Summary

This article contains information about establishing an SQL connection over TLS 1.2 using InstallShield.

Synopsis

Including SQL scripts in a Basic MSI project is organized by connection. No script can run on a server until a connection has been established. InstallShield requires a SQL Server ODBC driver or OLE DB provider to use the SQL Scripting functionality.

Discussion

If you want to use the new capabilities that Microsoft SQL Server offers, and you want to employ TLS 1.2 (Transport Layer Security 1.2) you must configure InstallShield to use a driver that supports them. Otherwise, InstallShield SQL connection will not work.

The default ISSQLDBMetaData entry for Microsoft SQL Server is configured to use a SQL Server OLE DB provider. A change is required to use a different OLE DB provider and you have to change the value of the AdoDriverName column specific to that provider. Since connection strings for ODBC drivers are different from OLE DB providers, more settings may need to be changed in your InstallShield project.

This article is intended to provide the manual settings required in the IDE when targeting connections through TLS 1.2. This is a non-exhaustive list. Some of the various connection issues you may experience are described below. Each one may require any or all of the specific settings required for TLS found in the Additional Information section below:

• Provider cannot be found. It may not be properly installed.
• A network-related or instance-specific error has occurred while establishing a connection to SQL Server (-2146893007).
• ODBC Driver 11 for SQL Server invalid connection string (0).
• SQL Server Native Client 11.0 SSL Provider. The client and server cannot communicate because they do not possess a common algorithm.
• SQLState: '08001' SQL Server Error 18. See Knowledge Base article Installer is unable to create a database connection - working with TLS 1.2.

After the expected TLS settings are established and enabled on the server and client in your environment manually and you have added a connection through the InstallShield IDE, change the InstallShield project manually to allow connection. These changes are specific to allow the SQL connection to use ODBC Driver for SQL Server compliant with TLS 1.2.

NOTE: The table ISSQLDBMetaData is populated with data after a New SQL Connection is added in the IDE. For more information, see SQL Scripts View.

Step 1: Modify the Property Manager Specifying a New Value

Modify the Property Manager specifying a new value. In this step navigate to Behavior and Logic > Property Manager. Locate the property IS_SQLSERVER_NETLIB_MS and change its value.

Property Manager

Step 2: Use Direct Editor to Modify Data

Using the Direct Editor, change all of the data specified below in the ISSQLDBMetaData table.

ISSQLDBMetaData table

Related Documents

• Introducing TLS v1.2
• Microsoft ODBC Driver for SQL Server
  
  NOTE: The KB #3135244 from Microsoft is very relevant and should be an article used for reference with any matter involved with TLS 1.2.
• TLS 1.2 support for Microsoft SQL Server

Additional Information

The following is a list of details implied to be established when working with TLS 1.2.

• SQL Server version and cumulative update/patched per Microsoft specification. Reference KB #3135244.
• .Net 4.5 or newer installed.
• TLS/SSL settings established found here: TLS/SSL Settings.
• Ensure SQL server service is running on server.
• TLS 1.0 and TLS 1.1 disabled in the Registry.
• Certification authority with the hash algorithm as SHA 256.
• SQL Server Native Client drivers installed (see KB #3135244).
• ODBC Driver for SQL Server installed (see KB #3135244).
• Specific Operating System Updates with TLS 1.2 support established (see KB #3135244).
• SChannel key block - Restrict protocol communication on servers to TLS 1.2 only in the Registry.
• Ensure the SChannel data in the Registry under ..\SCHANNEL\Protocols\TLS 1.2 includes both Client and Server (Image below).

NOTE: When working with or changing SChannel key block or any of the GPO (Group Policy) settings it is recommended both server and client be restarted.