a Thawte certificate, followed all their instructions but Apple Mail doesn't recognize it. I've tried every forum solution for the last two days, without any luck.
Currently the certificate is in the System part of the Keychain. And it's showing up in both the Certificates and My Certificates sections. I've also tried variations of this setup. Nothing seems to get Mail to recognize the thing.

OS X server SSL Certificate Edit button missing

Hello,
Just purchased a mac mini server with Mountain Lion server preinstalled. The initial setup with the wizard went smooth and have open directory setup and look good. When I went to connect to it with my macbook it gave me a SSL missing warning. Searches on the internet point to a SSL edit button under settings. For some reason it does not show up when I go to that location. Searched through the entire interface but i'm unable to find it. Can someone show me where I went wrong?
Thank you in advance

Hi All,
Aparently the answer lies within apache and a troublesome httpd.conf file, try this to get your button back.
Quit server.app
Go to Terminal:
cd /etc/apache2
sudo mv httpd.conf.default httpd.conf
sudo apachectl graceful
Start server.app
Presto!
Goodluck
Jeffrey

Setup SSL for SQL Server 2014

I'm trying to get SSL setup for SQL Server. I'm assuming version doesn't matter. It's all about the same but I'm using 2014.
I have an Enterprise CA so I've setup certs through it. I've tried using several templates but none seem to work. I thought it might be needing to use a SAN cert but that doesn't seem to work either.
I create the cert, add it to the computer account.
Go to the properties of "Protocols for MSSQLSERVER" and change the settings on the cert tab to my cert.
Attempting to restart SQL Server fails. Once I clear the setting the service will start.
What am I missing?
David Jenkins

Hello,
Please read the following resources:
http://support.microsoft.com/kb/316898/en-us
http://thesqldude.com/2012/04/21/setting-up-ssl-encryption-for-sql-server-using-certificates-issues-tips-tricks/
Hope this helps.
Regards,
Alberto Morillo
SQLCoffee.com

Unable to connect to sql server 2008 r2 after upgrading from framework 4.0 to 4.5.2 in windows 7 environment

Hi All,
BackGround
I used to connect to database with Encrypt set true in sql connection which helps established encrypted data base connection . I verified that created certificate in order
to provide Encrypted connection to database for client is valid.
Issue :Issue
is un-able to connect to sql sever2008 r2 from vs2013 by enforcing encryption to true.
while trying to test the connection from vs2013 error log getting recorded as well as error notification is getting populated as below .
Step1 :
from Vs2013 trying to connect to sql server 2008 r2
step 2: on Click test Connection . getting below mentioned error notification
Event Viewer Log:<o:p></o:p>
<o:p></o:p>
(Process Id: 7472)
<o:p></o:p>
.Net SqlClient Data Provider:<o:p></o:p>
A connection was successfully established with the server, but then an error
occurred during the login process. (provider: SSL Provider, error: 0 - The
target principal name is incorrect.)<o:p></o:p>
   at
System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception,
Boolean breakConnection, Action`1 wrapCloseInAction)<o:p></o:p>
   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject
stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)<o:p></o:p>
   at
System.Data.SqlClient.TdsParserStateObject.SNIWritePacket(SNIHandle handle,
SNIPacket packet, UInt32& sniError, Boolean canAccumulate, Boolean
callerHasConnectionLock)<o:p></o:p>
   at System.Data.SqlClient.TdsParserStateObject.WriteSni(Boolean
canAccumulate)<o:p></o:p>
   at System.Data.SqlClient.TdsParserStateObject.WritePacket(Byte
flushMode, Boolean canAccumulate)<o:p></o:p>
   at System.Data.SqlClient.TdsParser.TdsLogin(SqlLogin rec,
FeatureExtension requestedFeatures, SessionData recoverySessionData)<o:p></o:p>
   at
System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo
serverInfo, String newPassword, SecureString newSecurePassword, Boolean
ignoreSniOpenTimeout, TimeoutTimer timeout, Boolean withFailover)<o:p></o:p>
   at
System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(ServerInfo
serverInfo, String newPassword, SecureString newSecurePassword, Boolean
redirectedUserInstance, SqlConnectionString connectionOptions, SqlCredential
credential, TimeoutTimer timeout)<o:p></o:p>
   at
System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(TimeoutTimer
timeout, SqlConnectionString connectionOptions, SqlCredential credential,
String newPassword, SecureString newSecurePassword, Boolean
redirectedUserInstance)<o:p></o:p>
   at
System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity
identity, SqlConnectionString connectionOptions, SqlCredential credential,
Object providerInfo, String newPassword, SecureString newSecurePassword,
Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions,
SessionData reconnectSessionData)<o:p></o:p>
   at
System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions
options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo,
DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions
userOptions)<o:p></o:p>
   at
System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnectionPool
pool, DbConnection owningObject, DbConnectionOptions options,
DbConnectionPoolKey poolKey, DbConnectionOptions userOptions)<o:p></o:p>
   at
System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection
owningObject, DbConnectionOptions userOptions, DbConnectionInternal
oldConnection)<o:p></o:p>
   at System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection
owningObject, DbConnectionOptions userOptions, DbConnectionInternal
oldConnection)<o:p></o:p>
   at
System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection
owningObject, UInt32 waitForMultipleObjectsTimeout, Boolean allowCreate,
Boolean onlyOneCheckConnection, DbConnectionOptions userOptions,
DbConnectionInternal& connection)<o:p></o:p>
   at
System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection
owningObject, TaskCompletionSource`1 retry, DbConnectionOptions userOptions,
DbConnectionInternal& connection)<o:p></o:p>
   at
System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection
owningConnection, TaskCompletionSource`1 retry, DbConnectionOptions
userOptions, DbConnectionInternal oldConnection, DbConnectionInternal&
connection)<o:p></o:p>
   at
System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection
outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1
retry, DbConnectionOptions userOptions)<o:p></o:p>
   at
System.Data.SqlClient.SqlConnection.TryOpenInner(TaskCompletionSource`1 retry)<o:p></o:p>
   at
System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource`1 retry)<o:p></o:p>
   at System.Data.SqlClient.SqlConnection.Open()<o:p></o:p>
Inner Exception:<o:p></o:p>
:<o:p></o:p>
The target principal name is incorrect

