The PVS servers are configured to use an Always On availability group with MultiSubnetFailover enabled.
The Fully Qualified Domain Name of the SQL listener had been specified in the PVS Configuration Wizard, and certificates had been configured on each SQL node.
When the ForceEncryption option was then enabled on the SQL nodes in the availability group, the PVS servers could no longer connect to the PVS database.
An Application event was generated:
The certificates configured on the SQL nodes were created with Subject Alternative Name (SAN) entries that did not meet the requirements:
CN = Server.FQDN
SAN = Server_NetBIOS, Listener1_NetBIOS, Listener2_NetBIOS
Microsoft documentation details the requirement that in all scenarios FQDNs (Fully Qualified Domain Names) should be configured:
When connecting to an availability group listener, if the participating instances of SQL Server use TLS/SSL certificates in conjunction with session encryption, the connecting client driver needs to support the Subject Alternate Name in the TLS/SSL certificate in order to force encryption.
An X.509 certificate must be configured for each participating server node in the failover cluster with a list of all availability group listeners set in the Subject Alternate Name of the certificate.
The format for the certificate values is:
CN = Server.FQDN
SAN = Server.FQDN, Listener1.FQDN, Listener2.FQDN
Even where NetBIOS names are required in the customer environment, Microsoft documents the requirement that the FQDNs also be included in the SAN entries.
New certificates were created that meet the requirements set out in the Microsoft documentation for connecting to Always On availability groups with MultiSubnetFailover.
Specifically, the certificate applied to each SQL node was configured with:
CN = Server.FQDN
SAN = Server.FQDN, Listener1.FQDN, Listener2.FQDN
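The following PowerShell is an added example, not Citrix or Microsoft code: it checks a certificate's CN and SAN DNS names against the layout above and reports FQDNs that are missing or present only as NetBIOS names. The function names, host names and thumbprint placeholder are assumptions made for illustration.

```powershell
# Added example; every host name below is a constructed placeholder.
function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # 2.5.29.17 is the Subject Alternative Name extension.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    # Assumption: English-language Windows, where entries format as "DNS Name=<value>".
    [regex]::Matches($ext.Format($true), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-SqlCertNames {
    param(
        [string]$CommonName,
        [string[]]$SanDnsNames,
        [string]$ServerFqdn,
        [string[]]$ListenerFqdns
    )
    $problems = @()
    if ($CommonName -ne $ServerFqdn) {
        $problems += "CN '$CommonName' is not the server FQDN '$ServerFqdn'"
    }
    # The server FQDN and every listener FQDN must be in the SAN.
    foreach ($fqdn in (@($ServerFqdn) + $ListenerFqdns)) {
        if ($SanDnsNames -contains $fqdn) { continue }
        $short = $fqdn.Split('.')[0]
        if ($SanDnsNames -contains $short) {
            $problems += "SAN has only the NetBIOS name '$short'; add '$fqdn'"
        } else {
            $problems += "SAN is missing '$fqdn'"
        }
    }
    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems }
}

$listeners = 'pvs-lsn1.corp.example', 'pvs-lsn2.corp.example'
# Layout that failed: NetBIOS-only SAN entries.
Test-SqlCertNames -CommonName 'sql01.corp.example' -ServerFqdn 'sql01.corp.example' `
    -SanDnsNames 'sql01', 'pvs-lsn1', 'pvs-lsn2' -ListenerFqdns $listeners
# Corrected layout: FQDNs for the node and both listeners.
Test-SqlCertNames -CommonName 'sql01.corp.example' -ServerFqdn 'sql01.corp.example' `
    -SanDnsNames (@('sql01.corp.example') + $listeners) -ListenerFqdns $listeners

# Against a real node certificate (thumbprint is a placeholder):
# $c = Get-Item Cert:\LocalMachine\My\<THUMBPRINT>
# Test-SqlCertNames -CommonName $c.GetNameInfo('SimpleName', $false) `
#     -SanDnsNames (Get-SanDnsNames $c) -ServerFqdn 'sql01.corp.example' -ListenerFqdns $listeners
```

Running the check on every SQL node before ForceEncryption is enabled shows which certificates would fail name validation when clients connect through a listener.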
PVS servers fail to connect to the PVS database after enabling SQL server option ForceEncryption