I'm at the last step before the CRM install starts, but I'm getting this error: [DBNETLIB][ConnectionOpen (SECDoClientHandshake().]SSL Security Error. I verified that the user has admin permissions to the database and that TLS 1.0 is enabled on both my front end server and database but neither has worked.
We figured out what our issue was. There was a group policy on the server that was disabling TLS 1.0 so we could never get it enabled. Once we fixed that the connection worked. Thanks for your assistance.
On our server "Force protocol encryption" is unchecked and the Enabled protocols by order box is empty. I've been using the Test.udl method to test the connection and I get the same error as the CRM installer.
These packets do not list the hello message or the list of cipher suites along with the protocols (TLS/SSL). Let's take a step back and check what the configuration is for the SQL Server Client Network Utility on both the SQL and CRM boxes:
C:\Windows\SysWOW64\cliconfg.exe
For 32-bit systems, you may simply search for cliconfg.exe within the Windows start menu.
What happens if you create a blank text file on the CRM server, rename it as Test.udl, and do the test connection using these options? Does it connect successfully with SQL?
https://docs.microsoft.com/en-us/sql/connect/oledb/help-topics/data-link-pages?view=sql-server-ver15
Thanks,
Saurabh
I filtered by the IP address of the DB server and I get these packets which may be relevant.
1. Pre-login Message
2. Response from DB server
You may use these example filters ::
ip.addr ::
SSL ::
SSL/TLS in action with WireShark ::
https://www.youtube.com/watch?v=u4ht-E-Kihk
Can you give me some examples of filters I can use to capture this information using Wireshark or help me interpret the results? I tried "tcp port 1433" and then ran a connection test. I did get a result but I didn't see anything related to SSL or why it failed.
Hey Chris,
I don't think we would need to disable TLS 1.2; however, we can give it a try.
During the TLS/SSL handshake, basically the client reaches out to the server with a hello kind of message including the available cipher suites & TLS/SSL versions, the server then chooses one of them (most probably, the most secure channel available).
In case things still don't work out here, we should consider capturing network packet traces to understand what sort of disagreements we have with the SQL server here over the application layer.
Saurabh,
Does TLS 1.2 need to be temporarily disabled on client/server during install?
Hey Chris,
Thanks for reaching back.
There is another possibility that you have SchUseStrongCrypto enabled for .NET versions which forces apps to use strong cryptography.
HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\<VERSION>: SchUseStrongCrypto
HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\<VERSION>: SystemDefaultTlsVersions
Also, what if the client (CRM server is client in this case) is trying to do the communication with the server (SQL) on some other secure channel protocols and the server (SQL server) doesn't have those cipher suites enabled and the SSL/TLS handshake fails.
The only way to identify if that's the case would be through running a packet sniffer like WireShark or NetMon. Or, the simplest way to avoid that would be to enable the older secure channel protocols like SSL 3.0, SSL 2.0 on each of these participating servers.
This third party tool can be used to check such configurations in one shot.
I would also request you to check if the SQL server version being used over here can support these old protocols (They should, generally we see the otherwise scenario where newer protocols require some service packs).
If the above actions don't help, you may raise a support request with Microsoft so that this can be looked into from both SQL and CRM standpoint.
Thanks,
Saurabh
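A read-only check of the settings discussed in this thread, as an added example that is not part of any poster's reply: it lists the Schannel protocol values and the two .NET Framework values named above as they are currently set in the registry on the machine where it runs. The Schannel key path and the `v2.0.50727` / `v4.0.30319` subkeys (standing in for `<VERSION>`) are assumptions not given in the thread.

```powershell
# Added example: read-only audit, run on both the CRM server and the SQL server.
# Assumption: standard Schannel location; the thread does not spell this path out.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$roles = 'Client', 'Server'

# Assumption: these two subkeys stand in for <VERSION> in the thread.
$netRoots = 'HKLM:\SOFTWARE\Microsoft\.NETFramework',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'
$netVersions = 'v2.0.50727', 'v4.0.30319'
$netValues = 'SchUseStrongCrypto', 'SystemDefaultTlsVersions'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent (OS default applies).
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Build the list of (key, value name) pairs to inspect.
$checks = @()
foreach ($p in $protocols) {
    foreach ($r in $roles) {
        foreach ($n in 'Enabled', 'DisabledByDefault') {
            $checks += [pscustomobject]@{ Key = Join-Path $schannel "$p\$r"; Name = $n }
        }
    }
}
foreach ($root in $netRoots) {
    foreach ($v in $netVersions) {
        foreach ($n in $netValues) {
            $checks += [pscustomobject]@{ Key = Join-Path $root $v; Name = $n }
        }
    }
}

# Report every value; '(not set)' means nothing is configured explicitly.
$checks | ForEach-Object {
    $data = Get-RegValue -Path $_.Key -Name $_.Name
    [pscustomobject]@{
        Key   = $_.Key -replace '^HKLM:\\', 'HKLM\'
        Name  = $_.Name
        Data  = if ($null -eq $data) { '(not set)' } else { $data }
    }
} | Format-Table -AutoSize -Wrap
```

Comparing the output from both machines shows whether a protocol the client offers is explicitly disabled on the server side; if a value keeps returning after being changed, something such as a group policy is reapplying it.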
Saurabh,
I verified the following settings on my servers and I'm still seeing the same error on the install. I have also restarted the servers. Can you think of any other settings to check? Thanks!
-Chris
SQL Native Client on CRM server:
DB Server config:
TLS Client setting on CRM/DB Server
TLS Server setting on CRM/DB server:
Cryptography setting on DB server: