  1. #1
    Join Date
    Dec 2009
    Location
    Nashville, TN
    Posts
    1

    Unanswered: 2008 R2 SQL startup error resolution

    Recently, we could not get our SQL Server 2008 R2 cluster to fail over to the passive node generating the following error:

    Server,Unknown,The server was unable to initialize encryption because of a problem with a security library. The security library may be missing. Verify that security.dll exists on the system.
    Server,Unknown,TDSSNIClient initialization failed with error 0x139f, status code 0x80. Reason: Unable to initialize SSL support. The group or resource is not in the correct state to perform the requested operation.

    We worked through the problem with the Microsoft engineer so I thought I would post the resolution here:


    The most common cause for such an error – and its results – is actually in group policy with the SSL cipher suite order. So first, check to see if that is enabled or disabled on the node that SQL starts up fine on. I’d expect it to be disabled.

    1. At a command prompt, enter gpedit.msc. The Group Policy Object Editor appears.
    2. Expand Computer Configuration > Administrative Templates > Network, and then click SSL Configuration Settings.
    3. Under SSL Configuration Settings, click the SSL Cipher Suite Order setting.
    4. Right click on SSL Cipher Suite Order and select edit. Check to see if it is enabled or disabled.

    If it is disabled on the node on which SQL starts up fine, disable it on the node where SQL won’t start. It does require a reboot to apply.
    =======================
    To disable the SSL Cipher Suite Order group policy setting, please follow the steps below:
    1. At a command prompt, enter gpedit.msc. The Group Policy Object Editor appears.
    2. Expand Computer Configuration > Administrative Templates > Network, and then click SSL Configuration Settings.
    3. Under SSL Configuration Settings, click the SSL Cipher Suite Order setting.
    4. Right-click on SSL Cipher Suite Order and select Edit. Then click on Disabled and click OK.
    5. Reboot the server

    =======================
    If it is not disabled on the node on which SQL starts up fine, or if it is already disabled on the node on which SQL will not start, then we’ll have to start looking at more unusual causes.

    This was not our problem and we had to keep looking:

    Verify that the following is the same on both nodes:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002\

    It should have in there some values like:

    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA

    Ours had inconsistent entries (extra comma) that had to be synchronized as follows:
    1. At a command prompt, enter gpedit.msc. The Group Policy Object Editor appears.
    2. Expand Computer Configuration > Administrative Templates > Network, and then click SSL Configuration Settings.
    3. Under SSL Configuration Settings, click the SSL Cipher Suite Order setting.
    4. Take out the extra comma
    5. Click Apply
    6. Click OK
    7. Reboot the node
    8. Go to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002\
    9. Check that it now does not have the extra comma

    Removing the extra comma resolved our problem.
    Last edited by cbintn; 08-26-13 at 15:27. Reason: add tag
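
The node-to-node comparison described in the post above can be scripted; this is an added example, not part of the original post or Microsoft's guidance. It assumes PowerShell remoting is enabled, that the policy stores its comma-separated list in the `Functions` value under the key named in the post, and the node names are placeholders.

```powershell
# Added example: check the SSL Cipher Suite Order policy value on both cluster nodes.
$Nodes   = 'SQLNODE1', 'SQLNODE2'   # placeholder node names (assumption)
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Test-CipherSuiteList {
    param([string]$Raw)
    # Split on commas and report every entry that is not a clean suite name.
    $problems = @()
    $entries  = @($Raw -split ',')
    for ($i = 0; $i -lt $entries.Count; $i++) {
        $e = $entries[$i]
        if ($e -eq '') {
            $problems += "empty entry at position $i (extra comma)"
        } elseif ($e -ne $e.Trim()) {
            $problems += "whitespace around '$e' at position $i"
        } elseif ($e -notmatch '^[A-Za-z0-9_]+$') {
            $problems += "unexpected characters in '$e' at position $i"
        }
    }
    return ,$problems
}

# Constructed sample with a doubled comma, to show what the check reports.
Test-CipherSuiteList -Raw 'TLS_RSA_WITH_3DES_EDE_CBC_SHA,,TLS_RSA_WITH_AES_128_CBC_SHA'

# Read the policy value from each node; a missing value means the policy is not enabled there.
$results = foreach ($node in $Nodes) {
    $raw = Invoke-Command -ComputerName $node -ArgumentList $KeyPath -ScriptBlock {
        param($p)
        (Get-ItemProperty -Path $p -Name Functions -ErrorAction SilentlyContinue).Functions
    }
    $state    = 'enabled'
    $problems = @()
    if ($null -eq $raw) { $state = 'not configured or disabled' }
    else                { $problems = Test-CipherSuiteList -Raw $raw }
    New-Object PSObject -Property @{ Node = $node; State = $state; Raw = $raw; Problems = $problems }
}

foreach ($r in $results) {
    "{0}: policy {1}" -f $r.Node, $r.State
    "  value: {0}" -f $r.Raw
    $r.Problems | ForEach-Object { "  PROBLEM: $_" }
}
if ($results[0].Raw -ne $results[1].Raw) {
    'MISMATCH: the Functions value differs between the two nodes'
}
```

A reported mismatch or empty entry points at the node whose SSL Cipher Suite Order setting needs to be corrected in gpedit.msc and then rebooted, as in the steps above.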

  2. #2
    Join Date
    Feb 2004
    Location
    In front of the computer
    Posts
    15,579
    Provided Answers: 54
    Wow! That's a great (if somewhat obscure) find and also great documentation. Thanks!

    -PatP
    In theory, theory and practice are identical. In practice, theory and practice are unrelated.

  3. #3
    Join Date
    Sep 2014
    Posts
    1

    Congratulations!

    Your post saved my life! It resolved my problem! Thank you so much! Congratulations!
