Management Server Configuration Wizard on Endpoint Protection Manager fails to connect to the SQL database

Article ID: 156113

Products

Endpoint Protection

Issue/Introduction

You try to create the Symantec Endpoint Protection Manager (SEPM) database on your SQL server, or you run the Management Server Configuration Wizard to reconfigure the database. You see the message "Error 11501: Unable to create the database for Symantec Endpoint Protection Manager" or "Unable to connect to the database."

Error 11501: Unable to connect to the database. Make sure that you have entered the correct database parameters, and that the firewall is not blocking the connection, then try again. Please click here for more information.

 

The following error is written to the Microsoft SQL ERRORLOG:

2017-05-01 19:13:50.88 Logon       Error: 17835, Severity: 20, State: 1.
2017-05-01 19:13:50.88 Logon       Encryption is required to connect to this server but the client library does not support encryption; the connection has been closed. Please upgrade your client library. [CLIENT: 10.122.30.4]

Cause

  • In the Management Server Configuration Wizard, you need to choose SQL Authentication instead of Windows Authentication
  • Network connectivity between the Symantec Endpoint Protection Manager and the Microsoft SQL Server is unavailable
  • The TCP/IP protocol is disabled in Microsoft SQL Server itself
  • Force Encryption is enabled on SQL

Environment

2008 SQL server

2012 SQL server

2014 SQL server

Resolution

There are four problems that can cause this error message to appear.

In the Management Server Configuration Wizard, you need to choose SQL Authentication instead of Windows Authentication

The TCP/IP protocol is disabled in Microsoft SQL Server itself

In this case, enable the TCP/IP protocol in Microsoft SQL Server. To enable TCP/IP, follow the instructions for your version of Microsoft SQL Server:

  • Microsoft SQL Server 2000: In SQL Server Network Utility, add TCP/IP to the Enabled protocols list.
  • Microsoft SQL Server 2005, 2008, or 2012: In SQL Server Configuration Manager, go to SQL Server Network Configuration > Protocols for MSSQLSERVER, and enable the TCP/IP protocol.
    Once you enable the TCP/IP protocol, restart the SQL Server service.

Network connectivity between the Symantec Endpoint Protection Manager and the Microsoft SQL Server is unavailable

  • Ensure that the SEPM can communicate with the SQL server.
  • Ensure that the SQL server's IP address is entered correctly in the Management Server Configuration Wizard.
  • Use the ping command to determine whether network traffic can flow between the SEPM computer and the SQL server.

Force Encryption is enabled on SQL (for SEP 12 only)

Forced encryption is not supported on SEP 12. The traffic between the SEPM and the SQL server is, by default, not encrypted. For this reason, we recommend co-locating the SEPM and SQL server on their own secure subnet. (Page 85 of the Implementation Guide for SEP 12.1.)

  • Open the SQL Server Configuration Manager
  • Expand SQL Server Network Configuration
  • Right click on Protocols for , click on Properties
  • Change Force encryption value to No

Once you change the Force Encryption setting, restart the SQL Server service.
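To confirm from the server side that Force Encryption is what rejects the SEPM connection, the ERRORLOG entries shown earlier can be matched by error number and grouped by client address. The following Python sketch is an added example, not Symantec or Microsoft tooling; the function names are hypothetical, and every sample line except the two quoted in this article is constructed.

```python
import re
from collections import Counter

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<src>\S+)\s+"
# First line of an error entry: "<timestamp> <source> Error: N, Severity: N, State: N."
HEADER = re.compile(TS + r"Error: (?P<err>\d+), Severity: \d+, State: (?P<state>\d+)\.")
# Second line: same timestamp and source, followed by the message text.
MESSAGE = re.compile(TS + r"(?P<text>.*)$")
CLIENT = re.compile(r"\[CLIENT: (?P<addr>[^\]]+)\]")
ENCRYPTION_REQUIRED = 17835  # error number from the ERRORLOG excerpt in this article

# The first two lines are the excerpt quoted in this article; the rest are constructed.
SAMPLE = [
    "2017-05-01 19:13:50.88 Logon       Error: 17835, Severity: 20, State: 1.",
    "2017-05-01 19:13:50.88 Logon       Encryption is required to connect to this server but the client library does not support encryption; the connection has been closed. Please upgrade your client library. [CLIENT: 10.122.30.4]",
    "2017-05-01 19:14:02.10 Logon       Error: 18456, Severity: 14, State: 8.",
    "2017-05-01 19:14:02.10 Logon       Login failed for user 'example_user'. [CLIENT: 192.0.2.15]",
    "2017-05-01 19:15:11.42 Logon       Error: 17835, Severity: 20, State: 1.",
    "2017-05-01 19:15:11.42 Logon       Encryption is required to connect to this server but the client library does not support encryption; the connection has been closed. Please upgrade your client library. [CLIENT: 10.122.30.4]",
    "2017-05-01 19:16:30.07 spid52      Constructed informational line with no error header.",
]

def encryption_rejections(lines):
    """Return (timestamp, client, state) for every error 17835 entry in the log lines."""
    hits, pending = [], None
    for raw in lines:
        line = raw.rstrip("\r\n")
        header = HEADER.match(line)
        if header:
            # Remember the header only when it is the encryption-required error.
            pending = header if int(header["err"]) == ENCRYPTION_REQUIRED else None
            continue
        message = MESSAGE.match(line)
        # The message line must carry the same timestamp and source as its header.
        if pending and message and (message["ts"], message["src"]) == (pending["ts"], pending["src"]):
            client = CLIENT.search(message["text"])
            hits.append((pending["ts"], client["addr"] if client else None, int(pending["state"])))
        pending = None
    return hits

def rejected_clients(lines):
    """Count encryption-required rejections per client address."""
    return Counter(client for _, client, _ in encryption_rejections(lines))
```

If the SEPM's address appears in the result, the rejection is caused by the Force Encryption setting rather than by authentication or network reachability.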

Note: As of SEP 14, the SEPM supports communication with the SQL Server over a TLS-encrypted channel. Symantec provides a tool (SetSQLServerTLSEncryption.bat) to enable or disable TLS encryption between the management server and the Microsoft SQL Server. This tool is in the Tools folder of the SEPM directory structure. Force Encryption is supported in SEP 14 as long as the SEPM has TLS enabled (this is on by default). You can check by running C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools\SetSQLServerTLSEncryption.bat at a command prompt.