SQL Connection Error when credentials are correct
Problem
In certain circumstances, iQSonar reports a credential failure when attempting to connect to an MS SQL server, even though the credentials are actually correct.
This occurs when there is a miss-match between the versions of SSL enabled on the target server and on the scan engine server
Background
There are known weaknesses in the earlier versions of the SSL protocol. These weaknesses are addressed in newer versions of the protocol.
When configuring new servers, it is best practice to disable access to TLS 1.0 / 1.1, and certain configuration options do this by default. However if the scan engine is required to scan targets that do not automatically apply all updates from Microsoft, it is possible that customers may encounter a scenario where the target server only supports TLS 1.0/1.1, and the scan engine is configured to use TLS 1.2/1.3 only. This will result in the scan engine being unable to connect to the SQL server on the target.
If "normal" level logging is configured, the error in the log file will simply reflect a credential failure.
If "debug logging" is enabled for the TSQL connection type, the following error may be found in the log file:
System.Data.SqlClient.SqlException (0x80131904): A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The client and server cannot communicate, because they do not possess a common algorithm.)
Solution
Recommended:
Apply security updates to the target SQL servers. See this page from Microsoft for details.
Alternative work-around:
If it is not possible to update the target sql servers to enable TLS 1.2, then you may wish to enable TLS 1.0/1.1 on the scan engine. This represents a security risk however and is not best practice.
Related articles