
2008 R2 SQL startup error resolution

Recently, we could not get our SQL Server 2008 R2 cluster to fail over to the passive node generating the following error:

Server,Unknown,The server was unable to initialize encryption because of a problem with a security library. The security library may be missing. Verify that security.dll exists on the system.
Server,Unknown,TDSSNIClient initialization failed with error 0x139f, status code 0x80. Reason: Unable to initialize SSL support. The group or resource is not in the correct state to perform the requested operation.

We worked through the problem with the Microsoft engineer so I thought I would post the resolution here:


The most common cause for such an error, and its results, is actually in Group Policy with the SSL cipher suite order. So first, check to see if that is enabled or disabled on the node that SQL starts up fine on. I’d expect it to be disabled.

1. At a command prompt, enter gpedit.msc. The Group Policy Object Editor appears.
2. Expand Computer Configuration > Administrative Templates > Network, and then click SSL Configuration Settings.
3. Under SSL Configuration Settings, click the SSL Cipher Suite Order setting.
4. Right click on SSL Cipher Suite Order and select edit. Check to see if it is enabled or disabled.

If it is disabled on the node on which SQL starts up fine, disable it on the node where SQL won’t start. It does require a reboot to apply.
=======================
To disable the SSL Cipher Suite Order group policy setting, follow the steps below:
1. At a command prompt, enter gpedit.msc. The Group Policy Object Editor appears.
2. Expand Computer Configuration > Administrative Templates > Network, and then click SSL Configuration Settings.
3. Under SSL Configuration Settings, click the SSL Cipher Suite Order setting.
4. Right click on SSL Cipher Suite Order and select edit. Then click on Disabled and click OK
5. Reboot the server

=======================
If it is not disabled on the node on which SQL starts up fine, or if it is already disabled on the node on which SQL will not start, then we’ll have to start looking at more unusual causes.

This was not our problem, and we had to keep looking:

Verify that the following is the same on both nodes:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002\

It should have in there some values like:

TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA

Ours had inconsistent entries (extra comma) that had to be synchronized as follows:
1. At a command prompt, enter gpedit.msc. The Group Policy Object Editor appears.
2. Expand Computer Configuration > Administrative Templates > Network, and then click SSL Configuration Settings.
3. Under SSL Configuration Settings, click the SSL Cipher Suite Order setting.
4. Take out the extra comma
5. Click Apply
6. Click OK
7. Reboot the node
8. Go to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002\
9. Check that it now does not have the extra comma

Removing the extra comma resolved our problem.
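
Added example, not part of the original post: a PowerShell check for the malformed cipher suite list described above, so both nodes can be validated and compared without reading the string by eye. It assumes the policy list is stored as a comma-separated string in a value named Functions under the key quoted in the post; the function names and the sample node strings are constructed for illustration.

```powershell
# Key quoted in the post; the value name "Functions" is an assumption of this example.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-CipherSuitePolicy {
    # Raw policy string on the local node, or $null when the policy is not configured.
    $item = Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue
    if ($item) { $item.Functions } else { $null }
}

function Test-CipherSuiteString {
    # Returns an array of problems found in a comma-separated cipher suite list.
    param([string]$Value)
    $problems = @()
    if ([string]::IsNullOrEmpty($Value)) { return ,$problems }  # policy not set: nothing to check
    $entries = @($Value -split ',')
    for ($i = 0; $i -lt $entries.Count; $i++) {
        $trimmed = $entries[$i].Trim()
        if ($trimmed -eq '') {
            $problems += "empty entry at position $($i + 1) (extra comma)"
        } elseif ($trimmed -cne $entries[$i]) {
            $problems += "whitespace around '$trimmed'"
        }
    }
    # @() keeps the loop from running once on $null under PowerShell 2.0.
    $dupes = @($entries | ForEach-Object { $_.Trim() } | Where-Object { $_ } |
        Group-Object | Where-Object { $_.Count -gt 1 })
    foreach ($d in $dupes) { $problems += "duplicate entry '$($d.Name)'" }
    return ,$problems
}

# Constructed sample strings (not taken from the post's servers); NodeB has a doubled comma.
$samples = @{
    NodeA = 'TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA'
    NodeB = 'TLS_RSA_WITH_3DES_EDE_CBC_SHA,,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA'
}
foreach ($name in ($samples.Keys | Sort-Object)) {
    $found = Test-CipherSuiteString $samples[$name]
    if ($found.Count -eq 0) {
        "${name}: no problems found"
    } else {
        $found | ForEach-Object { "${name}: $_" }
    }
}
if ($samples.NodeA -cne $samples.NodeB) { 'Policy strings differ between nodes' }

# On a real node: Test-CipherSuiteString (Get-CipherSuitePolicy)
```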
