We ran into a problem a few days ago while turning on encryption for SQL for a SQL cluster.
After turning on encryption for the server we had to restart the SQL service for the database engine. And it failed to start with some strange message. A reboot failed to help.
SO we started to figure out what was going on, because this is a standard procedure and can not be difficult.
We were getting several events in the application event log:
26014 : Unable to load user-specified certificate [Cert Hash(sha1) “xxxxxxxxxxxxxxxxxxxxxxxxx”]. The server will not accept a connection. You should verify that the certificate is correctly installed. See “Configuring Certificate for Use by SSL” in Books Online.
17182 : TDSSNIClient initialization failed with error 0x80092004, status code 0x80. Reason: Unable to initialize SSL support. Cannot find object or property.
17182 : TDSSNIClient initialization failed with error 0x80092004, status code 0x1. Reason: Initialization failed with an infrastructure error. Check for previous errors. Cannot find object or property.
17826 : Could not start the network library because of an internal error in the network library. To determine the cause, review the errors immediately preceding this one in the error log.
17120 : SQL Server could not spawn FRunCommunicationsManager thread. Check the SQL Server error log and the Windows event logs for information about possible related problems.
and in the System event log we saw the following, which pointed to the problem
7024 : The SQL Server (MSSQLSERVER) service terminated with the following service-specific error:
Cannot find object or property.
36870 : A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.
So this points to the SQL service not being able to find or read the certificate it is supposed to use. The initial messages seemed to point to a faulty certificate, but we checked it and it was OK. signed by trusted CA, valid, enough bits and so on.
After some searching online I found this post by somebody having something similar:
https://blogs.msdn.microsoft.com/john_daskalakis/2014/10/15/the-server-could-not-load-the-certificate-it-needs-to-initiate-an-ssl-connection-it-returned-the-following-error-0x8009030d-check-certificates-to-make-sure-they-are-valid/
In his case he checked what service account SQL was running under. Next first tried to add to Local Admins group. Which solved it. And next narrowed it down to the following 2 folders and 1 registry key and put Full Control access on them:
C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters
When I was trying this I narrowed it down a bit more in our case to Modify rights on the “C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys” folder for the service account running SQL database engine. When applying rights to that folder it already started complaining about the objects in the folder and trying to set rights there. Just continued.
After that the SQL service started again. Remember to turn on the SQL agent service as well after this.
Happy this was fixed!
Happy SQL-ing!
Bob Cornelissen