TLS 1.2 registry keys (4294565)

How to make sure that connection with SQL will use TLS 1.2 and not any of the currently unsecured methods

In some circumstances, the following error message will be displayed in the AutObjects.log

Failed to initialize reporter: [DBNETLIB][ConnectionOpen (SECDoClientHandshake()).]SSL Security error.

Enhancement Request: RMADFE-2001

Due to SSL 2, 3 and TLS 1.0 and 1.1 being insecure, RMAD 9.0+ do support TLS 1.2 communication only

However, the proper SQL OLEDB Provider needs to be set otherwise, the connection will fail with the error message mentioned above

This is in part due to the expectation for a different registry key from the one usually used:"DisabledByDefault"=dword:00000001

Solution

An Enhancement Request RMADFE-2001 has been submitted to add the required Registry Key

Workaround

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]

"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]

"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]

"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]

"Enabled"=dword:00000000

Side Note

It is possible that even with the Registry Keys above, the error message persist.

In that case, please make sure to remove any legacy modules and binaries from previous version of SQL Server as those can generate conflicts.

If the issue continues, use a UDL file to test the native communication to the SQL server. If you experience the same error using the UDL file, there is a native communication issue that needs to be resolved before RMAD will work:

1. Create a file named test.udl on the RMAD server
2. Double click the file to invoke it
3. Enter the name of the SQL server, and instance if applicable
4. Ensure Use Windows Integrated is selected
5. Click Test Connection
6. Click the dropdown, select one of the databases in the list and click Test Connection

Also ensure the account you are running the Online Restore Wizard as has db_owner rights on the database or if you want to use minimal permissions the account must be assigned to db_datareader, db_datawriter roles and have rights to execute all the usp_* procedures, as follows:

• usp_GetSummaryReportBody
• usp_GetSessionErrors
• usp_GetReportsList
• usp_GetReportsHeader
• usp_GetReportBody
• usp_GetReplicationHistory
• usp_GetOptionalObjects
• usp_GetOptionalAttributes
• usp_GetObjectChildren
• usp_GetObjectAttributes
• usp_GetAllObjects
• usp_GetAllChildObjects
• usp_GetAllAttributes