I said earlier that I have a bunch of *good* friends who remember me whenever they hit an issue with SQL Server. So I got a call from my friend, and he told me that he was not able to connect to SQL Server from some clients. Since it’s only a few clients, we can easily rule out the SQL Engine itself not allowing connections. I asked him to connect via SQL Server Management Studio and got the error below.
TITLE: Connect to Server
Cannot connect to SQLDBServer.
A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 0 – The token supplied to the function is invalid) (Microsoft SQL Server, Error: -2146893048)
For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&EvtSrc=MSSQLServer&EvtID=-2146893048&LinkId=20476
I did some basic troubleshooting, as below:
- Tested basic connectivity with ping, telnet, etc. Everything was working fine except the connection to the SQL engine from this machine.
- The error message says SSL, but there was no certificate used in SQL Server.
The next major task was to find out what the difference between the two was. So I asked him what had been done on the “bad” client. He said that he had applied a bunch of Windows updates. Looking at the list, I found one which talks about SSL.
http://support.microsoft.com/kb/2643584 (MS12-006: Vulnerability in SSL/TLS could allow information disclosure: January 10, 2012)
We checked the machines and found that SendExtraRecord was 1 on the “bad” client, whereas on the other “good” clients it was 2.
Here are the steps taken to solve the issue (taken from the KB):
- Click Start, click Run, type regedit in the Open box, and then click OK.
- Locate and then click the following subkey in the registry:
- On the Edit menu, point to New, and then click DWORD Value.
- Type SendExtraRecord for the name of the DWORD value, and then press Enter.
- Right-click SendExtraRecord, and then click Modify.
- In the Value data box, type 2 to disable the split record in schannel, and then click OK.
- Exit Registry Editor.
In our case it was 1, and changing it to 2 fixed the issue; we were able to convert the bad clients to good clients.
Hope this helps.