SECDoClientHandshake() SSL Security error connecting SQL Server when you try to install Microsoft Dynamics CRM Server 2016

This article provides a solution to an error that occurs when you try to install Microsoft Dynamics CRM Server 2016.

Applies to:   Microsoft Dynamics CRM Server 2016
Original KB number:   4077486

Symptoms

When you try to install Dynamics CRM Server 2016, the Environment Diagnostics wizard fails with this error message:

Error| Check SqlServerValidator : Failure: Could not connect to the following SQL Server: 'Server Name'. Verify that the server is up and running and that you have SQL Server administrative credentials. [DBNETLIB][ConnectionOpen (SECDoClientHandshake()).]SSL Security error.

Cause

The Dynamics CRM Server 2016 wizard requires connectivity check through Microsoft OLE DB Provider for SQL Server to start database creation. The installation documentation lists software installed during the setup. It includes the Install or upgrade Microsoft Dynamics CRM Server. The setup uses this native client and during the phase of the configuration database creation, OLE DB connection is required.

This connectivity failure reproduces when a test connection is created for the given SQL Server through a Universal Data Link (UDL) file.

1. Open Notepad.
2. Save the file as Connectivity Test.udl and file type as All Files.
3. Open the saved file.
4. Select Microsoft OLE DB Provider for SQL Server as the provider.
5. Provide server connection and authentication details.
6. Test the connection or open list of databases.
7. The connection fails with same error message.

It fails because the secured connection between the Dynamics CRM Server 2016 and the SQL Server needs TLS 1.0 to be enabled for the OLE DB Provider for SQL Server. And the SQL Server may not have TLS 1.0 enabled for secure channel communication.

The connectivity may fail even if TLS 1.1 or 1.2 is enabled on the SQL Server as the OLE DB Provider for SQL Server supports only TLS 1.0. Support for TLS 1.2 is provided for the providers listed in this article.

Resolution

Enable TLS 1.0 for Microsoft OLE DB Provider for SQL Server on SQL Server. TLS 1.0 can be enabled with the following registry changes:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "DisabledByDefault"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "DisabledByDefault"=dword:00000000

If the organization policy requires TLS 1.0 to be disabled, it can be done after the installation completes:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server] "DisabledByDefault"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "DisabledByDefault"=dword:00000001

TLS 1.0 may also need to be enabled on Dynamics CRM Server 2016 as client.

More information

TLS 1.0 can be disabled on SQL Server and Dynamics CRM Server 2016 after the installation completes if the organization policy needs TLS 1.0 disabled.

References

• SQL Server Native Client
• Install or upgrade Microsoft Dynamics CRM Server
• KB3135244 - TLS 1.2 support for Microsoft SQL Server
• Enable and Disable TLS 1.0
• Microsoft OLE DB Provider for SQL Server Overview