Wednesday, January 12, 2011

A fatal error accessing the private key prevents SQL Server from starting

Certificate-related failures to start SQL Server can have many causes. This post describes one such case. It is relatively rare, and its root cause is hidden relatively deep.

Symptoms when SQL Server cannot start
When SQL Server does not start, you generally need to check the SQL error log and the Windows event log to diagnose the issue. Sometimes you will see the following errors in the SQL error log.
2010-06-28 17:40:47.72 server Encryption requested but no valid certificate was found. SQL Server terminating.
2010-06-28 17:40:47.72 server Error: 17826, Severity: 18, State: 1
2010-06-28 17:40:47.72 server Could not set up Net-Library 'SSNETLIB' ..
2010-06-28 17:40:47.72 server Unable to load any netlibs.
2010-06-28 17:40:47.72 server SQL Server could not spawn FRunCM thread.

More importantly, you will see the following error in the Windows Security log.

A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x80090022.

Problems of this kind are generally caused by an invalid certificate, or by SQL Server being unable to access the specified certificate.

Cause of the problem

From the error messages above, the direct cause is clear: SQL Server detects the certificate at startup but cannot access the certificate's private key. Our first reaction was therefore to check whether the certificate contains a private key and whether the SQL Server startup account has full permission to access the certificate. For most private key access problems this check is effective. Unfortunately, it does not solve the problem discussed here.
The key is the error code 0x80090022, which means "Provider could not perform the action since the context was acquired as silent". How should this be understood? SQL Server cannot access the certificate's private key because, in silent mode, it cannot supply the private key's password.
With that, the problem is easy to understand. The SQL Server database engine accesses the certificate internally, with no interface through which a user could enter anything. This is what is meant by silent mode.
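
The triage described above, as an added example that is not part of the original post: it checks the SQL error log for the certificate failure, extracts the cryptographic module's error code from the Windows event text, and separates 0x80090022 from other private key errors. The sample log text is constructed from the lines quoted above, and the function names and result labels are assumptions.

```python
import re

# Constructed sample input, built from the log lines quoted in this post.
SQL_ERRORLOG = """\
2010-06-28 17:40:47.72 server Encryption requested but no valid certificate was found. SQL Server terminating.
2010-06-28 17:40:47.72 server Error: 17826, Severity: 18, State: 1
2010-06-28 17:40:47.72 server Unable to load any netlibs.
"""
EVENT_TEXT = """A fatal error occurred when attempting to access the SSL server
credential private key. The error code returned from the cryptographic module
is 0x80090022."""

SILENT_CONTEXT = 0x80090022  # "context was acquired as silent" (NTE_SILENT_CONTEXT)
CERT_FAILURE = "Encryption requested but no valid certificate was found"
CODE_RE = re.compile(
    r"error code returned from the cryptographic module is (0x[0-9A-Fa-f]{8})")


def crypto_error_code(event_text):
    """Return the cryptographic module's error code as an int, or None."""
    flat = " ".join(event_text.split())  # event text may be line-wrapped
    match = CODE_RE.search(flat)
    return int(match.group(1), 16) if match else None


def triage(errorlog, event_text):
    """Classify a failed start (hypothetical result labels)."""
    if CERT_FAILURE not in errorlog:
        return "not-certificate-related"
    code = crypto_error_code(event_text)
    if code is None:
        return "certificate-failure-without-key-error"
    if code == SILENT_CONTEXT:
        # The permission check does not help here: the key needs input
        # that a service without any user interface cannot provide.
        return "private-key-needs-interaction"
    # The usual case: check that the private key exists and that the
    # SQL Server startup account can access it.
    return "check-key-and-account-permissions"


if __name__ == "__main__":
    print(triage(SQL_ERRORLOG, EVENT_TEXT))
```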

Read more: Microsoft Asia-Pacific database technical support group official blog (Original), (Translated)