SQL Server connection refused when running only TLS1.2

Simon Chapman 1 Reputation point
2021-04-29T10:05:55.86+00:00

Hi,

We have the following setup

SQL Server 2016 running only TLS1.2
Application Servers running Windows Server 2012 and 2016 and only TLS1.2
Workstations running Windows 10 and only TLS1.2

We then have an application that attempts to connect to the SQL server.
When running the application on the workstations we have no issues; when running the application on the server, the connection to the SQL server is not made successfully.

I have tried running Wireshark on the application server and can see that it attempts to connect to the SQL server, although I never see a handshake being initiated. I can see that the SQL server name, instance and port are returned, along with the version number, but this is wrong as it is just returning the version as 13.2.5026.0, which is SP2, but we have some CUs installed on top of SP2.

I also tried removing the DL ciphers to eliminate the leading zero issue; no change.

I activated SCHANNEL logging, but that still doesn't log anything.

I have no further logging, so I don't know what else to check.

Re-enabling TLS1.0 fixes the issue, but this isn't a possible solution.

SQL Server | Other

2 answers

  1. CarrinWu-MSFT 6,891 Reputation points
    2021-05-03T01:44:30.76+00:00

    Hi @Simon Chapman ,

    After doing some research, I found a blog that might help you:

    Correct the permissions on the c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder:

    1. Everyone (Access: Special; Applies to: This folder only)
    2. Network Service (Access: Read & Execute; Applies to: This folder, subfolders and files)
    3. Administrators (Access: Full Control; Applies to: This folder, subfolders and files)
    4. System (Access: Full Control; Applies to: This folder, subfolders and files)
    5. IUSR (Access: Full Control; Applies to: This folder, subfolders and files)

    Best regards,
    Carrin


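The folder permissions listed in the answer above can be compared against the live ACL with a script. The PowerShell below is an added example, not part of the answer or of any Microsoft tooling; the status labels and the matching of principals by well-known SID are assumptions of this example, and because the answer gives only "Special" for Everyone, that entry is reported for manual review instead of being judged.

```powershell
# Added example: audit the MachineKeys ACL against the list in the answer above.
# Principals are matched by well-known SID so the check also works on localized systems.
$path = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'
$all  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none = [System.Security.AccessControl.InheritanceFlags]::None
$sync = [int][System.Security.AccessControl.FileSystemRights]::Synchronize

# Rights = $null: the answer only says "Special", so actual rights are shown, not judged.
$expected = @(
    @{ Name = 'Everyone';        Sid = 'S-1-1-0';      Rights = $null;            Inherit = $none }
    @{ Name = 'Network Service'; Sid = 'S-1-5-20';     Rights = 'ReadAndExecute'; Inherit = $all  }
    @{ Name = 'Administrators';  Sid = 'S-1-5-32-544'; Rights = 'FullControl';    Inherit = $all  }
    @{ Name = 'System';          Sid = 'S-1-5-18';     Rights = 'FullControl';    Inherit = $all  }
    @{ Name = 'IUSR';            Sid = 'S-1-5-17';     Rights = 'FullControl';    Inherit = $all  }
)

# Read explicit and inherited Allow entries, with identities returned as SIDs.
$acl   = Get-Acl -LiteralPath $path
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
         Where-Object { $_.AccessControlType -eq 'Allow' }

$report = foreach ($e in $expected) {
    $mine   = @($rules | Where-Object { $_.IdentityReference.Value -eq $e.Sid })
    $actual = ($mine | ForEach-Object { "$($_.FileSystemRights) [$($_.InheritanceFlags)]" }) -join '; '
    if ($mine.Count -eq 0) {
        $status = 'MISSING'
    } elseif ($null -eq $e.Rights) {
        $status = 'REVIEW'
    } else {
        # Synchronize is ignored: Windows adds it to most Allow entries automatically.
        $want = [int][System.Security.AccessControl.FileSystemRights]$e.Rights
        $hit  = $mine | Where-Object {
            (([int]$_.FileSystemRights -bor $sync) -eq ($want -bor $sync)) -and
            ($_.InheritanceFlags -eq $e.Inherit) -and
            ($_.PropagationFlags -eq 'None')
        }
        $status = if ($hit) { 'OK' } else { 'DIFFERS' }
    }
    [pscustomobject]@{ Principal = $e.Name; Status = $status; Actual = $actual }
}
$report | Format-Table -AutoSize -Wrap

# Entries for principals that are not in the answer's list, shown for awareness.
$known = $expected | ForEach-Object { $_.Sid }
$rules | Where-Object { $known -notcontains $_.IdentityReference.Value } |
    Select-Object @{ n = 'Sid'; e = { $_.IdentityReference.Value } }, FileSystemRights, InheritanceFlags |
    Format-Table -AutoSize
```

The script only reads the ACL and changes nothing; run it on the application server where the connection fails and on a working workstation to compare the two reports.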

  2. Simon Chapman 1 Reputation point
    2021-05-04T05:36:11.713+00:00

    Hi,

    Thanks for the suggestion, but it didn't work.

    Still the same error.

