Encrypted connections to SQL Server databases

To improve security when connecting from ArcGIS Pro to Microsoft SQL Server databases, you can configure database connections in ArcGIS Pro to request encrypted connections using Transport Layer Security (TLS) encryption.

This requires that you configure the SQL Server instance to use TLS encryption. If you are not the SQL Server database administrator, check with your database administrator to confirm that the instance is configured to use TLS encryption.

Be aware that, as with most security measures, encryption makes the data you send across your network between SQL Server and your client more secure, but it also impacts performance.

Connect to a SQL Server instance secured with a TLS certificate from a certifying authority

Extra security should be in place when connecting to a production instance of SQL Server because it stores data that is critical to your business. By default, encryption of all network traffic for a connection requires that the server computer have a certificate provisioned, and the client machine must be set up to trust the certificate's root authority. You may need to contact your IT department to configure your client machines to validate the TLS certificate used on a production SQL Server machine.


If you plan to publish layers that reference data in a registered database on a secure SQL Server instance, you must configure each ArcGIS Server machine to validate the SQL Server machine's TLS certificate.

When you create a database connection file in ArcGIS Pro, append Encrypt=yes to the instance string in the Database Connection dialog box or Create Database Connection geoprocessing tool.

When you include more than one parameter in the instance string, separate each parameter with a semicolon (;). For example, provide the following information for the instance value for a production SQL Server instance, myserver\mysqldb, that is provisioned with a TLS certificate from a certifying authority (CA): myserver\mysqldb;Encrypt=yes.

In this example, the client machine validates the SQL Server TLS certificate.

Connect to a test SQL Server instance

To use encryption even when a TLS certificate from a certifying authority has not been provisioned, you can include the TrustServerCertificate=yes parameter in the instance string. When you specify this parameter, the client application uses a self-signed certificate generated by SQL Server. Self-signed certificates do not guarantee security and may be vulnerable to man-in-the-middle attacks. Only use self-signed certificates and the TrustServerCertificate=yes parameter when you connect to a development or test instance of SQL Server.

In the following example, an encrypted connection is made to a SQL Server development instance named mydevserver\mytestsql: mydevserver\mytestsql;Encrypt=yes;TrustServerCertificate=yes.