Solution : Connectivity Error – Provider: SSL Provider, error: 0 – The token supplied to the function is invalid

November 2014
M	T	W	T	F	S	S
	1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30

Posted by blakhani on November 14, 2014

I said earlier that I have bunch of *good* friends who remember me whenever they get any issue with SQL Server. So I got a call from my friend and he told that he is not able to connect to SQL Server from some client. Since it’s only few client, we can easily rule out the issue with SQL Engine not allowing connection. I asked him to connect via SQL Server Management Studio and got below error.

TITLE: Connect to Server
——————————
Cannot connect to SQLDBServer.
——————————
ADDITIONAL INFORMATION:
A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 0 – The token supplied to the function is invalid) (Microsoft SQL Server, Error: -2146893048)
For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&EvtSrc=MSSQLServer&EvtID=-2146893048&LinkId=20476
——————————
BUTTONS:
OK
——————————

Did basic troubleshooting as below

Tested basic connectivity like ping, telnet etc. everything is working fine, except the connection to SQL engine from this machine.
Error message says SSL but there was no certificate used in SQL Server.
There was no certificate used.

Next major task is to find out what is the difference in both servers. So I asked him what were the things done on “bad” client. He said that he applied bunch on Windows updates. Looking at list I found one which talks about SSL.

http://support.microsoft.com/kb/2643584 (MS12-006: Vulnerability in SSL/TLS could allow information disclosure: January 10, 2012)

We check the machines and found that SendExtraRecord was 1 on “bad” client whereas other “good” clients it was 2.

Here were the steps taken to solve the issue. (taken from KB)

Click Start, click Run, type regedit in the Open box, and then click OK.
Locate and then click the following subkey in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
On the Edit menu, point to New, and then click DWORD Value.
Type SendExtraRecord for the name of the DWORD value, and then press Enter.
Right-click SendExtraRecord, and then click Modify.
In the Value data box, type 2 to disable the split record in schannel, and then click OK.
Exit Registry Editor.

In our case it was 1 and making it 2 fixed the issue and were were able to covert bad clients to good clients.

Hope this helps.

Cheers,
Balmukund

This entry was posted on November 14, 2014 at 3:30 AM and is filed under Connectivity, Error. Tagged: pre-login handshake, SQL, SSL Provider, The token supplied to the function is invalid. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Help: SQL Server

Sharing my knowlege about SQL Server Troubleshooting Skills

Blog Stats

Blogroll

Select GETDATE()

Subscribe

Follow Blog via Email

Date < getdate()

Select location from world

Meta

Leave a Reply Cancel reply