The Force protocol encryption option has been checked in the Server Network Utility for this SQL Server instance. This forces communication between all clients and this SQL Server instance to be encrypted through certificates. Therefore, if a certificate is not installed on the computer that is running SQL Server, or if SQL Server cannot validate that the certificate is appropriate for use with SSL-based encryption, SQL Server fails to start.
For a nonclustered instance of SQL Server, you can choose to turn off the Force protocol encryption option. This option is available in the Server Network Utility as a check box. Turning this option off means that connections will no longer be encrypted. However, turning this option off is not possible for a clustered instance of SQL Server because once you have enabled server-side protocol encryption, you cannot turn it off.
If you choose to use the Force protocol encryption option, you must ensure that the SQL Server instance has an available, properly configured certificate.
By default, SQL Server will look for a certificate issued to the fully qualified domain name of the server or virtual server on which the instance is installed. On a cluster, the certificate must exist on all nodes of the cluster. The registry key HKLM\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib (or the equivalent for a named instance) can be used to point to a certificate with a different name. The name of the key should be "Certificate" and it must be of type REG_BINARY. The setcert.exe utiltiy from the SQL Server 2000 Resource Kit can be used to set this value.
The certificate must exist in the Certificates\Current User Personal Certificates folder or the Certificates\Local Computer Personal Certificates folder. The SQL Server service account must have permission to access the certificate.
Verify that the certificate was originally issued for "server authentication" as this is the only type of certificate that SQL Server can use. To verify that the certificate is used for server authentication, use the Microsoft Management Console (MMC) Certificate snap-in. Double-click the certificate name, and then select Details. Click the Enhanced Key Usage property, and then verify that the value is: Server Authentication(1.3.6.1.5.5.7.3.1). There must also be a valid private key listed in the certificate properties.
Check the event logs for messages that indicate the certificate has expired or is otherwise unusable or inaccessible.
Verify that the account used to start the SQL Server service has access to the Certificate server so that it can validate the certificate.
Verify that the server date and time are set correctly to avoid problems with certificates that appear to be expired.
For more information about the Force protocol encryption option on a clustered instance, see Microsoft Knowledge Base article 319349.
For more information about how SQL Server uses a certificate when the Force protocol encryption option is on, see Microsoft Knowledge Base article 318605.
| Target | Microsoft.SQLServer.2000.DBEngine | ||
| Category | EventCollection | ||
| Enabled | True | ||
| Event Source | $Target/Property[Type="SQL!Microsoft.SQLServer.DBEngine"]/ServiceName$ | ||
| Alert Generate | True | ||
| Alert Severity | Warning | ||
| Alert Priority | Normal | ||
| Remotable | True | ||
| Alert Message |
| ||
| Event Log | Application | ||
| Comment | Mom2005ID='{8B95F207-9E4D-4F29-A579-FEC28DAC26EF}' |
| ID | Module Type | TypeId | RunAs |
|---|---|---|---|
| EventDS | DataSource | Microsoft.Windows.EventProvider | Default |
| GenerateAlert | WriteAction | System.Health.GenerateAlert | Default |
Home<Rule ID="Microsoft.SQLServer.2000.Encryption_requested_but_no_valid_certificate_was_found__SQL_Server_terminating" Target="SQL2000Core!Microsoft.SQLServer.2000.DBEngine" Enabled="true" Comment="Mom2005ID='{8B95F207-9E4D-4F29-A579-FEC28DAC26EF}'" Remotable="true">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="EventDS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>Application</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>$Target/Property[Type="SQL!Microsoft.SQLServer.DBEngine"]/ServiceName$</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>MatchesMOM2005RegularExpression</Operator>
<Pattern>^(17052|17055)$</Pattern>
</RegExExpression>
</Expression>
<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery>EventDescription</XPathQuery>
</ValueExpression>
<Operator>MatchesMOM2005BooleanRegularExpression</Operator>
<Pattern>(^.*19015 and (not ^.*\n.*19015)) or (^.*19015.*\n.*19015)</Pattern>
</RegExExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>1</Severity>
<AlertOwner>$Data/PublisherName$</AlertOwner>
<AlertMessageId>$MPElement[Name="Microsoft.SQLServer.2000.Encryption_requested_but_no_valid_certificate_was_found__SQL_Server_terminating.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventDescription$</AlertParameter1>
</AlertParameters>
<Suppression>
<SuppressionValue/>
</Suppression>
</WriteAction>
</WriteActions>
</Rule>