Today we will discuss a problem you may hit when you receive a brand new server, or an existing server that has been changed (a security update, a new build), and want to deploy an SCCM secondary site on it. You have done all the prerequisite validation as Microsoft recommends (if you still want to review the prerequisites, please see my previous article: Click Here).
The issue is that deploying the SCCM secondary site fails with the error [ODBC SQL SERVER Driver][DBMSLPCN] SSL security error. SECDoClientHandshake() SSL Security error connecting to SQL Server.
Now we have a problem. What can be done to resolve it? Interesting, let's talk about that.
If you look at ConfigMgrSetup.log on the secondary site server, you will see: Error [DBMSLPCN][ConnectionOpen (SECDoClientHandshake()).]SSL Security error.
How to verify the connection?
The same connectivity failure can be reproduced outside of ConfigMgr setup by creating a test connection to the SQL Server through a UDL file:
1. Open Notepad
2. Save the file as 'Connectivity SQL Test.udl' and file type as 'All Files'
3. Open the saved file
4. Select Microsoft OLE DB Provider for SQL Server as the provider
5. Provide server connection and authentication details
6. Test the connection or open list of databases
7. The connection fails with the same SSL security error message
This fails because the secured connection between the secondary site and the SQL Server is negotiated by the legacy Microsoft OLE DB Provider for SQL Server (SQLOLEDB), and that connection needs TLS 1.0 to be enabled. The SQL Server, however, may have TLS 1.0 disabled for secure channel (SCHANNEL) communication, typically as a result of hardening or a security update.
The connection fails even if TLS 1.1 or 1.2 is enabled on the SQL Server, because this provider, without the updates that add TLS 1.2 support, can only negotiate TLS 1.0. Support for TLS 1.2 is provided for the providers listed in the referenced Microsoft article.
To resolve this we have to follow the steps below.
Enable TLS 1.0 for the Microsoft OLE DB Provider for SQL Server on the SQL Server. This is a temporary protocol downgrade for the duration of the installation; TLS 1.0 is deprecated and should be disabled again once setup completes. TLS 1.0 can be enabled with the following registry changes (SCHANNEL reads these values at boot, so a reboot is required for them to take effect):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "DisabledByDefault"=dword:00000000
After making these changes and rebooting, re-initiate the secondary site installation; it went through smoothly as normal.
If the organization policy requires TLS 1.0 to be disabled, it can be disabled again after the installation completes (note that these are the TLS 1.0 keys, the same ones changed above, returned to their hardened values; reboot afterwards):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "DisabledByDefault"=dword:00000001
As per the vendor recommendation, TLS 1.0 may also need to be enabled on the destination server acting as the client (the secondary site server), since the client side of the handshake must offer the protocol too. Click here for reference:
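The whole procedure above (check what SCHANNEL is currently offering, reproduce the UDL test, enable TLS 1.0 temporarily, re-disable it after setup) can be scripted so the downgrade is not forgotten on the server. The following PowerShell is an added example and is not part of the original article or any Microsoft tooling; the server name 'SQLSRV01' and the use of the legacy 'SQLOLEDB' provider are assumptions, adjust them to your environment. Run it elevated on the SQL Server (and on the secondary site server for the Client keys).

```powershell
# Added example, not from the original article. Assumes SQL host 'SQLSRV01'
# and the legacy 'SQLOLEDB' provider; both are assumptions for illustration.
$ProtocolsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # Reports Enabled / DisabledByDefault for each protocol and role, so you can
    # see what SCHANNEL is actually offering before you change anything.
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Client', 'Server') {
            $key   = Join-Path $ProtocolsRoot "$proto\$role"
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                Enabled           = if ($null -ne $props) { $props.Enabled } else { '(absent = OS default)' }
                DisabledByDefault = if ($null -ne $props) { $props.DisabledByDefault } else { '(absent = OS default)' }
            }
        }
    }
}

function Set-SchannelProtocol {
    # Writes the same four values the article lists, for both Client and Server.
    # -Enable $true  => Enabled=1, DisabledByDefault=0 (protocol offered)
    # -Enable $false => Enabled=0, DisabledByDefault=1 (protocol hardened off)
    param(
        [Parameter(Mandatory)][ValidateSet('TLS 1.0', 'TLS 1.1', 'TLS 1.2')][string]$Protocol,
        [Parameter(Mandatory)][bool]$Enable
    )
    $enabled           = if ($Enable) { 1 } else { 0 }
    $disabledByDefault = if ($Enable) { 0 } else { 1 }
    foreach ($role in 'Client', 'Server') {
        $key = Join-Path $ProtocolsRoot "$Protocol\$role"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled'           -Value $enabled           -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value $disabledByDefault -PropertyType DWord -Force | Out-Null
    }
    # SCHANNEL reads these values at boot: a reboot is required before they apply.
    Write-Warning "SCHANNEL $Protocol set to Enabled=$enabled; reboot required to take effect."
}

function Test-SqlOleDbConnection {
    # The UDL test from the article, scripted: open an OLE DB connection with
    # integrated security and return the handshake error text if it fails.
    param(
        [Parameter(Mandatory)][string]$Server,
        [string]$Provider = 'SQLOLEDB',   # legacy provider; try 'MSOLEDBSQL' if installed
        [string]$Database = 'master'
    )
    $cs   = "Provider=$Provider;Data Source=$Server;Initial Catalog=$Database;Integrated Security=SSPI;"
    $conn = New-Object System.Data.OleDb.OleDbConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT @@VERSION'
        [pscustomobject]@{ Server = $Server; Provider = $Provider; Connected = $true;  Error = $null; Version = [string]$cmd.ExecuteScalar() }
    } catch {
        [pscustomobject]@{ Server = $Server; Provider = $Provider; Connected = $false; Error = $_.Exception.Message; Version = $null }
    } finally {
        $conn.Dispose()
    }
}

# Usage, in the order the article follows:
Get-SchannelProtocolState | Format-Table -AutoSize
Test-SqlOleDbConnection -Server 'SQLSRV01'        # reproduces the SSL security error while TLS 1.0 is off
# Set-SchannelProtocol -Protocol 'TLS 1.0' -Enable $true  ; Restart-Computer
# ...run the secondary site installation, confirm ConfigMgrSetup.log is clean...
# Set-SchannelProtocol -Protocol 'TLS 1.0' -Enable $false ; Restart-Computer
```

Running Test-SqlOleDbConnection a second time with -Provider 'MSOLEDBSQL' (the current Microsoft OLE DB Driver for SQL Server, if it is installed) is a quick way to confirm that the failure is specific to the legacy provider and not to the SQL Server's TLS configuration in general. Keep the output of Get-SchannelProtocolState from before the change so the re-disable step restores exactly the hardened state you started from.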
Hope you liked it. Many more solutions in a single place. Keep watching hiraniconfigmgr.com, with contributions from multiple SMEs.
Many problems, one place for solutions.
Thanks & Regards
Email: email@example.com, firstname.lastname@example.org
Follow me: https://www.linkedin.com/in/hiraniconfigmgr