SYMPTOMS
If the Certificate Server is installed on a Microsoft
Windows 2000 computer and the Certificate Authority (CA) name is the same as or
starts with the machine host name, an attempt to connect to SQL Server 2000
fails.
The following error message appears when you try to connect
from SQL Server Query Analyzer:
Unable to connect to
server. Server msg 18, level 16, state 1. [Microsoft] [ODBC SQL Server Driver}
[Shared Memory] SSL security error
The following error message
appears when you try to connect from SQL Enterprise Manager:
Unable to connect to server. Reason: SSL security error.
ConnectionOpen (SECDoClientHandShake())...
The SQLServerAgent
service also fails with the following error message:
Could not start SQLserverAgent Service on local computer. The service did not
return an error. This could be an internal Windows error or an internal service
error. If this error persists, contact your system administrator.
Due to the same connectivity errors indicated previously, an attempt to install
Microsoft SQL Server 2000 may also fail.
If you attempt the Microsoft
SQL Server installation on a computer on which the Certificate Server and the
Certificate Authority(CA) name is the same name as or starts with the machine
host name, the SQL Server installation on that computer may fail at the
configuration stage. During the configuration stage of the installation
process, the setup program makes a connection to SQL Server.
This
problem applies to any edition of Microsoft SQL Server, including the Microsoft
Desktop Engine (MSDE) installation.
The Microsoft SQL Server
installation may fail with the following error message:
Setup failed to configure the server. Refer to the server error logs and
C:\WINNT\sqlstp.log for more information.
If the error message
occurs, SQL Server writes the following information in the Cnfgsvr.out file
located in the SQL Server
Install subfolder:
###############################################################################
Starting Service ...
SQL_Latin1_General_CP1_CI_AS
-m -Q -T4022 -T3659
Connecting to Server ...
driver={sql server};server=Instance_Name;UID=<username>;PWD=<strong password>;database=master
[Microsoft][ODBC SQL Server Driver][Shared Memory]SSL Security error
[Microsoft][ODBC SQL Server Driver][Shared Memory]ConnectionOpen (SECDoClientHandshake()).
driver={sql server};server=ORLANDO;UID=<username>;PWD=<strong password>;database=master
[Microsoft][ODBC SQL Server Driver][Shared Memory]SSL Security error
[Microsoft][ODBC SQL Server Driver][Shared Memory]ConnectionOpen (SECDoClientHandshake()).
driver={sql server};server=ORLANDO;UID=<username>;PWD=<strong password>;database=master
[Microsoft][ODBC SQL Server Driver][Shared Memory]SSL Security error
[Microsoft][ODBC SQL Server Driver][Shared Memory]ConnectionOpen (SECDoClientHandshake()).
SQL Server configuration failed.
###############################################################################
By default, the Microsoft SQL Server Desktop Engine setup
does not generate a Cnfgsvr.out file. The setup program may fail to configure
SQL Server and the following error message may appear:
Setup failed to configure the server. Refer to the server error logs and setup
error logs for more information.
However, note that a configuration
failure can occur due to reasons other than the one described in this article.
RESOLUTION
To resolve this problem, obtain the latest
service pack for SQL Server 2000. For additional information, click the
following article number to view the article in the Microsoft Knowledge Base:
290211 INF: How to Obtain the Latest SQL Server 2000 Service Pack
- If you have not installed Certificate Server, do not use
the host name as the Certificate Authority (CA) name for the stand-alone
Certificate Server.
- If you have already installed the Certificate Server and
used the host name as part of the CA key, use the Certutil.exe utility to
remove the Certificate Authority (CA) keys that contain the host name. To
remove the keys that contain the host name, follow these steps:
- At a command prompt type the following command to list all
the current and previously installed Certificate Authority (CA) keys:
- t a command prompt type the following command to remove the
Certificate Authority (CA) key that contains the host name:
certutil -delkey "CA_name"
- Restart the Microsoft Windows 2000 server.
NOTE: After you delete the Certificate Authority (CA) keys, all the
certificates issued by the Certificate Authority (CA) no longer work. That is
because the CA is the root of the public key infrastructure (PKI) and its
private key is used to digitally sign all issued certificates. And, you will
also lose the use of all Web, e-mail, and software certificates.