Troubleshooting Encrypted SQL Connections

Article ID: 393796

Updated On: 04-09-2025

Products

Carbon Black App Control

Issue/Introduction

Steps for troubleshooting encrypted SQL Server connections between the App Control Server and the remote SQL Server

Environment

  • App Control Server: All Supported Versions
  • Microsoft SQL Server: All Supported Versions
  • Microsoft Windows Server: All Supported Versions
  • Two Tier Environment

Resolution

Important Notes:

  • When App Control is installed in a Single Tier environment, Shared Memory should be used. 
  • Configuring SQL Server Encryption is outside the scope of Carbon Black Support and may require assistance from Microsoft for proper configuration.
  • In some instances, until Force Encryption in SQL Server is set to Yes, encrypted communication might not be used.
  1. Verify ForceEncryption and Certificate settings
    1. Launch SQL Server Configuration Manager and expand SQL Server Network Configuration.
    2. Right-click Protocols for MSSQLSERVER > Properties.
    3. Under Flags, verify Force Encryption is set to Yes.
    4. Choose Certificate and verify the correct Certificate is chosen.
  2. Verify Certificate settings
    1. On the SQL Server, open Local Computer Certificates (Start > Run > certlm.msc > OK).
    2. Expand Certificates > Personal > Certificates > relevant Certificate > All Tasks > Manage Private Keys.
    3. Verify the Identity for the SQL Server service is granted Full Control and Read permissions.
    4. Verify the Public version of the same Certificate is imported on the server hosting the Console in Trusted Root Certification Authorities.
  3. Restart SQL Server if any changes are made.
  4. Verify connections via SQL Server Management Studio
    1. Run SQL Server Management Studio from the application server hosting the Console, as the Carbon Black Service Account.
    2. Connect to the remote SQL Server and execute the query:
      SELECT Program_Name, net_transport, encrypt_option, auth_scheme, client_net_address
      FROM sys.dm_exec_connections AS c
      JOIN sys.dm_exec_sessions AS s ON c.session_id = s.session_id
      ORDER BY Program_Name
    3. Verify Carbon Black App Control and .Net SqlClient Data Provider both show:
      • net_transport: TCP
      • encrypt_option: TRUE
      • encrypt_option: TRUE
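
The check in step 4 can also be summarized per program, so that a non-TCP or unencrypted connection, or a program with no connection at all, stands out instead of being read row by row. This query is an added example, not part of the original article or of Carbon Black's tooling; it assumes the two program names appear in the DMV exactly as written in step 4.3.

```sql
-- Added example: per-program summary of the step 4 verification.
-- Assumption: program_name values match the names given in step 4.3.
WITH expected (program_name) AS (
    SELECT v.program_name
    FROM (VALUES (N'Carbon Black App Control'),
                 (N'.Net SqlClient Data Provider')) AS v (program_name)
),
conn AS (
    SELECT s.program_name, c.net_transport, c.encrypt_option
    FROM sys.dm_exec_connections AS c
    JOIN sys.dm_exec_sessions AS s ON c.session_id = s.session_id
)
SELECT e.program_name,
       -- Connections currently open for this program
       COUNT(conn.program_name) AS total_connections,
       -- Connections meeting both conditions from step 4.3
       SUM(CASE WHEN conn.net_transport = 'TCP'
                 AND conn.encrypt_option = 'TRUE' THEN 1 ELSE 0 END) AS encrypted_tcp,
       CASE
           -- No rows is not a pass: the program is simply not connected
           WHEN COUNT(conn.program_name) = 0 THEN 'NO CONNECTIONS FOUND'
           WHEN COUNT(conn.program_name) =
                SUM(CASE WHEN conn.net_transport = 'TCP'
                          AND conn.encrypt_option = 'TRUE' THEN 1 ELSE 0 END)
               THEN 'OK'
           ELSE 'CHECK: unencrypted or non-TCP connection present'
       END AS result
FROM expected AS e
LEFT JOIN conn ON conn.program_name = e.program_name
GROUP BY e.program_name
ORDER BY e.program_name;
```

A result of NO CONNECTIONS FOUND means the check could not be made for that program, not that its connections are encrypted.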