SQL SERVER – Errorlog The Server was Unable to Initialize Encryption Because of a Problem with a Security Library

One of my client was trying to start SQL Service and it was failing. I asked to hare ERRORLOG so that we will get some idea about the cause. Here is the information from ERRORLOG file.

2017-01-31 01:32:25.61 Server The server was unable to initialize encryption because of a problem with a security library. The security library may be missing. Verify that security.dll exists on the system.
2017-01-31 01:32:25.61 spid7s Server name is ‘BIGDBSERVER’. This is an informational message only. No user action is required.
2017-01-31 01:32:25.61 Server Error: 17182, Severity: 16, State: 1.
2017-01-31 01:32:25.61 Server TDSSNIClient initialization failed with error 0x139f, status code 0x80. Reason: Unable to initialize SSL support. The group or resource is not in the correct state to perform the requested operation.
2017-01-31 01:32:25.62 Server Could not start the network library because of an internal error in the network library. To determine the cause, review the errors immediately preceding this one in the error log.
2017-01-31 01:32:25.62 Server Error: 17120, Severity: 16, State: 1.
2017-01-31 01:32:25.62 Server SQL Server could not spawn FRunCM thread. Check the SQL Server error log and the Windows event logs for information about possible related problems.

I checked version of SQL Server in ERRORLOG and it was as below.

Microsoft SQL Server 2008 (SP4-OD) (KB3144113) – 10.0.6547.0 (X64)
Feb 22 2016 19:04:50
Copyright (c) 1988-2008 Microsoft Corporation
Enterprise Edition (64-bit) on Windows NT 6.1 (Build 7601: Service Pack 1) (VM)

When I searched for build 10.0.6547, I found below KB. https://support.microsoft.com/en-in/help/3135244/tls-1.2-support-for-microsoft-sql-server

That was a good hint and I checked TLS and SSL registry keys.

WORKAROUND/SOLUTION

I checked below key based on the article

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

There were no keys for TLS and it means that TLS was not enabled in the server. Either TLS1.0 or SSL3.0 needs to be enabled to start SQL services.

Windows Registry Editor Version 5.00

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] “Enabled”=dword:ffffffff
“DisabledByDefault”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] “Enabled”=dword:ffffffff
“DisabledByDefault”=dword:00000000

Once we created the keys, we could start SQL Services.

Have you encountered such issues of SQL startup due to TLS? What was the solution you found? Please share by comment to help others.

Reference: Pinal Dave (http://blog.SQLAuthority.com)