Common SQL Errors

sqlserver_rejected_establishment_of_sqlconnection: PostgreSQL error 8004 explained

August 4, 2025

The PostgreSQL driver could not open a connection because the remote SQL Server rejected it, usually due to TLS, authentication, or firewall rules.

What is sqlserver_rejected_establishment_of_sqlconnection error?

sqlserver_rejected_establishment_of_sqlconnection occurs when PostgreSQL’s TDS/FDW driver reaches SQL Server but the server immediately rejects the handshake. Check TLS version, SQL authentication, firewall rules, and max concurrent logins on the SQL Server to restore connectivity.

Error Highlights

Typical Error Message: sqlserver_rejected_establishment_of_sqlconnection
Error Type: Connection Error
Language: PostgreSQL
Symbol: sqlserver_rejected_establishment_of_sqlconnection
Error Code: 8004
SQL State:

Explanation

What is sqlserver_rejected_establishment_of_sqlconnection?

The error originates from PostgreSQL extensions such as tds_fdw or postgres_fdw talking to SQL Server via the Tabular Data Stream protocol. SQL Server receives the request but refuses to create a session, returning condition 08004.

The refusal generally means network reachability is fine, yet something in the handshake - credentials, encryption, or resource limits - violates SQL Server policy.

Immediate remediation is essential because nothing can query the target server until the rejection is cleared.

What Causes This Error?

SQL Server rejects logins when the supplied username or password is invalid or when the login is disabled. PostgreSQL then surfaces 08004.

Encryption mismatch is common. Newer SQL Servers require TLS 1.2, but older PostgreSQL FDW builds still start with TLS 1.0, triggering an instant refusal.

Firewall or network ACLs can accept the TCP three-way handshake yet issue a RST on TDS negotiation, appearing as a server-side rejection.

Max concurrent sessions on the SQL Server instance or specific login may be capped, causing additional connections to be refused.

How to Fix sqlserver_rejected_establishment_of_sqlconnection

First confirm basic reachability with telnet or psql. If the port responds, move on to authentication and encryption.

Update the tds_fdw/FreeTDS library to version 1.3 or later to negotiate TLS 1.2 automatically.

Reset or re-enable the SQL Server login and verify password correctness. Use SQL Server Management Studio (SSMS) to test interactive login.

If connection limits cause the error, raise MAX_LOGINS or kill orphaned sessions.
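The reachability check can go one stage further than telnet. This added example (not from the original page or from any driver) sends a TDS pre-login message and reports whether the attempt failed at TCP, was dropped during pre-login, or got a reply stating the server's encryption setting. The function names, and the choice to send only the VERSION and ENCRYPTION options, are assumptions of this example.

```python
import socket
import struct

ENCRYPTION = {0x00: "off", 0x01: "on", 0x02: "not supported", 0x03: "required"}


def build_prelogin(encrypt=0x01):
    """TDS PRELOGIN packet carrying only the VERSION and ENCRYPTION options."""
    version = bytes(6)                      # 6-byte client version field
    table_len = 2 * 5 + 1                   # two 5-byte option entries + 0xFF
    options = struct.pack(">BHH", 0x00, table_len, len(version))
    options += struct.pack(">BHH", 0x01, table_len + len(version), 1)
    payload = options + b"\xff" + version + bytes([encrypt])
    # Header: type 0x12 (pre-login), status 0x01 (end of message), total length
    return struct.pack(">BBHHBB", 0x12, 0x01, 8 + len(payload), 0, 1, 0) + payload


def parse_prelogin_reply(packet):
    """Return the server's ENCRYPTION setting from a pre-login reply."""
    if len(packet) < 8 or packet[0] != 0x04:
        raise ValueError("not a TDS pre-login reply")
    payload, pos = packet[8:], 0
    while pos + 5 <= len(payload) and payload[pos] != 0xFF:
        token, offset, length = struct.unpack_from(">BHH", payload, pos)
        if token == 0x01 and length == 1 and offset < len(payload):
            return ENCRYPTION.get(payload[offset], "unknown")
        pos += 5
    raise ValueError("reply has no ENCRYPTION option")


def probe(host, port=1433, timeout=5.0):
    """Classify how far a connection attempt gets before it is rejected."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return f"tcp failed: {exc}"                     # never reached the server
    with sock:
        try:
            sock.sendall(build_prelogin())
            reply = sock.recv(4096)
        except OSError as exc:
            return f"dropped during pre-login: {exc}"   # the firewall/DPI case
        if not reply:
            return "closed during pre-login"
        try:
            return f"pre-login ok, server encryption: {parse_prelogin_reply(reply)}"
        except ValueError as exc:
            return f"unexpected reply: {exc}"
```

A "dropped" or "closed during pre-login" result points at the network path, while a clean reply with "required" moves the investigation to the client's encryption settings and then to the login itself.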

Common Scenarios and Solutions

Cloud migration - Azure SQL by default enforces TLS 1.2. Upgrading FreeTDS and setting "encrypt=require" resolves the rejection.

Failed password rotations - CI/CD pipelines keep old secrets. Rotating secrets in Vault and restarting the application clears 08004.

Office network firewall - A deep packet inspection device blocks TDS pre-login packets. Adding an allow rule for port 1433 fixes it.

Best Practices to Avoid This Error

Automate certificate and password rotation and store them in a secret manager so that all services fetch fresh credentials at start-up.

Monitor SQL Server error log for event 17806 (SSPI handshake failed) and alert DevOps before PostgreSQL clients hit 08004.
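One way to implement this monitoring, as an added example that is not part of the original page: it scans SQL Server error log text for event 17806 and flags any client that reaches a threshold within a sliding window. The log lines are constructed samples in the ERRORLOG layout; the function names, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: each "Error: N" line is followed by the message line
# that carries the client address. Event 18456 is present to show it is ignored.
SAMPLE_LOG = """\
2025-08-04 10:15:01.12 Logon       Error: 17806, Severity: 20, State: 14.
2025-08-04 10:15:01.12 Logon       SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. [CLIENT: 10.0.0.21]
2025-08-04 10:16:12.03 Logon       Error: 17806, Severity: 20, State: 14.
2025-08-04 10:16:12.03 Logon       SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. [CLIENT: 10.0.0.21]
2025-08-04 10:16:40.50 Logon       Error: 18456, Severity: 14, State: 8.
2025-08-04 10:16:40.50 Logon       Login failed for user 'fdw_reader'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.35]
2025-08-04 10:18:47.90 Logon       Error: 17806, Severity: 20, State: 14.
2025-08-04 10:18:47.90 Logon       SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. [CLIENT: 10.0.0.21]
"""

ERROR_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ \S+\s+Error: (\d+),")
CLIENT_RE = re.compile(r"\[CLIENT: ([^\]]+)\]")


def sspi_failures(log_text, event_id=17806):
    """Yield (timestamp, client) for each occurrence of event_id."""
    pending = None                      # timestamp awaiting its message line
    for line in log_text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            pending = ts if int(m.group(2)) == event_id else None
            continue
        c = CLIENT_RE.search(line)
        if pending and c:
            yield pending, c.group(1)
            pending = None


def alerts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {client: total failures} for clients that hit threshold in window."""
    by_client = defaultdict(list)
    for ts, client in sspi_failures(log_text):
        by_client[client].append(ts)
    flagged = {}
    for client, stamps in by_client.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged[client] = len(stamps)
                break
    return flagged
```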

Use Galaxy collections to centralize connection strings. When credentials change, updating the endorsed query updates every downstream consumer instantly.

Related Errors and Solutions

08001 sqlserver_connection_does_not_exist - indicates network failure before handshake, fixed by checking host/port.

28000 invalid_authorization_specification - credentials wrong in PostgreSQL, fixed by altering user mapping.

57P01 admin_shutdown - server terminated active sessions, often during maintenance; retry after downtime window.

FAQs

Is the error on PostgreSQL or SQL Server?

The rejection originates from SQL Server. PostgreSQL only reports the 08004 condition.

Does upgrading FreeTDS always fix it?

Upgrading solves TLS mismatches but not authentication or firewall issues. Diagnose the root cause first.

Can I bypass encryption to connect?

Disabling encryption may work on dev boxes but violates security policy in production; always match the server’s TLS requirements instead.

How does Galaxy help?

Galaxy centralizes connection profiles and flags failed runs, so teams spot 08004 errors quickly and update credentials in one place.
