In reference to a previous blog from Il-Sung Lee called "How to enable channel encryption" (https://blogs.msdn.com/sql_protocols/archive/2005/10/04/476705.aspx), I have one more comment to add. There is a special case with a client forcing encryption when the SQL service is running as Network Service or as a non local-administrator account. Because the service account does not have sufficient access priviledges to read in the Windows certificate store, SQL server will automatically fallback to a self-generated certificate. This self-generated certificate is not appropiate for server authentication because it cannot be validated by a certificate authority. The result is that when the client is forcing encryption, the server cannot be authenticated by the client and the connection will fail. The problem can be worked around by granting read rights to the Network Service account on the cerificate store. The details on how to do this are explained in this article: http://support.microsoft.com/?kbid=900495.
Humberto Acevedo, SQL Server Protocols Test
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights