Enabling SSL/TLS Encryption for SQL Server in SharePoint Environments

Introduction

In enterprise-grade SharePoint environments, securing the communication between SharePoint servers and SQL Server is paramount. By default, data exchanged between SQL Server and its clients is not encrypted, leaving it vulnerable to interception on the network.

To comply with security standards such as ISO 27001, HIPAA, GDPR, or LGPD, it is highly recommended to implement SSL/TLS encryption for SQL Server connections—particularly when deploying SharePoint farms across subnets, virtual networks, or hybrid topologies.

This article explains, in detail, how to configure SQL Server to enforce encryption using SSL/TLS, and how to validate that encryption is active in SharePoint.


Why Use SSL/TLS for SQL Server?

  • Data Confidentiality: Prevents packet sniffing and man-in-the-middle (MITM) attacks.
  • Compliance: Required by industry standards and internal audit policies.
  • Authentication: Validates the SQL Server identity using digital certificates.
  • Secure Administration: Encrypts communication during management via SSMS or PowerShell.

Prerequisites

Before configuring encryption:

  1. Obtain a valid X.509 certificate:
    • Issued by an internal or external Certificate Authority (CA).
    • Must have the FQDN of the SQL Server in the Subject or Subject Alternative Name (SAN).
    • The Enhanced Key Usage (EKU) extension must include Server Authentication (OID 1.3.6.1.5.5.7.3.1).
  2. Install the certificate:
    • Place it in the Local Computer > Personal store on the SQL Server machine.

Configuring SSL/TLS Encryption for SQL Server

Step 1: Bind the Certificate

  1. Open SQL Server Configuration Manager.
  2. Go to SQL Server Network Configuration > Protocols for [Instance Name].
  3. Right-click Protocols for [Instance Name], choose Properties, and open the Certificate tab.
  4. Select the installed certificate from the dropdown.
  5. On the Flags tab:
    • Set Force Encryption to Yes.
  6. Restart the SQL Server service.

Note: Ensure the SQL Server service account has read access to the private key of the certificate.


Step 2: Configure Client Encryption in SharePoint

SharePoint communicates with SQL Server using .NET clients. If you enforce encryption, clients must also be configured to trust the SQL Server certificate.

Edit the SQL Native Client or .NET connection string to include:

Encrypt=True;TrustServerCertificate=False;

For SharePoint:

  1. Open Central Administration > Manage Servers in this Farm.
  2. Ensure all servers can validate the SQL Server’s certificate chain.
  3. If needed, deploy the CA certificate to Trusted Root Certification Authorities on SharePoint servers.

Alternatively, use TrustServerCertificate=True if the certificate is self-signed—but this is not recommended for production.


Verifying Encrypted SQL Connections

Option 1: SQL Server DMV Query

Run the following query on SQL Server:

SELECT session_id, encrypt_option, net_transport
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;

  • encrypt_option should return TRUE.
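As an added example (not code from the original article), the following PowerShell opens a connection the way a SharePoint server's .NET client does, with Encrypt=True;TrustServerCertificate=False from Step 2, and then runs the DMV query above from inside that same session, so the answer reflects the connection that was actually negotiated rather than a separate SSMS session. It assumes Windows authentication and uses placeholder server and database names.

```powershell
# Added example, not code from the original article.
# Opens a .NET SqlClient connection with encryption required AND certificate validation
# enabled (the setting SharePoint servers should use), then asks SQL Server from inside
# that session whether it is actually encrypted.
# Assumptions: Windows authentication, and placeholder server/database names below.

function Test-SqlTlsConnection {
    param(
        [Parameter(Mandatory)] [string]$ServerFqdn,
        [string]$Database = "master"
    )

    # Encrypt=True: the client requests TLS. TrustServerCertificate=False: the server
    # certificate is validated against this machine's trusted roots and its name must
    # match $ServerFqdn, so a forged or self-signed certificate is rejected.
    $connStr = "Server=$ServerFqdn;Database=$Database;Integrated Security=True;" +
               "Encrypt=True;TrustServerCertificate=False;"

    $conn = New-Object System.Data.SqlClient.SqlConnection($connStr)
    $result = $null
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # Same DMV as in Option 1, scoped to this session with @@SPID.
        $cmd.CommandText = "SELECT encrypt_option, net_transport, auth_scheme " +
                           "FROM sys.dm_exec_connections WHERE session_id = @@SPID;"
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            $result = [pscustomobject]@{
                Server        = $ServerFqdn
                EncryptOption = [string]$reader["encrypt_option"]
                NetTransport  = [string]$reader["net_transport"]
                AuthScheme    = [string]$reader["auth_scheme"]
            }
        }
        $reader.Close()
    }
    catch [System.Data.SqlClient.SqlException] {
        # With TrustServerCertificate=False, an untrusted issuer or a name mismatch fails
        # here (e.g. "The certificate chain was issued by an authority that is not trusted").
        # The fix is to install the issuing CA in Cert:\LocalMachine\Root on the client,
        # not to relax validation.
        Write-Warning "Connection to $ServerFqdn failed: $($_.Exception.Message)"
    }
    finally {
        $conn.Dispose()
    }
    return $result
}

# Usage (placeholder FQDN; replace with the SQL Server instance's FQDN):
$check = Test-SqlTlsConnection -ServerFqdn "your-sql-fqdn.domain.com"
if ($null -ne $check) {
    $check | Format-List
    if ($check.EncryptOption -ne "TRUE") {
        Write-Warning "Session is not encrypted: check Force Encryption on the server and Encrypt=True on the client."
    }
}
```

Run it on each SharePoint server as the farm account, or any account with Windows login rights on the instance. A result with EncryptOption = TRUE confirms both halves of the configuration at once: the server offered TLS and the client accepted the certificate without TrustServerCertificate=True. A connection failure with a trust error points at the CA deployment in Step 2, not at SQL Server.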

Option 2: Wireshark Packet Capture

Capture network traffic on port 1433:

  • Look for TLS handshake.
  • Plaintext SQL queries should not be visible.

PowerShell Script to Verify the Certificate

Here is a PowerShell snippet to check that a certificate suitable for binding is present in the Local Computer Personal store (the binding itself is done in SQL Server Configuration Manager, as in Step 1):

# Look in the computer's Personal store for a certificate that meets the prerequisites:
# FQDN in the Subject or SAN, Server Authentication EKU, still valid, and private key present
# (the SQL Server service account also needs read access to that key; see the note in Step 1).
$sqlFqdn = "your-sql-fqdn.domain.com"
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    ($_.Subject -like "*$sqlFqdn*" -or $_.DnsNameList.Unicode -contains $sqlFqdn) -and
    $_.EnhancedKeyUsageList.FriendlyName -contains "Server Authentication" -and
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date)
}

if ($cert) {
    Write-Output "Certificate found and valid for SSL: $($cert.Thumbprint)"
} else {
    Write-Warning "Valid certificate not found."
}


Troubleshooting Tips

Issue                                   | Cause                                               | Solution
Connection fails after enabling SSL     | Invalid or untrusted certificate                    | Ensure the certificate is valid and trusted on the client
SQL Server doesn’t use the certificate  | Certificate not selected or wrong SAN               | Rebind and ensure FQDN matches certificate subject
SharePoint cannot connect after change  | Certificate trust issue or missing Encrypt settings | Use TrustServerCertificate=True for testing (not production)
SSMS shows “encryption not enabled”     | Encryption not forced or misconfigured              | Set Force Encryption = Yes and restart SQL Server

Summary Table: SSL/TLS Configuration Steps

Step | Action                                     | Tool/Location
1    | Generate or import certificate             | Certificate Authority / MMC
2    | Install cert in LocalMachine\My store      | certlm.msc
3    | Bind cert to SQL instance                  | SQL Server Configuration Manager
4    | Enable Force Encryption                    | SQL Server Configuration Manager
5    | Restart SQL Server                         | Services.msc or SQL Server Configuration Tool
6    | Configure SharePoint servers to trust cert | MMC + Group Policy (if needed)
7    | Validate using DMV or Wireshark            | SQL Server / Network Tools

Published by Edvaldo Guimrães Filho