Encrypted connections to SQL Server databases

To improve security when connecting from ArcGIS Pro to Microsoft SQL Server databases, you can configure database connections in ArcGIS Pro to request encrypted connections using Transport Layer Security (TLS) encryption.

This requires that you configure the SQL Server instance to use TLS encryption. If you are not the SQL Server database administrator, check with your database administrator to confirm that the instance is configured to use TLS encryption.

Be aware that, as with most security measures, encryption makes the data you send across your network between SQL Server and your client more secure, but it also impacts performance.

Connect to a SQL Server instance secured with a TLS certificate from a certifying authority

Extra security should be in place when connecting to a production instance of SQL Server because it stores data that is critical to your business. By default, encryption of all network traffic for a connection requires that the server computer have a certificate provisioned, and the client machine must be set up to trust the certificate's root authority. You may need to contact your IT department to configure your client machines to validate the TLS certificate used on a production SQL Server machine.


If you plan to publish layers that reference data in a registered database on a secure SQL Server instance, you must configure each ArcGIS Server machine to validate the SQL Server machine's TLS certificate.

When you create a database connection file in ArcGIS Pro, either append Encrypt=yes to the instance string on the Database Connection dialog box or Create Database Connection geoprocessing tool, or set the Encrypt property to yes in the Additional Properties section of the Database Connection dialog box.

When you include more than one parameter in the instance string, separate each parameter with a semicolon (;). For example, provide the following information for the instance value for a production SQL Server instance, myserver\mysqldb, that is provisioned with a TLS certificate from a certifying authority (CA):


In the example above, the client machine validates the SQL Server TLS certificate.

Connect to a test SQL Server instance

To use encryption when a TLS certificate from a certifying authority has not been provisioned, you can include the TrustServerCertificate=yes parameter in the instance string or set the TrustServerCertificate property to yes in the Additional Properties section of the Database Connection dialog box. When you specify this parameter, the client application uses a self-signed certificate generated by SQL Server. Self-signed certificates do not guarantee security and may be vulnerable to man-in-the-middle attacks. Only use self-signed certificates and set TrustServerCertificate to yes when you connect to a development or test instance of SQL Server.

In the following example, an encrypted connection is made to a SQL Server development instance named mydevserver\mytestsql by placing the information directly in the instance string text: