
Error Connecting to Production Only - Cannot obtain the schema rowset "DBSCHEMA_TABLES_INFO" for OLE DB provider "DBAmp.DBAmp"

Hi - I get the following error when connecting to production SalesForce:

OLE DB provider "DBAmp.DBAmp" for linked server "dreyfus_salesforce" returned message "Error 5103 : FAHttp::Send::WinHttpSendRequest
Win32Error::
The operation timed out
".
Msg 7311, Level 16, State 2, Line 1
Cannot obtain the schema rowset "DBSCHEMA_TABLES_INFO" for OLE DB provider "DBAmp.DBAmp" for linked server "dreyfus_salesforce". The provider supports the interface, but returns a failure code when it is used.

1. When I test the connection from the DBAmp configuration it succeeds
2. When I test the connection from the actual linked server I created it succeeds
3. I can get to salesforce.com via browser on the server
4. The 3 options I have to check off for the DBAmp OLE Provider are checked
5. I am able to get to and select against data with the linked server when attaching to a sandbox
6. When I log in to salesforce with the DBAmp account I can get in - the user and the profile it's under seem to be fine.

Not sure what other path to go down at this point.
  • 1. Does the error occur for ALL Select statements against the linked server?

    For example does this query fail: Select id from dreyfus_salesforce...[user]

    2. What version of DBAmp are you running?
  • Hi -

    Occurs for any select statement it seems

    Version of DBAmp is 2.18.9
  • Is this a new linked server or one that was functional but stopped working?
  • So to confirm by the word "switching" you mean that you deleted the sandbox linked server and created a new linked server with the same name that connects to production.

    If that is correct then we need to do a web meeting to take a look at your configuration.

    Please email support at forceamp.com with some times/timezone that would work today.
  • OK - I just emailed my availability over to that email address - anytime after 11am EST is fine. Thanks
  • We're having the same error on one of our servers. Both servers are connected to our prod environment using the same credentials. One is getting the error, the other is working without issue. No changes were made to the server currently experiencing the error. What was the solution?
  • Does a simple query like the one below work on that server:

    Select Id from salesforce...[user]
  • Hi, I'm having the same issue.

    This weekend, our production's linked server connection to Salesforce began malfunctioning, even though we have not changed our credentials in the connection settings. We verified that our username and password credentials are correct. We also had someone verify that the DBAmp configuration's connection test functioned correctly; it did.
    After that, a query was run against the linked SALESFORCE server, specifically:

    SELECT * FROM SALESFORCE...sys_sfobjects

    This query returns an error:

    OLE DB Provider "DBAmp.DBAmp" for linked server "SALESFORCE" returned message "Error 5103: FAHttpWin32Error:: A connection with the server could not be established".
    Msg 7311, Level 16, State 2, Line 1
    Cannot obtain the schema rowset "DBSCHEMA_TABLES_INFO" for OLE DB provider "DBAmp.DBAmp" for linked server "SALESFORCE". The provider supports the interface, but returns a failure code when it is used.

    Very similar errors (Always code 5103) have been returned by our regular job executions this weekend. We have people looking into the possibility that it could be proxy or firewall related. Could you please provide some further guidance as to what could be causing this issue, since it's tough to see a change on our end?
  • More than likely you are being impacted by salesforce changing the SSL certificates.

    See this support article for details: http://gsfn.us/t/4r6q6

    In the salesforce link, there is reference to a Test page that can be used to test SHA 256 compatibility. Perform this test by opening the Internet Explorer on the SQL machine itself and clicking on the Test page link.

    If the "SHA 256 test Passed" does not appear or if IE complains about certificate errors, then your server does not have the proper SSL certificates installed. Follow the instructions in the salesforce link.
  • Thanks for the prompt response, Bill.
    Yes, that certainly looks like that would be the issue, wouldn't it? The timing coincides pretty much exactly from their production instance schedule for shifting the encryption over.

    I have notified my colleagues, but as you might imagine given that it's a Sunday night, we'll have to wait until tomorrow to confirm these instructions will resolve our issue.
  • OK, after some testing and research it seems like our systems should be adequately prepared for SHA-256. In fact, it is surprising to many of us that this switch has caused us any issues. Our company deals with large financial transactions and therefore our standard encryption is SHA-256; our machines are configured for it. We have tested with all of our non-prod SQL environments, and they all pass the SHA-256 compatibility test.

    Our DBAs performed these steps:
    1) We need to have Prod DBA who handles DB Amp configurations.
    2) In the DB Amp Configuration, we need to change the hostname from login.salesforce.com to sha2test.salesforce.com and save the changes.
    3) Then we need to connect to Prod/Reporting instance and do the following query “Select Id from salesforce...[user]”
    4) If we see an error message that resembles the following: "INVALID_LOGIN: Invalid username, password, security token; or user locked out." or “Content is not allowed in prolog.”, then this test passed and our integration can validate certificates with the SHA-256 hash algorithm.

    The error message received was not exactly similar to what was described:
    Cannot initialize the data source object of OLE DB provider "DBAmp.DBAmp" for linked server "salesforce".

    Bill, could you please advise on whether or not this error indicates that there was no issue on the TLS based on the content of this error? Or are we having issues with SHA-256 compatibility?
  • "2) In the DB Amp Configuration, we need to change the hostname from login.salesforce.com to sha2test.salesforce.com and save the changes. "

    Please reverse this immediately. The sha2test.salesforce.com should be used ONLY in a browser.

    When you run the Internet Explorer on the server and navigate to sha2test.salesforce.com, do you see certificate errors?
  • We were just using that hostname in the linked server config to attempt a test.

    I just got an email with a screenshot of the compatibility test page being opened on our prod server, via Internet Explorer. It shows "This page can't be displayed." So I suppose it is a SHA-256 compatibility issue.

    Update: It seems like it is some kind of firewall issue on our end.
    However, there is something else that one of our systems engineers needs to know:

    Does DBAmp sign the proc execution with the cert? Or, does DBAmp sign the SOAP call with the cert somewhere along the way?

    He wishes to know if the cert has to be configured or imported elsewhere.
    Strangely, he found that https://login.salesforce.com/services... is still using the generation 3 (G3) Verisign cert:
  • Ask your network engineer to download the G5 certificate found in the salesforce help document and import that as a root certificate on that machine.

    This is not an issue of DBAmp signing. This is DBAmp trying to read an SSL response from salesforce and not having the proper root certificate to authenticate the message.

    You can reach me at support at forceamp.com if you have detailed questions.
  • Bill, unfortunately we have already done that. We have imported the Verisign G5 cert as a root certificate on our production SQL server.

    Our NE seems to strongly think it is tied to our IP address whitelist. The original change on our server for installing DBAmp added several IPs to our whitelist and he believes that the IP for our production instance needs to be added as well, since it is not on there now... for some reason.

    Did the IP of the production instances change when they changed the certificates? They seem to have, since our NE managed to dig up new IP addresses to be whitelisted from SF help docs. I apologize for asking this question (and indeed a good portion of what I have asked previously) since it could be more suitably answered by SF support.
  • If you send me an email to support at forceamp.com I will be happy to join a web meeting to help you diagnose.
  • Unfortunately, I am only a junior developer in this company, and it is a very large company. I am afraid that a web meeting with me would only serve to waste both your and my time. Everything you see in this thread is just about everything I know about the issue.

    Our NE has created a change ticket for the IP addresses he found to be whitelisted -- there is a definite discretion there, since our whitelist does not match that on the Salesforce help docs. If this does not work out for us, I can get my superior to contact you and he would be in a better position to help diagnose.
  • Until you can get the SHA 256 test page to display without error in Internet Explorer on that server, all the other stuff you are doing (whitelists, etc.) is a waste of time.

    Focus on getting the certificates right to make that page display without error.

    For further debugging, I will have to insist on a web meeting.
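
The thread goes back and forth between two causes for Error 5103: the network path (firewall, whitelist) and the certificate chain (missing root). The PowerShell sketch below is an added example, not part of the thread and not DBAmp or Salesforce code; it separates the two stages on the SQL Server machine itself. The function name and port 443 are assumptions; the host name is the one given in the thread.

```powershell
# Added diagnostic sketch. Test-TlsEndpoint is a hypothetical name; port 443 is assumed.
function Test-TlsEndpoint {
    param(
        [string]$HostName = 'login.salesforce.com',  # host named in the thread
        [int]$Port = 443,
        [int]$TimeoutMs = 10000
    )
    $r = [ordered]@{ Host = $HostName; TcpConnected = $false; TlsTrusted = $false
                     PolicyErrors = $null; ChainStatus = @(); LeafSigAlg = $null
                     TopOfChain = $null; Error = $null }
    $seen = @{}   # filled in by the validation callback during the handshake
    $check = {
        param($sender, $cert, $chain, $errors)
        $seen.PolicyErrors = $errors.ToString()
        $seen.ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $n = $chain.ChainElements.Count
        if ($n -gt 0) {
            $seen.LeafSigAlg = $chain.ChainElements[0].Certificate.SignatureAlgorithm.FriendlyName
            $seen.TopOfChain = $chain.ChainElements[$n - 1].Certificate.Subject
        }
        # Accept only what Windows already trusts; validation is never bypassed.
        return ($errors -eq [System.Net.Security.SslPolicyErrors]::None)
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$check

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Stage 1: plain TCP. A failure here is routing, firewall or proxy, not certificates.
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "TCP connect timed out after $TimeoutMs ms"
        }
        $client.EndConnect($pending)
        $r.TcpConnected = $true

        # Stage 2: TLS handshake validated against this machine's certificate store.
        # A missing root typically shows up as UntrustedRoot or PartialChain in ChainStatus.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $r.TlsTrusted = $true
        $ssl.Dispose()
    } catch {
        $r.Error = $_.Exception.GetBaseException().Message
    } finally {
        $client.Close()
    }
    foreach ($k in $seen.Keys) { $r[$k] = $seen[$k] }
    New-Object psobject -Property $r
}

Test-TlsEndpoint | Format-List
```

The socket connects directly, so on a server that reaches the Internet only through a proxy, stage 1 can fail even though a browser on the same machine succeeds. Run it under the same account as the SQL Server service where possible, since that account's network and certificate store view is the one the linked server uses.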