Disabling TLS1, Veeam Backup & Replication 9.5 Failed to truncate Microsoft SQL Server transaction logs – 0x80004005

A recent vulnerability scan flagged that the GPO to disable TLS 1.0 (think PCI DSS) hadn’t been picked up by all the systems that it should have.

The reasons why it wasn’t are out of scope of this blog post.

What is worth discussing, however, is that once this had been rectified and TLS 1.0 was disabled, Veeam Backup & Replication 9.5 could no longer perform application-aware processing on the MS SQL instances running on these machines.

Here is what the Veeam console reported:

Unable to truncate Microsoft SQL Server transaction logs. Details: Failed to process 'TruncateSQLLog' command. Failed to truncate SQL server transaction logs for instances: MYINSTANCE. See guest helper log.

OK, so checking the helper log, I found these:

7/11/2018 3:23:04 AM   4328                  Using default SQL provider 'sqloledb' to connect to SQL server
7/11/2018 3:23:04 AM   4328  INFO            Connecting to mssql, connection string: Provider='sqloledb';Data Source='(local)';Integrated Security='SSPI';Persist Security Info=False, timeout: 15
7/11/2018 3:23:22 AM   4328  WARN                	Code = 0x80004005
7/11/2018 3:23:22 AM   4328  WARN                	Code meaning = Unspecified error
7/11/2018 3:23:22 AM   4328  WARN                	Source = Microsoft OLE DB Provider for SQL Server
7/11/2018 3:23:22 AM   4328  WARN                	Description = [DBNETLIB][ConnectionOpen (SECCreateCredentials()).]SSL Security error.
7/11/2018 3:23:22 AM   4328  WARN                COM error:  Code: 0x80004005

Once I saw that SSL Security error, it was obvious to me that this was related to the recent TLS 1.0 disablement.

Just to be sure, I enabled TLS 1.0 on one of the affected machines, and the warning went away on the next scheduled backup.

While I can’t find the exact URL of the MSDN post that led me to the resolution, that post suggested that enabling the SQL Native Client provider should do the trick.

This needs to be done on every machine running MS SQL that Veeam backs up using application-aware processing.

To do that, create the following registry value (DWORD, shown here as the key path followed by the value name) and set it to 1:

HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\UseSqlNativeClientProvider

I also had the machine rebooted, but I’m not sure if it was required.
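
One way to apply the setting above consistently on each SQL Server guest, as an added example that is not part of the original post. The function name is hypothetical, the key path and value name are the ones given above, and the SCHANNEL path used to report the TLS 1.0 server state is the standard Windows location, which the post itself does not mention.

```powershell
# Added example (not from the original post). Run in an elevated 64-bit PowerShell
# session on each SQL Server guest; a 32-bit session is redirected to WOW6432Node.
function Set-VeeamSqlNativeClientProvider {   # hypothetical function name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Key path and value name are the ones given in the post.
        [string]$KeyPath   = 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication',
        [string]$ValueName = 'UseSqlNativeClientProvider'
    )

    # Standard SCHANNEL location for the TLS 1.0 server setting (assumption, not from the post).
    $tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'
    $tls = Get-ItemProperty -Path $tlsKey -ErrorAction SilentlyContinue
    $tlsState = 'OS default'
    if ($tls -and $null -ne $tls.Enabled) {
        $tlsState = if ($tls.Enabled -eq 0) { 'Disabled' } else { 'Enabled' }
    }

    # Read the current value, if any, so the change is idempotent and auditable.
    $before = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $changed = $false

    if ($before -ne 1 -and $PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set DWORD to 1')) {
        if (-not (Test-Path -Path $KeyPath)) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
        $changed = $true
    }

    # One object per machine, suitable for collecting into a report.
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Tls10Server   = $tlsState
        PreviousValue = $before
        CurrentValue  = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        Changed       = $changed
    }
}

Set-VeeamSqlNativeClientProvider
```

Calling the function with `-WhatIf` reports the current state without writing to the registry.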