One of my clients was trying to start the SQL Service and it was failing. I asked them to share the ERRORLOG so that we would get some idea about the cause. Here is the information from the ERRORLOG file.
2017-01-31 01:32:25.61 Server The server was unable to initialize encryption because of a problem with a security library. The security library may be missing. Verify that security.dll exists on the system.
2017-01-31 01:32:25.61 spid7s Server name is ‘BIGDBSERVER’. This is an informational message only. No user action is required.
2017-01-31 01:32:25.61 Server Error: 17182, Severity: 16, State: 1.
2017-01-31 01:32:25.61 Server TDSSNIClient initialization failed with error 0x139f, status code 0x80. Reason: Unable to initialize SSL support. The group or resource is not in the correct state to perform the requested operation.
2017-01-31 01:32:25.62 Server Could not start the network library because of an internal error in the network library. To determine the cause, review the errors immediately preceding this one in the error log.
2017-01-31 01:32:25.62 Server Error: 17120, Severity: 16, State: 1.
2017-01-31 01:32:25.62 Server SQL Server could not spawn FRunCM thread. Check the SQL Server error log and the Windows event logs for information about possible related problems.
I checked the version of SQL Server in the ERRORLOG and it was as below.
Microsoft SQL Server 2008 (SP4-OD) (KB3144113) – 10.0.6547.0 (X64)
Feb 22 2016 19:04:50
Copyright (c) 1988-2008 Microsoft Corporation
Enterprise Edition (64-bit) on Windows NT 6.1 (Build 7601: Service Pack 1) (VM)
When I searched for build 10.0.6547, I found the below KB. https://support.microsoft.com/en-in/help/3135244/tls-1.2-support-for-microsoft-sql-server
That was a good hint and I checked TLS and SSL registry keys.
WORKAROUND/SOLUTION
I checked the below key based on the article:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
There were no keys for TLS and it means that TLS was not enabled on the server. Either TLS1.0 or SSL3.0 needs to be enabled to start SQL services.
Windows Registry Editor Version 5.00

; Enable TLS 1.0 for both the Client and the Server role
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
Once we created the keys, we could start SQL Services.
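An added example, not code from the original post: a Python triage helper that correlates the ERRORLOG signature shown above (error 17182 with "Unable to initialize SSL support") with an exported SCHANNEL\Protocols .reg file. The sample inputs are constructed, and the names `parse_schannel`, `server_enabled` and `triage` are assumptions of this example.

```python
import re

# Constructed sample inputs, modelled on the ERRORLOG lines and .reg file in this post.
ERRORLOG = """\
2017-01-31 01:32:25.61 Server Error: 17182, Severity: 16, State: 1.
2017-01-31 01:32:25.61 Server TDSSNIClient initialization failed with error 0x139f, status code 0x80. Reason: Unable to initialize SSL support.
"""
BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
REG_BEFORE_FIX = "Windows Registry Editor Version 5.00\n"  # no protocol subkeys
REG_AFTER_FIX = f"""Windows Registry Editor Version 5.00

[{BASE}\\TLS 1.0\\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
"""

KEY_RE = re.compile(r"^\[.*\\SCHANNEL\\Protocols\\([^\\\]]+)\\(Client|Server)\]$", re.I)
VAL_RE = re.compile(r'^"(Enabled|DisabledByDefault)"=dword:([0-9a-fA-F]{8})$')

def parse_schannel(reg_text):
    """Return {(protocol, role): {value_name: int}} from a .reg export."""
    state, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            current = state.setdefault((key.group(1), key.group(2).capitalize()), {})
        elif line.startswith("["):
            current = None  # unrelated key: ignore the values under it
        elif current is not None and (val := VAL_RE.match(line)):
            current[val.group(1)] = int(val.group(2), 16)
    return state

def server_enabled(state, protocol):
    """True only when the Server subkey exists and sets Enabled to non-zero."""
    return state.get((protocol, "Server"), {}).get("Enabled", 0) != 0

def triage(errorlog, reg_text):
    """Correlate the SSL-initialization startup failure with the SCHANNEL export."""
    state = parse_schannel(reg_text)
    legacy_on = [p for p in ("TLS 1.0", "SSL 3.0") if server_enabled(state, p)]
    ssl_init_failed = "Error: 17182" in errorlog and "Unable to initialize SSL support" in errorlog
    no_legacy = "startup failure: no TLS 1.0 / SSL 3.0 Server key is enabled"
    findings = [no_legacy] if ssl_init_failed and not legacy_on else []
    if legacy_on:
        findings.append(f"{', '.join(legacy_on)} enabled: apply the TLS 1.2 update, then disable")
    return findings

if __name__ == "__main__":
    print(triage(ERRORLOG, REG_BEFORE_FIX), triage(ERRORLOG, REG_AFTER_FIX), sep="\n")
```

To use it on a real server, export the Protocols key with regedit and pass the file contents in place of the samples; regedit writes version 5.00 exports as UTF-16, so decode the file accordingly.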
Have you encountered such issues of SQL startup due to TLS? What was the solution you found? Please share by comment to help others.
Reference: Pinal Dave (http://blog.SQLAuthority.com)
14 Comments
Yes. I got this TLS issue and I applied a patch which resolved my issue. The Windows team had disabled the older TLS without informing us and due to that the service was not starting.
Reference
https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server
Perfect. Thanks for sharing.
I had the same issue and I updated SQL Server 2012 to SP2 and it works fine on TLS1.1 and TLS1.2
I have the same issue after enabling TLS 1.2 & SSL 2.0 and disabling TLS 1.0, TLS 1.1 & SSL 3.0.
I have downloaded an update to enable TLS 1.2 support for SQL Server 2008 R2 SP3.
Please find more information from below link:
https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server
Mine was on a SQL 2012 install. Our server teams now provision new servers with only TLS 1.2 turned on. SQL 2012 RTM doesn’t support 1.2. The DB engine service install apparently worked but it couldn’t be started until I made the necessary registry change to support TLS 1.0. Now the service started but I couldn’t log in. The SQL errorlog was complaining about SPNs. So I uninstalled/reinstalled the DB engine and that finally worked.
Of course now I’ll have to apply the SQL patches and disallow TLS 1.0 connections or get flagged by a security audit!
Thanks for the solution, it really helped fix the issues that a particular OEM is still struggling to resolve after 3 days
worked…
Thank you. Solution worked. But the solution reverted the changes I had to make to get an A+ ranking for SSL.
Thanks a lot. It worked well
Thanks a lot Pinal. You saved my life.
Thanks a lot, It worked for me.
Perfect. It worked for me. Thank you for sharing!
Thx a lot. Worked fine for me and now we are on the run to update our SQL-Server Version :)
Thank you very much! It worked well!