The target principal name is incorrect
Hi Rahul.U,
Are you able to connect to SQL Server successfully from SQL Server Management Studio (SSMS) when enforcing encryption?
According to above error message, it could be caused by the inappropriate server name or incorrect TrustServerCertificate configuration in the connection string from Visual Studio. There are some proposals for you troubleshooting this error.
1. Make sure that you connect to the SQL server using the fully qualified domain name (FQDN).
2. When connecting to a SQL Server instance with a valid certificate, please add the
TrustServerCertificate
parameter and set it to true in the connection string. For more details, please review this
article.
However, if you can successfully connect to SQL Server via SSMS, but still fail to connect to SQL Server from Visual Studio, I would like to recommend you post the question in the .Net Framework forum at
https://social.msdn.microsoft.com/Forums/vstudio/en-US/home?category=netdevelopment . It is appropriate and more experts will assist you.
There are similar articles about error “The target principal name is incorrect” for your reference.
http://serverfault.com/questions/458935/aws-rds-sql-server-ssl-connection-the-target-principal-name-is-incorrect
http://www.derekseaman.com/2013/09/sql-2012-failover-cluster-pt-12-kerberos-n.html
Thanks,
Lydia Zhang
Lydia Zhang
TechNet Community Support

Portable class library - SSL certificate ignore support.

Hi,
We are developing mobile based project targeting to windows and ios platform.
1. Project has portable class library that is been shared among all this platforms.
2. We have asp.net web api services for data provider hosted on server with http and https (ssL) enabled.
3. We are successfully able to call web api methods using System.Net.HttpClient in portable class library and data is provided by the utility helper methods to all platforms.
4. Now based on the specific requirement we have to utilized https enabled service and we have to switch to ssl enabled call.
5. Based on my research over internet "ServicePointManager.ServerCertificateValidationCallback" is one we can use in .net native framework libraries but not available for portable libraries.
If anyone can help in this area that how can we make https call from portable class library.
Thanks in Advance,
Brajesh patel

Hello Brajesh,
As far as I know, in these currently released PCL, there seems to be no way to use the SSL certificate for http request.
My suggestion is that you could invite your friends or colleagues to vote this idea in below link(someone else already psot this request to the team):
http://visualstudio.uservoice.com/forums/121579-visual-studio/suggestions/4784983-support-server-ssl-certificate-chain-inspection-in
With the increase of the the voice number, this priority of this idea would be improved.
Regards.
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
Click
HERE to participate the survey.

