KB4017023 - SQL Server 2012, 2014 or 2016 Backup to Microsoft Azure Blob storage service URL isn't compatible for TLS 1.2

Applies to: SQL Server 2014 Developer, SQL Server 2014 Enterprise, SQL Server 2014 Enterprise Core

Symptoms


Assume that you are using Microsoft SQL Server 2012, 2014 or 2016. When you back up a database to a Microsoft Azure Blob storage service URL, the operation may fail, and you receive the following error messages both on the client side and in the SQL Server error log.

SQL Server client error

SQL Server error log

<DateTime>    ======== BackupToUrl Initiated =========
<DateTime> Inputs: Backup = True, PageBlob= True, URI = https://<BlobStorageServerName>.blob.core.windows.net/sqlbackup/<DB_Backup_Name.bak>, Acct= lbtesting2096, Key= KeyValue, FORMAT= False, Instance Name = MSSQLSERVER, DBName = <DB_Name> LogPath = C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Log
<DateTime>    Process Id: 3668
<DateTime>     Time for Initialization = 202.7451 ms
<DateTime>    BackupToUrl Client is getting configuration from SqlServr
<DateTime>    Time for Handshake and VDI config = 31.2507 ms
<DateTime>    Time for Get BlobRef = 15.6263 ms
<DateTime>    Time for - EXCEPTION Get Fetchattributes = 45364.4979 ms
<DateTime>    An exception occurred during communication with Azure Storage, exception information follows
<DateTime>    Exception Info: The underlying connection was closed: An unexpected error occurred on a receive.
<DateTime>    Stack:    at Microsoft.WindowsAzure.Storage.Core.Executor.Executor.ExecuteSync[T](StorageCommandBase`1 cmd, IRetryPolicy policy, OperationContext operationContext)   at BackupToUrl.Program.MainInternal(String[] args)
<DateTime>    The Active queue had 1 requests until we got a clear error.

This error occurs if your client server enabled Transport Layer Security (TLS) protocol version 1.2 with the following registry.

Workaround for SQL Server 2012


This issue happens if the installed .NET Framework has a preference for TLS 1.0 although it supports TLS 1.2.

There is no fix available for SQL Server 2012. To work around this issue for SQL Server 2012 by enabling strong cryptography, do the following:

  • Back up the registry.
  • Open Registry Editor, and navigate to the following registry subkeys: HKLM\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\ and HKLM\SOFTWARE\Microsoft\.NETFramework\
  • Under each of these keys, subkeys named for the version numbers (such as v4.5, v4.5.1) exist. Add a DWORD value named SchUseStrongCrypto with value 1 for each version.
  • Under HKLM\SOFTWARE\Microsoft\.NETFramework, key names do not have to be exactly 4.5 or 4.5.1. Mostly they will start with v2.0XXX, v3.0XXX and v4.0XXX. Add the DWORD value named 'SchUseStrongCrypto' with value 1 for all versions available.
  • Reboot the SQL Server machine.
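
The registry steps above can be audited, and optionally applied, with a script. The following PowerShell is an added example, not part of the original article; the -Apply switch and the backup file location under %TEMP% are assumptions of this example. Run it from an elevated session, and reboot afterwards as in the last step.

```powershell
# Added example: report SchUseStrongCrypto for every .NET Framework version subkey
# in both registry views; with -Apply, export a backup and set the value to 1.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Apply)   # -Apply is this example's own switch (assumption)

$roots = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'
)

$results = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }   # no Wow6432Node on a 32-bit OS

    if ($Apply) {
        # Step 1 of the workaround: back up the key before changing it.
        # The file name and %TEMP% location are choices made for this example.
        $regPath = $root -replace '^HKLM:\\', 'HKLM\'
        $backup  = Join-Path $env:TEMP (($regPath -replace '[\\.]', '_') + '.reg')
        reg.exe export $regPath $backup /y | Out-Null
    }

    # Version subkeys start with "v" and a digit (v2.0..., v3.0..., v4.0...);
    # other subkeys under .NETFramework are left untouched.
    Get-ChildItem -LiteralPath $root |
        Where-Object { $_.PSChildName -match '^v\d' } |
        ForEach-Object {
            $current = (Get-ItemProperty -LiteralPath $_.PSPath -Name SchUseStrongCrypto `
                        -ErrorAction SilentlyContinue).SchUseStrongCrypto

            if ($Apply -and $current -ne 1 -and
                $PSCmdlet.ShouldProcess($_.Name, 'Set SchUseStrongCrypto = 1')) {
                New-ItemProperty -LiteralPath $_.PSPath -Name SchUseStrongCrypto `
                    -PropertyType DWord -Value 1 -Force | Out-Null
                $current = 1
            }

            [pscustomobject]@{
                Key                = $_.Name
                SchUseStrongCrypto = if ($null -eq $current) { '<not set>' } else { $current }
                Compliant          = ($current -eq 1)
            }
        }
}

$results | Format-Table -AutoSize
if ($results.Compliant -contains $false) {
    Write-Warning 'Some version subkeys lack SchUseStrongCrypto = 1; rerun with -Apply, then reboot.'
}
```

Running it without -Apply changes nothing and only lists which version subkeys still lack the value; -WhatIf together with -Apply previews the writes.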

Note: You can also try to install .NET Framework 4.8. By default, .NET Framework 4.7 and later versions are configured to use TLS 1.2 and allow connections using TLS 1.1 or TLS 1.0.

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.