Within two environments, where database servers with SQL Server 2008 R2 and SQL Server 2012 are operated, the Extended Protection and SSL Encryption settings have been enabled. Since then, the applications (SharePoint 2010, SharePoint 2013 and ADFS) are having problems connecting to the databases.

The following error message is logged in the SQL Server error logs:

“SSPI handshake failed with error code 0x80090346, state 46 while establishing a connection with integrated security; the connection has been closed. Reason: The Channel Bindings from this client are missing or do not match the established Transport Layer Security (TLS) Channel. The service might be under attack, or the data provider or client operating system might need to be upgraded to support Extended Protection. Closing the connection.”

On the client side, the following error message is logged:

“Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.”

Basically, when both settings are enabled, the remote connection, even through SQL Server Management Studio, does not work anymore. This issue can be resolved by disabling one of the two settings.
If "disabling one of the two settings" still results in the connection between the two servers being encrypted, then your objective might have been achieved sufficiently by using only the other.
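One way to check the point raised in the answer, as an added example that is not part of the original posts: these T-SQL queries read the two settings for the instance and then show what each remote connection actually negotiated. They assume VIEW SERVER STATE permission; `sys.dm_server_registry` is assumed to be available (SQL Server 2008 R2 SP1 or later).

```sql
-- Added example, not from the original thread.

-- 1) The two settings as stored for this instance.
--    ForceEncryption:    0 = off, 1 = on
--    ExtendedProtection: 0 = Off, 1 = Allowed, 2 = Required
SELECT registry_key, value_name, value_data
FROM sys.dm_server_registry
WHERE registry_key LIKE N'%SuperSocketNetLib'
  AND value_name IN (N'ForceEncryption', N'ExtendedProtection');

-- 2) Per-connection view: is the session encrypted, and which
--    authentication scheme (KERBEROS, NTLM, SQL) was used?
--    Local shared-memory connections are excluded because they
--    never cross the network.
SELECT c.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       c.net_transport,
       c.auth_scheme,
       c.encrypt_option,        -- 'TRUE' or 'FALSE'
       c.client_net_address
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s
  ON s.session_id = c.session_id
WHERE c.net_transport <> N'Shared memory'
ORDER BY c.encrypt_option, s.host_name, c.session_id;

-- 3) Summary: any row with encrypt_option = 'FALSE' means some
--    remote clients still connect in clear text with the setting
--    that was left enabled.
SELECT c.auth_scheme,
       c.encrypt_option,
       COUNT(*) AS connection_count
FROM sys.dm_exec_connections AS c
WHERE c.net_transport <> N'Shared memory'
GROUP BY c.auth_scheme, c.encrypt_option
ORDER BY c.encrypt_option, c.auth_scheme;
```

A connection can show `encrypt_option = 'TRUE'` even when the server does not force encryption, because the client can request it, so run the check from the SharePoint and ADFS hosts after changing either setting.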