What causes DF-MSSQL-InvalidCertificate?

The SQL Server uses a self-signed certificate not issued by a trusted CA. The SSL certificate on the SQL Server has expired. The certificate's Common Name (CN) or Subject Alternative Name (SAN) doesn't match the server FQDN in the linked service. The linked service has 'Encrypt connection' enabled but 'Trust server certificate' is disabled — and the cert can't be validated

How do I fix DF-MSSQL-InvalidCertificate?

In ADF Studio, open the SQL linked service and check the 'Encrypt' and 'Trust server certificate' settings in the 'Advanced' section.. For development or internal SQL servers with self-signed certificates, enable 'Trust server certificate' in the linked service to bypass certificate validation.. For production servers, install a valid certificate from a trusted CA on the SQL Server (the cert CN must match the server FQDN used in the linked service).. Verify the certificate has not expired by checking the SQL Server certificate in Windows Certificate Manager on the server host.. After updating the certificate or linked service settings, click 'Test connection' to confirm the TLS handshake succeeds.

Medium severitydata source

Power BI Refresh Error:
DF-MSSQL-InvalidCertificate

What does this error mean?

The SSL/TLS certificate presented by the SQL Server is not trusted by ADF — either because the server uses a self-signed certificate, the certificate is expired, or the certificate's CN/SAN doesn't match the server hostname. ADF Mapping Data Flow connections use TLS encryption and validate the server certificate by default.

Common causes

1The SQL Server uses a self-signed certificate not issued by a trusted CA
2The SSL certificate on the SQL Server has expired
3The certificate's Common Name (CN) or Subject Alternative Name (SAN) doesn't match the server FQDN in the linked service
4The linked service has 'Encrypt connection' enabled but 'Trust server certificate' is disabled — and the cert can't be validated

How to fix it

1In ADF Studio, open the SQL linked service and check the 'Encrypt' and 'Trust server certificate' settings in the 'Advanced' section.
2For development or internal SQL servers with self-signed certificates, enable 'Trust server certificate' in the linked service to bypass certificate validation.
3For production servers, install a valid certificate from a trusted CA on the SQL Server (the cert CN must match the server FQDN used in the linked service).
4Verify the certificate has not expired by checking the SQL Server certificate in Windows Certificate Manager on the server host.
5After updating the certificate or linked service settings, click 'Test connection' to confirm the TLS handshake succeeds.

Frequently asked questions

Does this error affect all pipeline runs or just the current one?

Depends on the root cause. A persistent misconfiguration fails every run; a transient issue may resolve on retry. Check the run history.

Can this error appear in Azure Data Factory and Microsoft Fabric pipelines?

Yes — the same connector errors appear in both ADF and Fabric Data Factory pipelines.

How do I see the full error detail for an ADF pipeline failure?

In ADF Monitor, click the failed run, then the failed activity. The detail pane shows the error code, message, and sub-error codes.

Will downstream Power BI datasets be affected when an ADF pipeline fails?

Yes — a dataset refreshing after the pipeline will use stale data or fail if the target table was cleared. The Power BI refresh may succeed while serving wrong data.

Official documentation: https://learn.microsoft.com/en-us/azure/data-factory/data-flow-troubleshoot-guide