
Error -2147467259 "Data provider or other service returned an E_FAIL status" when running a query from a Vista client to SQL Server 2008 Express (with SSL enabled) by ForeTony


Status: Active

Type: Bug
ID: 478201
Opened: 7/29/2009 7:45:45 AM
Access Restriction: Public
Workaround(s): 1
User(s) can reproduce this bug: 0

Description

When running a query that returns an ADO recordset of a certain size I receive an error:

-2147467259 Data provider or other service returned an E_FAIL status.

This problem only happens when these conditions are all met:
• The client is Vista
• The client is using the SQLOLEDB provider
• SSL (Force Encryption) is enabled on the SQL Server
• The data returned is of a certain size (changing the query or the data in the table by one byte will cause it to succeed)

If any of these conditions is changed, the query succeeds. It seems to be related to the size of the data that is received back from SQL Server since changing one character of the query will cause it to work.

Details
Posted by Microsoft on 6/22/2010 at 12:39 PM
Hi,

Thank you for reporting this problem and for the nice and simple repro scenario. We have investigated the details and found that the problem is related to a known issue which is fixed in Windows 7.

A bit of technical information on the issue - due to the specifics of the data being queried, the result is split into multiple TDS packets. When encryption is enabled, SChannel SSPI API adds an SSL trailer to the packets. In Vista and higher, the default cipher may add a variable-sized trailer, which WDAC netlibs were not able to handle properly when estimating the size of data to be received. This causes an additional receive request until the timeout expires.

Please let me know if you have any questions. This item has been resolved.
Thank you,
Jivko Dobrev - MSFT
--------------------------------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
Posted by Microsoft on 6/22/2010 at 12:39 PM
Hi,

Thank you for reporting this problem and for the nice and simple repro scenario. We have investigated the details and found that the problem is related to a known issue which is fixed in Windows 7. As you have mentioned, for prior versions of Windows, a simple workaround exists - use SQL Server Native Client instead of WDAC. I hope this workaround is acceptable for your environment.

A bit of technical information on the issue - due to the specifics of the data being queried, the result is split into multiple TDS packets. When encryption is enabled, SChannel SSPI API adds an SSL trailer to the packets. In Vista and higher, the default cipher may add a variable-sized trailer, which WDAC netlibs were not able to handle properly when estimating the size of data to be received. This causes an additional receive request until the timeout expires.

Please let me know if you have any questions. This item has been resolved.
Thank you,
Jivko Dobrev - MSFT
--------------------------------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
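
The variable-sized trailer described in the reply above, as an added example that is not part of the original thread and is not Microsoft's code: it computes the per-record TLS 1.0 trailer for the two AES-CBC suites named in the workaround and, for contrast, for the stream suite TLS_RSA_WITH_RC4_128_SHA. Assumptions: minimal CBC padding, one TLS record per TDS packet, a 4096-byte TDS packet size, and illustrative function names.

```python
MAC_LEN = 20      # HMAC-SHA1 tag appended by every *_SHA suite
AES_BLOCK = 16    # AES-CBC block size in bytes
TDS_HEADER = 8    # fixed TDS packet header
CBC_SUITES = ("TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA")
RC4_SUITE = "TLS_RSA_WITH_RC4_128_SHA"


def trailer_len(plaintext_len, suite):
    """Bytes TLS 1.0 appends after the plaintext of one record."""
    if suite in CBC_SUITES:
        # MAC plus 1..16 padding bytes so the encrypted body fills whole
        # blocks (assumes minimal padding; TLS 1.0 permits up to 255 bytes).
        return MAC_LEN + AES_BLOCK - (plaintext_len + MAC_LEN) % AES_BLOCK
    if suite == RC4_SUITE:
        return MAC_LEN  # stream cipher: MAC only, no padding
    raise ValueError("suite not modelled: " + suite)


def tds_packets(result_len, packet_size=4096):
    """Split result_len bytes of data into TDS packet lengths (header included).

    packet_size=4096 is an assumed negotiated size, not a value from the thread.
    """
    body = packet_size - TDS_HEADER
    full, rest = divmod(result_len, body)
    return [packet_size] * full + ([rest + TDS_HEADER] if rest else [])


def trailers(result_len, suite):
    """Trailer length per TDS packet, assuming one TLS record per packet."""
    return [trailer_len(p, suite) for p in tds_packets(result_len)]


if __name__ == "__main__":
    # Constructed result sizes one byte apart: only the CBC trailer moves.
    for n in (9000, 9001, 9002):
        for suite in (RC4_SUITE, CBC_SUITES[0]):
            print(n, suite, trailers(n, suite))
```

With a stream suite the trailer is the same for every packet, while with the CBC suites the last packet's trailer shifts whenever the result grows or shrinks by a byte, so a receiver that sizes its read from a fixed trailer is correct only for some result lengths.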
Posted by Microsoft on 7/30/2009 at 10:53 AM
Thank you for your feedback regarding this issue you are encountering. We are currently investigating this issue. Once we have a better understanding of the problem, we will post an update.

Regards,
Microsoft SQL Server
Posted by ForeTony on 8/13/2009 at 9:07 AM
Since the problem happens when both server and client are Vista, I found some information on the differences between XP and Vista in regards to SSL. I compared the Cipher Suites used, which are outlined in these two links:

Cipher Suites in XP
http://msdn.microsoft.com/en-us/library/aa380512(VS.85).aspx

Cipher Suites in Vista
http://msdn.microsoft.com/en-us/library/aa374757(VS.85).aspx

By removing these two cipher suites via group policy, the problem went away.
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA

The group policy setting is located here: Computer Configuration | Administrative Templates | Network | SSL Configuration Settings | SSL Cipher Suite Order

This should narrow down the problem. We will use this as a workaround for now, but hopefully this will be fixed in a future service pack.
We see the problem in Windows 7 as well.
File Name Submitted By Submitted On File Size  
SSL Problem.zip (restricted) 7/29/2009 -