Hybrid Connection fails for Windows SQL Server 2014 - SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted

Hello,
I have configured BizTalk Services Hybrid Connection between Standard Azure Website and SQL Server 2014 on premise.
Azure Management portal shows the status of Hybrid Connection as established.
However, the website throws an error when trying to open a connection
<
addname="DefaultConnection"
connectionString="Data
Source=machine name;initial catalog=AdventureWorks2012;Uid=demouser;Password=[my password];MultipleActiveResultSets=True"
providerName="System.Data.SqlClient"
/>
(The same website, with the same connection string deployed on SQL Server machine works correctly).
I tried various options with the connections sting (IP address instead of machine name, Trusted_Connection=False, Encrypt=False, etc. the result is the same
[Win32Exception (0x80004005): The certificate chain was issued by an authority that is not trusted]
[SqlException (0x80131904): A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.
I tried various machines - on premise and a clean Azure VM with SQL Server and it results in the same error - below full stack
The certificate chain was issued by an authority that is not trusted
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.ComponentModel.Win32Exception: The certificate chain was issued by an authority that is not trusted
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[Win32Exception (0x80004005): The certificate chain was issued by an authority that is not trusted]
[SqlException (0x80131904): A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)]
System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +5341687
System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose) +546
System.Data.SqlClient.TdsParserStateObject.SNIWritePacket(SNIHandle handle, SNIPacket packet, UInt32& sniError, Boolean canAccumulate, Boolean callerHasConnectionLock) +5348371
System.Data.SqlClient.TdsParserStateObject.WriteSni(Boolean canAccumulate) +91
System.Data.SqlClient.TdsParserStateObject.WritePacket(Byte flushMode, Boolean canAccumulate) +331
System.Data.SqlClient.TdsParser.TdsLogin(SqlLogin rec, FeatureExtension requestedFeatures, SessionData recoverySessionData) +2109
System.Data.SqlClient.SqlInternalConnectionTds.Login(ServerInfo server, TimeoutTimer timeout, String newPassword, SecureString newSecurePassword) +347
System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean ignoreSniOpenTimeout, TimeoutTimer timeout, Boolean withFailover) +238
System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString connectionOptions, SqlCredential credential, TimeoutTimer timeout) +892
System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(TimeoutTimer timeout, SqlConnectionString connectionOptions, SqlCredential credential, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance) +311
System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData) +646
System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions) +278
System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnectionPool pool, DbConnection owningObject, DbConnectionOptions options, DbConnectionPoolKey poolKey, DbConnectionOptions userOptions) +38
System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection) +732
System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection) +85
System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, UInt32 waitForMultipleObjectsTimeout, Boolean allowCreate, Boolean onlyOneCheckConnection, DbConnectionOptions userOptions, DbConnectionInternal& connection) +1057
System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal& connection) +78
System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection) +196
System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions) +146
System.Data.ProviderBase.DbConnectionClosed.TryOpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions) +16
System.Data.SqlClient.SqlConnection.TryOpenInner(TaskCompletionSource`1 retry) +94
System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource`1 retry) +110
System.Data.SqlClient.SqlConnection.Open() +96
System.Data.EntityClient.EntityConnection.OpenStoreConnectionIf(Boolean openCondition, DbConnection storeConnectionToOpen, DbConnection originalConnection, String exceptionCode, String attemptedOperation, Boolean& closeStoreConnectionOnFailure) +44
[EntityException: The underlying provider failed on Open.]
System.Data.EntityClient.EntityConnection.OpenStoreConnectionIf(Boolean openCondition, DbConnection storeConnectionToOpen, DbConnection originalConnection, String exceptionCode, String attemptedOperation, Boolean& closeStoreConnectionOnFailure) +203
System.Data.EntityClient.EntityConnection.Open() +104
System.Data.Objects.ObjectContext.EnsureConnection() +75
System.Data.Objects.ObjectQuery`1.GetResults(Nullable`1 forMergeOption) +41
System.Data.Objects.ObjectQuery`1.System.Collections.Generic.IEnumerable<T>.GetEnumerator() +36
System.Collections.Generic.List`1..ctor(IEnumerable`1 collection) +369
System.Linq.Enumerable.ToList(IEnumerable`1 source) +58
CloudShop.Services.ProductsRepository.GetProducts() +216
CloudShop.Controllers.HomeController.Search(String SearchCriteria) +81
CloudShop.Controllers.HomeController.Index() +1130
lambda_method(Closure , ControllerBase , Object[] ) +62
System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters) +14
System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) +193
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +27
System.Web.Mvc.Async.<>c__DisplayClass42.<BeginInvokeSynchronousActionMethod>b__41() +28
System.Web.Mvc.Async.<>c__DisplayClass8`1.<BeginSynchronous>b__7(IAsyncResult _) +10
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +50
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) +32
System.Web.Mvc.Async.<>c__DisplayClass39.<BeginInvokeActionMethodWithFilters>b__33() +58
System.Web.Mvc.Async.<>c__DisplayClass4f.<InvokeActionMethodFilterAsynchronously>b__49() +225
System.Web.Mvc.Async.<>c__DisplayClass37.<BeginInvokeActionMethodWithFilters>b__36(IAsyncResult asyncResult) +10
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +50
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) +34
System.Web.Mvc.Async.<>c__DisplayClass2a.<BeginInvokeAction>b__20() +23
System.Web.Mvc.Async.<>c__DisplayClass25.<BeginInvokeAction>b__22(IAsyncResult asyncResult) +99
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +50
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +27
System.Web.Mvc.<>c__DisplayClass1d.<BeginExecuteCore>b__18(IAsyncResult asyncResult) +14
System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +23
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +55
System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +39
System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +23
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +55
System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +29
System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult) +10
System.Web.Mvc.<>c__DisplayClass8.<BeginProcessRequest>b__3(IAsyncResult asyncResult) +25
System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +23
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +55
System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +31
System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +9
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +9651188
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
Regards,
Michal
Michal Morciniec

