A recent vulnerability scan flagged that the GPO to disable TLS 1.0 (think PCI DSS) wasn’t picked up by all the systems it should have applied to.
The reasons why it wasn’t are out of scope of this blog post.
What is worth discussing, however, is that once this had been rectified and TLS 1.0 was disabled, Veeam Backup & Replication 9.5 could no longer do application-aware processing on MS SQL instances running on these machines.
Here is what the Veeam console reported:
Unable to truncate Microsoft SQL Server transaction logs. Details: Failed to process 'TruncateSQLLog' command. Failed to truncate SQL server transaction logs for instances: MYINSTANCE. See guest helper log.
OK, so checking the helper log I found these:
7/11/2018 3:23:04 AM 4328 Using default SQL provider 'sqloledb' to connect to SQL server
7/11/2018 3:23:04 AM 4328 INFO Connecting to mssql, connection string: Provider='sqloledb';Data Source='(local)';Integrated Security='SSPI';Persist Security Info=False, timeout: 15
7/11/2018 3:23:22 AM 4328 WARN Code = 0x80004005
7/11/2018 3:23:22 AM 4328 WARN Code meaning = Unspecified error
7/11/2018 3:23:22 AM 4328 WARN Source = Microsoft OLE DB Provider for SQL Server
7/11/2018 3:23:22 AM 4328 WARN Description = [DBNETLIB][ConnectionOpen (SECCreateCredentials()).]SSL Security error.
7/11/2018 3:23:22 AM 4328 WARN COM error: Code: 0x80004005
Once I saw that SSL Security error, it was obvious to me that this was related to the recent TLS 1.0 disablement.
Just to be sure, I enabled TLS 1.0 on one of the affected machines, and the warning went away on the next scheduled backup.
While I can’t find the exact URL of the MSDN post that led me to the resolution, that post suggested that enabling the SQL Native Client provider should do the trick.
This needs to be done on every machine running MS SQL that Veeam backs up using application-aware processing.
So, to get that going, create the following registry value (DWORD) with a value of 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\UseSqlNativeClientProvider
I also had the machine rebooted, but I’m not sure whether it was required.
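
The registry change described above, as an added PowerShell example that is not part of the original post or of Veeam's tooling. It first reports the TLS 1.0 state from the standard Windows SCHANNEL registry location (an assumption about where the GPO lands; the post does not name it), then sets UseSqlNativeClientProvider only if it is not already 1. Run it elevated on each SQL Server guest, with -WhatIf to preview.

```powershell
#Requires -RunAsAdministrator
# Added example: verify TLS 1.0 state, then enable the Veeam native client setting.
[CmdletBinding(SupportsShouldProcess)]
param()

# Standard SCHANNEL protocol location (assumption: the GPO writes here).
$schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0'
# Key and value name taken from the post.
$veeamKey  = 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication'
$valueName = 'UseSqlNativeClientProvider'

# Report the TLS 1.0 setting for both roles; the OLE DB provider acts as the
# client and the local SQL Server instance as the server.
foreach ($role in 'Client', 'Server') {
    $p = Get-ItemProperty -Path (Join-Path $schannel $role) -ErrorAction SilentlyContinue
    $state = if ($null -eq $p -or $null -eq $p.Enabled) { 'not configured (OS default applies)' }
             elseif ($p.Enabled -eq 0) { 'disabled' }
             else { 'enabled' }
    Write-Output "TLS 1.0 $role : $state"
}

# Create the Veeam key if it does not exist yet on this guest.
if (-not (Test-Path -Path $veeamKey)) {
    if ($PSCmdlet.ShouldProcess($veeamKey, 'Create registry key')) {
        New-Item -Path $veeamKey -Force | Out-Null
    }
}

# Read the current value (null if the key or value is missing), then set it
# only when needed so repeated runs change nothing.
$current = (Get-ItemProperty -Path $veeamKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($current -eq 1) {
    Write-Output "$valueName is already 1"
}
elseif ($PSCmdlet.ShouldProcess("$veeamKey\$valueName", 'Set DWORD to 1')) {
    New-ItemProperty -Path $veeamKey -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output "$valueName set to 1 (was: $(if ($null -eq $current) { 'absent' } else { $current }))"
}
```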