channel binding error when EPA is required and connection is encrypted

    Question

  • SQL Server 2008 R2, Force Encryption is ON, Extended Protection for Authentication is REQUIRED, the service SPN is defined successfully.

    When I try to connect with SSMS using my Windows creds, I receive this channel binding error:

    SSPI handshake failed with error code 0x80090346, state 46 while establishing a connection with integrated security; the connection has been closed. Reason: The Channel Bindings from this client are missing or do not match the established Transport Layer Security (TLS) Channel. The service might be under attack, or the data provider or client operating system might need to be upgraded to support Extended Protection. Closing the connection.

    If force encryption is set to OFF, the connection succeeds.

    Any quick thoughts? thx

    Thursday, August 22, 2013 5:48 PM

Answers

  • Hi JustKevin,

    When Extended Protection for Authentication is set to Required, only connections from protected applications on protected operating systems are accepted. This setting is the most secure, but connections from operating systems or applications that do not support Extended Protection will not be able to connect to SQL Server.

    There are more details about how to connect to the Database Engine by using Extended Protection. You can review the following article.
    http://technet.microsoft.com/en-us/library/ff487261.aspx

    Thanks,
    Sofiya Li


    TechNet Community Support

    Friday, August 23, 2013 3:19 PM