GRT restore job fails for SharePoint Server Subscription Edition backup sets.
Article ID: 100075577
Updated On:
Description
Error Message
Job log reports below error:
0xe00003d3 - Backup Exec cannot enumerate the objects from the SharePoint database.
And spswrapper debug logs on SharePoint server reports below error:
[2e98] 09/08/25 11:49:21 Exception in Engine: ex: Microsoft.Data.SqlClient.SqlException (0x80131904): A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)
Cause
The Restore job is failing because of the March 2025 onward updates related to SharePoint Server Subscription Edition. These updates are enforcing Encryption between SharePoint Server and SQL Server for SharePoint Server APIs even when the Encryption is not enabled on the SQL Server.
Resolution
Configure a connection certificate for the SQL Server that hosts the Content database and the SharePoint Server. This means that
- The SQL Server must be configured with a valid certificate
- The SharePoint Server must trust this certificate
Follow the steps below:
- Create a self-signed certificate on SQL Server and store in local server’s certificate store. Run below commands on SQL Server using PowerShell (Run as Administrator):
# Define parameters
$certificateParams = @{
Type = "SSLServerAuthentication"
Subject = "CN=$env:COMPUTERNAME"
DnsName = @("$($env:COMPUTERNAME)", $([System.Net.Dns]::GetHostEntry('').HostName), 'localhost')
KeyAlgorithm = "RSA"
KeyLength = 2048
HashAlgorithm = "SHA256"
TextExtension = "2.5.29.37={text}1.3.6.1.5.5.7.3.1"
NotAfter = (Get-Date).AddMonths(36)
KeySpec = "KeyExchange"
Provider = "Microsoft RSA SChannel Cryptographic Provider"
CertStoreLocation = "cert:\LocalMachine\My"
}
# Call the cmdlet
New-SelfSignedCertificate @certificateParams
- Make sure SQL Server service account has permission to certificate private key:
- On the SQL server, open SQL Server Configuration Manager (Type ‘compmgmt.msc’ in Run) and choose “SQL Server Services”.
- Check the “Log On As” column for the “SQL Server” service. It may be a domain account, or a built-in account like “NT Service\MSSQLSERVER”. That is the account that needs permission to the certificate private key.
- Open “Certificates Manager” (type “certlm.msc” in Run)
- Go to Personal | Certificates.
- Find the SQL certificate was just installed and Right-click | All Tasks | Manage Private Keys
- Add the account there that you found is running the “SQL Server” service, for example: “NT Service\MSSQLSERVER”
- Restart the SQL Server instance service
- Trust the SQL certificate on SharePoint Servers
- On SQL Server, open “SQL Server Configuration Manager”, expand “SQL Server Network Configuration”, right-click on “Protocols for MSSQLSERVER”, and choose “Properties”.
- Click on ‘Certificate” and then select the certificate created earlier from drop down, click the “View” button to view the certificate. Click the “Details” tab, then the “Copy to File” button. Use the wizard to export the certificate WITHOUT the private key to a “DER encoded binary x.509 (.CER)” file. Click ‘Apply’ to apply the selected certificate.
- click the “View” tab to view the certificate. Click the “Details” tab, then the “Copy to File” button. Use the wizard to export the certificate WITHOUT the private key to a “DER encoded binary x.509 (.CER)” file.
- Copy that .cer file to all SharePoint servers in the farm and import it to the “Trusted Root Certification Authorities” store.
- On SharePoint servers, open “Certificates Manager). Go to “Trusted Root Certification Authorities” and right click on “Certificates” -> “All Tasks” -> “Import”. Select the copied certificate file and install it.
- Run the GRT Restore now.
References
Issue/Introduction
Additional Information
