Home > Forefront TMG 2010, Security Updates, Unified Access Gateway, Forefront UAG 2010, Threat Management Gateway, Security > Forefront TMG 2010 SQL Services Fail to Start After Disabling SSL 3.0

Forefront TMG 2010 SQL Services Fail to Start After Disabling SSL 3.0

November 20, 2014

When performing POODLE attack mitigation on the Forefront TMG 2010 firewall by disabling SSL 3.0, you may encounter a scenario in which TMG’s SQL services fail to start after a reboot.

Forefront TMG 2010 SQL Services Fail to Start After Disabling SSL 3.0

Looking through the Windows system event log you may see an error message logged by the Service Control Manager with event ID 36871 which states:

A fatal error occurred while creating an SSL server credential.
The internal error state is 10013.

Forefront TMG 2010 SQL Services Fail to Start After Disabling SSL 3.0

In addition you may also see an error message logged by the Service Control Manager with event ID 7024 which states:

The SQL Server (ISARS) service terminated with service-specific
error %%-2146893007.

Forefront TMG 2010 SQL Services Fail to Start After Disabling SSL 3.0

This can occur when SSL 3.0 is disabled at the same time that TLS 1.0 is also disabled. Even though TLS 1.1 and 1.2 might be enabled, TMG requires that TLS 1.0 specifically be enabled for SQL server services to function properly when SSL 3.0 is disabled.

To resolve this issue, enable TLS 1.0 Server in the registry by changing the value of Enabled to 1, as shown here. If these registry keys do not exist, create them.

Forefront TMG 2010 SQL Services Fail to Start After Disabling SSL 3.0

Restart the server for the change to take effect.

  1. Mark Haddon
    November 25, 2014 at 12:54 am

    Probably a stupid question but is this also the case if TMG is configured to log in W3C format?

  2. December 3, 2014 at 5:27 am

    I didn’t test it, but it probably does. Switching to text file logging doesn’t remove SQL. However, you’ll be less impacted by SQL services being stopped than you would be otherwise. 🙂

  3. Mark Haddon
    December 3, 2014 at 5:45 am

    Thanks Richard. I’m just trying to anticipate future calls from our Security Team to disabling TLS 1.0 🙂

  4. Andrew Welch
    September 16, 2015 at 12:18 am

    Hi Richard
    great article, thank you 🙂

    I have been informed that TLS 1.0 is no longer acceptable for compliance under PCI DSS 3.1, and we are now being asked to disable this 😦 how would this be possible without impacting TMG (and UAG for that matter)? is there a way to move the TMG logging and reporting to another SQL server?

  5. September 18, 2015 at 9:49 am

    Unfortunately TMG will not work without TLS 1.0 enabled, even if you choose another logging option. This is where TMG is really beginning to show its age. :/

  1. No trackbacks yet.
Comments are closed.