Same issue here, looking for more information !

URL problems with SQL Server Reporting Services 2012 with wildcard SSL certificate

Hi,
I have single server, domain member, with SQL Server 2012 SP1 Reporting Services.
I am trying to get work with url: https://reports.mydomain.com
I have valid wildcard certificate (*.mydomain.com) implemented and configured URLs in Configuration Manager.
https://reports.mydomain.com/ReportServer - works fine
https://reports.3pro.hr/Reports/ - I got error:
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
In rsreportserver.config I have:
<Add Key="SecureConnectionLevel" Value="2"/>
When looking my ReportServerService_date.log file I have something like:
configmanager!DefaultDomain!3f4c!03/10/2013-20:24:34:: i INFO: Using report server internal url https://localhost:443/ReportServer.
configmanager!DefaultDomain!3f4c!03/10/2013-20:24:34:: i INFO: Using report server external url https://serverhostname:443/ReportServer.
configmanager!DefaultDomain!3f4c!03/10/2013-20:24:34:: i INFO: Using url root https://reports.mydomain.com/ReportServer.
configmanager!DefaultDomain!3f4c!03/10/2013-20:24:34:: i INFO: Using report server internal url https://localhost:443/ReportServer.
configmanager!DefaultDomain!3f4c!03/10/2013-20:24:34:: i INFO: Using report server external url https://serverhostname:443/ReportServer.
configmanager!DefaultDomain!3f4c!03/10/2013-20:24:34:: i INFO: Using url root https://reports.mydomain.com/ReportServer.
Also, error shown in log file:
appdomainmanager!ReportManager_0-2!4c50!03/10/2013-20:24:53:: e ERROR: Remote certificate error RemoteCertificateNameMismatch encountered for url https://localhost/ReportServer/ReportService2010.asmx.
ui!ReportManager_0-2!4c50!03/10/2013-20:24:54:: e ERROR: System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException:
The remote certificate is invalid according to the validation procedure.
Btw, is there a way to delete/disable access using https://localhost and/or servername (not FQDN) since SSL will not work in this way for me, and I want access only by full url - https://reports.mydomain.com , not localhost ..
-- Hrvoje Kusulja

