  • 1. Using Encryption with Microsoft SQL Server 2000. Kevin McDonnell, Technical Lead, SQL Server Support, Microsoft Corporation
  • 2. Presentation Content
    • We will discuss how to set up Microsoft® SQL Server™ 2000 with SSL encryption
    • This is not a discussion on Certificate Server, PKI, or an in-depth discussion of SSL
  • 3. Data Encryption: SQL Server 7.0 vs. SQL Server 2000
    • In SQL Server 7.0, we used the Multiprotocol library and enabled the encryption option
      • Not strong encryption
      • Requires additional protocol MSRPC
      • Requires additional ports opened on the firewall
      • Not supported for named instances
    • SQL Server 2000
      • Strong encryption
      • Uses only the TCP protocol
  • 4. SQL Server 2000 Encryption
    • There is no wizard to install a certificate
    • There is no SQL GUI to manage certificates
    • There is no way to identify which connections are encrypted and which connections are not
    • There is no SQL GUI to verify a certificate is valid
    • The certificate is read on the server during SQL Server startup
  • 5. SQL Server 2000 Overview: Net-Library Architecture
    • Diagram labels: TCP, IPX/SPX; Net-Library Router; Encryption Layer; SSNetLib (Server Socket Net-Library); SQL Server
  • 6. SQL Server 2000 Client Overview
    • Requires MDAC 2.6 or later to be installed
    • Does not require SQL Server 2000 Tools
    • Programmers can request SSL encryption in their connection string
      • ODBC: Encrypt=Yes
      • OLE DB: Use Encryption for Data=True
  • 7. SQL Server 2000 Client Overview: Net-Library Architecture
    • Diagram labels: Client Application; OLE DB Provider or ODBC Driver; Client Net-Library (DBNetlib.dll); TCP, IPX/SPX; Net-Library Router; Encryption Layer
  • 8. Certificate Request From a Microsoft Certificate Authority Server
    • SQL Server 2000
      • Enterprise CA: MMC request.
      • Stand-Alone CA: Web request: Use advanced request using a form.
    • Virtual SQL Server 2000 Cluster
      • Enterprise CA: Web request: Use advanced request using a form. Change certificate template to Web Server.
      • Stand-Alone CA: Web request: Use advanced request using a form. Must specify virtual server name.
  • 9. Encryption Planning for SQL Server 2000: Enabling SSL Encryption from the Server
    • Use the SQL Server Network Utility
    • Forces all incoming connections to be encrypted
    • Install server certificate only
    • All or nothing — the server will not start if the certificate is not found or is invalid
  • 10. Encryption Planning for SQL Server 2000 (2): Enabling Encryption from the Client Using the Client Network Utility
    • Use the SQL Server Client Network Utility
    • Forces all client connections to be encrypted
    • Can no longer connect to SQL Server 7.0
    • Install server certificate — client requires updated Trusted Root Authority
  • 11. Certificate Request From a Stand-Alone CA
  • 12. Certificate Request: Change the Intended Purpose
  • 13. Certificate Request: Certificate Store Location
  • 14. Certificate Request: Submit Certificate Request to CA
  • 15. Certificate Request: Pending CA Approval
  • 16. Certificate Request: Check on a Pending Certificate
  • 17. Certificate Request: Select the Certificate Request You Want To Check
  • 18. Certificate Request: Install the Certificate
  • 19. View Certificate in MMC
  • 20. Certificate General Information
  • 21. SQL Server 2000 Server Network Utility
    • Select the “Force protocol encryption” check box to enable SSL encryption
  • 22. SQL 2000 Server Registry
    • The registry key that shows server-enabled encryption is: HKLM\Software\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib
  • 23. Certificate Request From an Enterprise CA
  • 24. Certificate Request Using MMC
  • 25. Certificate Request (2) Using MMC
  • 26. Certificate Request (3) Using MMC
  • 27. Certificate Request (4) Using MMC
  • 28. Certificate Request (5) Using MMC
  • 29. Client Request for Encryption
    • The SQL Server must have the certificate installed
    • The client computer must update the Trusted Root Authority
    • Export the Trusted Root Authority from the server and import it on the client computer
    • Enable “Force protocol encryption” from the SQL Client Network Utility or use the appropriate connection string
    • Recommended for SQL Server cluster
  • 30. SQL Server 2000 Client Network Utility
    • Enabling the “Force protocol encryption” option
  • 31. SQL Client Registry
    • Client registry: HKLM\Software\Microsoft\MSSQLServer\Client\SuperSocketNetLib
  • 32. Sample ODBC Connection
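The client slides say encryption can be requested per connection with `Encrypt=Yes` (ODBC) or `Use Encryption for Data=True` (OLE DB). The following is an added example, not part of the original presentation: it parses connection strings and reports the ones that do not request encryption. The server names, credentials and the first-occurrence rule for repeated keywords are assumptions of the example.

```python
TRUTHY = {"yes", "true"}
ENCRYPT_KEYS = ("encrypt", "use encryption for data")  # keywords from the slides

def parse_conn_string(conn):
    """Split 'key=value;key=value' into a dict with lower-cased keys."""
    pairs, i, n = {}, 0, len(conn)
    while i < n:
        eq = conn.find("=", i)
        if eq == -1:
            break
        key = conn[i:eq].strip(" ;").lower()
        start = eq + 1
        if conn.startswith("{", start):  # a braced value may contain ';' and '='
            close = conn.find("}", start)
            close = n if close == -1 else close
            value = conn[start + 1:close]
            semi = conn.find(";", close)
        else:
            semi = conn.find(";", start)
            value = conn[start:(n if semi == -1 else semi)].strip()
        i = n if semi == -1 else semi + 1
        pairs.setdefault(key, value)  # assumption: first occurrence of a keyword wins
    return pairs

def requests_encryption(conn):
    """True only when an encryption keyword is present and set to Yes/True."""
    pairs = parse_conn_string(conn)
    return any(pairs.get(k, "").lower() in TRUTHY for k in ENCRYPT_KEYS)

def audit(named):
    """Return the names of connection strings that do not request encryption."""
    return sorted(name for name, cs in named.items() if not requests_encryption(cs))

# Constructed samples; sqlvs1, pubs and the credentials are placeholders.
SAMPLES = {
    "odbc_encrypted": "Driver={SQL Server};Server=sqlvs1;Database=pubs;Trusted_Connection=Yes;Encrypt=Yes",
    "odbc_plain": "Driver={SQL Server};Server=sqlvs1;Database=pubs;Trusted_Connection=Yes",
    "oledb_encrypted": "Provider=SQLOLEDB;Data Source=sqlvs1;Integrated Security=SSPI;Use Encryption for Data=True",
    "odbc_disabled": "Driver={SQL Server};Server=sqlvs1;Encrypt=No",
    "odbc_decoy": "Driver={SQL Server};Server=sqlvs1;UID=app;PWD={x;Encrypt=Yes}",
}

if __name__ == "__main__":
    print(audit(SAMPLES))
```

The `odbc_decoy` entry shows why a plain substring search for `Encrypt=Yes` is not enough: the text sits inside a braced password value and is not a keyword.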
  • 33. Knowledge Base Articles
    • Q309398, “PRB: SQL Server 2000 Installation Fails with "SSL Security error :ConnectionOpen (SECDoClientHandshake())" Error Message”
    • Q302409, “FIX: Unable to Connect to SQL Server 2000 When Certificate Authority Name Is the Same As the Host Name of the Windows 2000 Computer”
    • Q318605, “INF: How SQL Server Uses a Certificate When the Force Protocol Encryption Option is Set On”
    • Q316898, “HOW TO: Enable SSL Encryption for SQL Server 2000 with Microsoft Management Console”
    • Q276553, “HOW TO: Enable SSL Encryption for SQL Server 2000 with Certificate Server”
  • 34. Known Issues
    • Microsoft® Visual Studio® .NET installs the Microsoft SQL Server Desktop Edition of SQL Server. If there are certificates on the computer that are not used for SQL Server, setup may fail.
    • See Q309398, “PRB: SQL Server 2000 Installation Fails with "SSL Security error :ConnectionOpen (SECDoClientHandshake())" Error Message.”
    • The SQL Server 2000 release required the certificate’s intended purpose to be client authentication.
    • Local store versus current user.
  • 35. SetCert Utility
    • Included with the SQL Server 2000 resource kit
    • Permits you to control the certificate used for SQL Server
  • 36. CAPICOM
    • Cryptographic COM component
    • Permits you to write scripts to manage certificate stores
    Microsoft (R) Windows Script Host Version 5.6
    Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
    Subject Name:
    SHA-1 Thumbprint: 791B74BFD698B477F7768566365D44FE78BCEF9D
    Valid To: 3/12/2003 2:34:49 PM
    Extended Key Usage: Server Authentication(
  • 37. Summary
    • SQL Server 2000 encryption can be implemented from the server or client
    • The certificate must be installed on the server and the intended purpose must be server authentication
    • The SQL Server service account must be the same account that requested the certificate
    • If the client requests an encrypted connection, the Trusted Root Authority must be updated on the client computer
    • Certificates on a SQL Server cluster must be issued to the virtual SQL Server name
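The summary requirements can be checked mechanically against a certificate listing like the one under slide 36. The following is an added example, not part of the original presentation or of CAPICOM: it parses a constructed listing in that "Label: value" layout and reports certificates that lack the Server Authentication purpose, are not issued to the expected (virtual) server name, or have expired. The host names, thumbprints, the `CN=` subject format and the month/day/year date order are assumptions.

```python
from datetime import datetime

# Constructed listing in the layout of the slide 36 output; all values are placeholders.
LISTING = """\
Subject Name: CN=sqlvs1.corp.example
SHA-1 Thumbprint: AA00000000000000000000000000000000000001
Valid To: 3/12/2003 2:34:49 PM
Extended Key Usage: Server Authentication(1.3.6.1.5.5.7.3.1)

Subject Name: CN=node1.corp.example
SHA-1 Thumbprint: AA00000000000000000000000000000000000002
Valid To: 1/5/2002 9:00:00 AM
Extended Key Usage: Client Authentication(1.3.6.1.5.5.7.3.2)
"""
VIRTUAL_NAME = "sqlvs1.corp.example"  # hypothetical virtual SQL Server name
NOW = datetime(2002, 6, 1)            # fixed "current" date for the example

def parse_listing(text):
    """Split blank-line separated blocks into {label: value} dicts."""
    certs = []
    for block in text.strip().split("\n\n"):
        parts = (line.partition(":") for line in block.splitlines())
        certs.append({k.strip(): v.strip() for k, sep, v in parts if sep})
    return certs

def findings(cert, expected_name, now):
    """Check one parsed certificate against the summary slide's requirements."""
    problems = []
    if "Server Authentication" not in cert.get("Extended Key Usage", ""):
        problems.append("purpose is not Server Authentication")
    rdns = [p.strip() for p in cert.get("Subject Name", "").split(",")]
    cn = next((p[3:] for p in rdns if p.upper().startswith("CN=")), "")
    if cn.lower() != expected_name.lower():
        problems.append("not issued to " + expected_name)
    try:  # month/day/year order is an assumption about the listing's locale
        valid_to = datetime.strptime(cert.get("Valid To", ""), "%m/%d/%Y %I:%M:%S %p")
    except ValueError:
        problems.append("Valid To unreadable")
    else:
        if valid_to <= now:
            problems.append("expired")
    return problems

def audit(text, expected_name, now):
    return {c.get("SHA-1 Thumbprint", "?"): findings(c, expected_name, now)
            for c in parse_listing(text)}

if __name__ == "__main__":
    print(audit(LISTING, VIRTUAL_NAME, NOW))
```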
  • 38. Thank you for joining us for today’s Microsoft Support WebCast.
    • For information on all upcoming Support WebCasts and access to the archived content (streaming media files, PowerPoint® slides, and transcripts), please visit:
    • We sincerely appreciate your feedback. Please send any comments or suggestions regarding the Support WebCasts to [email_address]