question

sakuraime asked ·

SQL SSL encryption connection error The target principal name is incorrect

I have a failover cluster on SQL 2012, and I have a self-installed Certificate Authority (CA) on one of my servers in the same domain. I generated a certificate with CN=sqlvname.domain.com and also SANs for the FQDNs of the physical nodes.

When I use SSMS on the cluster node, it can connect successfully (Encrypt connection).

However, on another server, also using SSMS to connect to sqlvname.domain.com, it says:

[image: 79454-image.png]

Any issues you can think of?


With Trust certificate, it can connect. But I remember we should not trust the certificate, and should let the client verify the cert.

sql-server-general

I found, interestingly, that only providing sqlvname during the connection can finally successfully do the encryption.

However, providing sqlvname.domain.com can't ......


1 Answer

AmeliaGu-msft answered ·

Hi sakuraime,

To enable an SSL certificate on a SQL Server cluster, have you specified the certificate used by SQL Server to encrypt connections in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.x\MSSQLServer\SuperSocketNetLib\Certificate? This key contains a property of the certificate known as thumbprint that identifies each certificate in the server. In a clustered environment, this key will be set to Null even though the correct certificate exists in the store.
And for the client to request the SSL encryption, the client computer must trust the server certificate and the certificate must already exist on the server.
Please refer to How to enable SSL encryption for an instance of SQL Server and How to Enable SSL Certificate-Based Encryption on a SQL Server Failover Cluster which might help.

Best Regards,
Amelia
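
A check for the registry point in the answer above, added here as an example and not part of the original thread: it reads the thumbprint from the SuperSocketNetLib\Certificate value on the local node, finds that certificate in the machine store, and lists its CN and SAN values next to the names clients type. The $InstanceKey parameter stands in for the MSSQL.x key name, which you must supply; $ClientNames defaults to the two names from the question.

```powershell
# Added example, not from the thread. Run elevated on each cluster node.
param(
    # Instance key the answer writes as "MSSQL.x"; supply the real key name from your registry.
    [Parameter(Mandatory = $true)][string]$InstanceKey,
    # Names clients type into SSMS; the defaults are the two names from the question.
    [string[]]$ClientNames = @('sqlvname', 'sqlvname.domain.com')
)

$regPath = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$InstanceKey\MSSQLServer\SuperSocketNetLib"
$thumb = (Get-ItemProperty -Path $regPath -Name Certificate -ErrorAction Stop).Certificate
if ([string]::IsNullOrEmpty($thumb)) {
    Write-Warning "Certificate value is empty on $env:COMPUTERNAME; no thumbprint is configured on this node."
    return
}

# Keep only hex digits so stray spaces or invisible characters from copy/paste do not hide a match.
$clean = $thumb -replace '[^0-9A-Fa-f]', ''
if ($clean.Length -ne $thumb.Length) {
    Write-Warning "Registry value contains non-hex characters."
}

$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $clean }
if (-not $cert) {
    Write-Warning "No certificate with thumbprint $clean in LocalMachine\My on $env:COMPUTERNAME."
    return
}

# Subject CN, plus every value in the Subject Alternative Name extension (OID 2.5.29.17).
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanNames = @()
if ($sanExt) {
    # Format($false) returns "label=value, label=value"; keep the values only.
    $sanNames = @($sanExt.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[1] })
}

"Node: $env:COMPUTERNAME  Thumbprint: $($cert.Thumbprint)"
"Subject CN: $cn   Expires: $($cert.NotAfter)   Private key present: $($cert.HasPrivateKey)"
"SAN entries: $($sanNames -join ', ')"
foreach ($name in $ClientNames) {
    # String comparison in PowerShell is case-insensitive by default, which suits DNS names.
    "{0,-25} equals CN: {1,-5} listed in SAN: {2}" -f $name, ($name -eq $cn), ($sanNames -contains $name)
}
```

Running it on every node shows whether each one points at the same certificate and whether that certificate carries the name the failing client uses.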



Yes, I already did that.

but my question is

I found, interestingly, that only providing sqlvname during the connection can finally successfully do the encryption.

However, providing sqlvname.domain.com can't ......

And sqlvname.domain.com is the CN of the cert.