I spent one of my 4 free support incidents with Microsoft (part of MSDN subscription) this year to get this investigated. The tech support person helped me through several issues but had to leave to attend some training, and I got past the last hurdle
before she called me back. Here are the steps that resolved this issue for me. I know for sure that step 5 was necessary. Step 1 may not apply to you, and steps 2-4 may or may not have been necessary (they didn't immediately fix the issue,
but I didn't roll them back either so they may have been necessary.)
Step 1:
Ensure you are editing the correct rsreportserver.config file. I had been making changes to a file that was installed in C:\Program Files\Common Files\microsoft shared\Web Server Extensions\14\WebServices\Reporting, but that was a rsreportserver.config
file for some sharepoint integration that I'm not using. The correct path on my system was E:\MSRS11.MSSQLSERVER\Reporting Services\ReportServer\rsreportserver.config, but yours may vary. If you can't figure it out, look in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft
SQL Server\MSRS11.MSSQLSERVER\Setup in the key named SQLPath, and then go to the ReportServer subdirectory of that path.
Step 2:
In rsreportserver.config, ensure that SecureConnectionLevel is set to the value 3. Was set to 0 in my configuration. Corrected line in your rsreportserver.confiog file should look like:
<Add Key="SecureConnectionLevel" Value="3"/>
Step 3:
In rsreportserver.config, add the correct value to the <URLRoot> element (which already exists in the file.) In my configuration, this value was blank. The value should be the fully qualified path to your report server, with a hostname that
is valid for your certificate. For example, if my cert matches *.mydomain.local:
<UrlRoot>
https://myserver.mydomain.local/ReportServer
</UrlRoot>
Step 4:
Ensure that your certificate exists in Trusted Root Certification Authorities in certmgr for the local machine. I had the certificate installed as a Personal certificate for the local machine, which I still think was correct (the certificate wasn't actually
the problem and worked correctly for Report Server, and the failure was caused by SSRS incorrectly making a https request to a localhost URL), but she had me remove the certificate from Personal and add it to Trusted Root Certificate Authorities. That
broke things and the cert was no longer listed as a cert I could bind to, so we then copied it so it existed in both Personal and Trusted Root Certificate Authorities. This is how I left it, not sure if that was necessary.
Step 5:
This was the fix that finally got things to work. In rsreportserver.config, add the same value to the <ReportServerUrl> element (which also already exists in the file) that you added in step 3. In my configuration, this value was also blank.
The corrected value should be the same as in step 3, for example:
<ReportServerUrl>
https://myserver.mydomain.local/ReportServer
</ReportServerUrl>
Then restart your report server (stop & then start in Report Server Configuration Manager), and the problem should go away. At least it did for me.
Good luck!

Unable to set (ssl) certificate on a SQL Server 2012 clustered instance

Hello everyone!
I'm trying to encrypt the SQL Server communication with SSL but I can't add the certificate in the configuration manager. I've found and tried a lot of different explaination but none of them worked. I'll described what I've done and hope someone will point
out what I'm missing.
Here is my situation:
- SQL Server 2012 Enterprise Edition. Instance name = INSTANCE, FQDN = SQINSTANCE.mydomain.com. The instance is running under a customized service account: mydomain\sql_sa
- Two cluster nodes running Win Server 2008R2: NODE1.mydomain.com and NODE2.mydomain.com. Cluster itself is CLUSTER.mydomain.com
What I've done:
1) Asked the team in charge to generate a certificate issued to "SQINSTANCE.mydomain.com" with aliases to "NODE1.mydomain.com", "NODE2.mydomain.com" and "CLUSTER.mydomain.com". I get a certificate with "p7b"
as extension
2) Connect on "NODE2.mydomain.com" with account "mydomain\sql_sa". Opened MMC and added the certificate under "Personnal" folder. I tried to add it with "Current user" and "Local computer" settings. Saw both
on internet since I use a specific service account
3) Get the thumbprint of the certificate and add it under HKLM\Software\Microsoft\Microsoft SQL Server\MSSQL11.INSTANCE\MSSQLServer\SuperSocketNetLib\Certificate. (I triple checked to remove blanks or special characters)
4) Reboot the node
5) Open the SQL Server Configuration Manager, go to the network properties. Certificate does not appear in the list
I tried to check with certutil and saw the certificate in the output. Some guys talked about some private key but I don't see this particularity in my situation. I tried to check if the certificate is valid and, according to the criterias, it is.
Does anyone can help me with this?

Hi,
Are you sure you've got the certificate correct? http://msdn.microsoft.com/en-us/library/ms191192.aspx
To use encryption with a failover cluster, you must install the server certificate with the fully qualified DNS name of the virtual server
on all nodes in the failover cluster. For example, if you have a two-node cluster, with nodes named test1.<your
company>.com and test2.<your
company>.com, and you have a virtual server named virtsql, you need to install a certificate for virtsql.<your
company>.com on both nodes. You can set the value of the ForceEncryptionoption
toYes
In your case, shouldn't it be created for CLUSTER.mydomain.com?
Thanks, Andrew
My blog...

SQL Server SSL Certificate

Similar Messages

Maybe you are looking for