SQL Server 2005 Profiler - SSL certificate error

  • Question

  • We have turned on encryption over SSL for a SQL 2005 cluster and receive the following error when trying to connect to an instance for SQL Server Profiler:

    Cannot connect to virtual_name\test.

    ------------------------------
    ADDITIONAL INFORMATION:

    Client unable to establish connection
    SSL Provider: The certificate's CN name does not match the passed value.

     (pfutil90)

    ------------------------------

    The CN = virtual_name in the above error. Any assistance would be greatly appreciated.

    Monday, December 9, 2013 6:07 PM

All replies

  • Hello,

    The issue may be caused by the virtual name of the certificate. According to the BOL:
    If you want to use encryption with a failover cluster, you must install the server certificate with the fully qualified DNS name of the failover clustered instance on all nodes in the failover cluster. For example, if you have a two-node cluster, with nodes named test1.your company.com and test2.your company.com and a failover clustered instance of SQL Server named fcisql, you must obtain a certificate for fcisql.your company.com and install the certificate on both nodes.

    Reference: Enabling Certificate for SSL on a SQL Server 2005 Clustered Installation
    Implementing SSL encryption for SQL Server in a DNS forwarding environment

    Regards,
    Fanny Liu
    TechNet Community Support

    • Marked as answer by caveney Tuesday, December 10, 2013 6:53 PM
    • Unmarked as answer by caveney Friday, December 13, 2013 2:40 PM
    Tuesday, December 10, 2013 7:50 AM
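
The requirement quoted from BOL above (one certificate issued to the FQDN of the failover clustered instance, installed on every node) can be checked node by node. The script below is an added example, not part of the thread or of Microsoft's documentation; `fcisql.example.com` is a placeholder FQDN, and the private-key, validity and Server Authentication columns are general prerequisites for a server certificate rather than points raised in this thread.

```powershell
# Added example: run locally on each cluster node and compare the output.
# Lists every certificate in the computer's Personal store and flags whether
# its subject CN equals the FQDN of the failover clustered instance.
param(
    [string]$ExpectedFqdn = 'fcisql.example.com'   # placeholder, not from the thread
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$sanOid        = '2.5.29.17'           # Subject Alternative Name extension
$nameType      = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$now           = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Simple name of the subject; for a server certificate this is normally the CN.
    $cn = $cert.GetNameInfo($nameType, $false)

    # SAN entries as text, empty when the extension is absent.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    $san = if ($sanExt) { $sanExt.Format($false) } else { '' }

    # OIDs listed in the Enhanced Key Usage extension, if the certificate has one.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    [pscustomobject]@{
        Node          = $env:COMPUTERNAME
        Thumbprint    = $cert.Thumbprint
        SubjectCN     = $cn
        CNMatchesFqdn = ($cn -eq $ExpectedFqdn)   # -eq is case-insensitive for strings
        SAN           = $san
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEku = ($ekuOids -contains $serverAuthOid)
        InValidity    = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
    }
} | Sort-Object CNMatchesFqdn -Descending | Format-List
```

The same thumbprint should appear with `CNMatchesFqdn : True` on every node; a node where it is missing, or where the CN is only the short name, fits the mismatch error reported in the question.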
  • Profiler in fact did not like the \instance_name. I have virtual_name.fqdn.com and a SAN of the short name, just virtual_name. Adding \instance_name rejects the connection. Thank you for your response, Fanny.
    • Marked as answer by caveney Tuesday, December 10, 2013 6:53 PM
    • Unmarked as answer by caveney Friday, December 13, 2013 2:40 PM
    Tuesday, December 10, 2013 6:53 PM
  • I spoke too soon. This issue is not resolved. Without a single change to the certificate or cluster, it is now kicking back the same error message:

    Cannot connect to virtual_name\test.

    ------------------------------
    ADDITIONAL INFORMATION:

    Client unable to establish connection
    SSL Provider: The certificate's CN name does not match the passed value.

    Friday, December 13, 2013 2:39 PM
  • Hi,

    Install client certificate for Virtual server name (virtual server name.domain.com) which is issued by CA on each node. Mostly this is done by the network and system admin teams. After certificate installation, the installed certificate will be listed on the Certificate tab (instance Protocols - Properties). Choose the certificate and restart the SQL Server.

    Thanks. Sajith


    http://sqllive.wordpress.com/

    • Proposed as answer by Fanny Liu Monday, December 23, 2013 2:27 AM
    Sunday, December 15, 2013 11:02 AM
  • This is a cluster, so it does not show up in the list of certificates in SQL Configuration Manager. This is by design and not an issue. I have generated the certificate CN as the FQDN, as well as SANs to cover the short name of each physical hostname, and instances of SQL.

    Thanks,

    -Patrick

    Friday, December 27, 2013 5:15 PM