Ssl – SQL Server 2014 setup fails: SSL Provider, error: 0 – The token supplied to the function is invalid

sql serversql-server-2014ssl

I am attempting to install SQL Server 2014 Standard edition on a new Windows Server 2016 set up as a domain controller that replaces a retired DC. (I know it's not recommended, but we are a small operation and have combined Windows Server domain controllers and SQL Server without problem for years. Performance has been fine on our small LAN.) All prerequisite checks pass except for the warning about installing on a DC. Service accounts are set to domain user accounts with sufficient privileges. SQL Server Setup gets near the end and throws this error as shown in the Summary Setup Log:

Feature: Database Engine Services

Status: Failed: see logs for details

Reason for failure: An error occurred during the setup process of the feature.

Next Step: Use the following information to resolve the error, uninstall this feature, and then run the setup process again.

Component name: SQL Server Database Engine Services Instance Features

Component error code: 0x84BB0001

Error description: A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 0 – The token supplied to the function is invalid)

The error help link displayed after this just takes me to a main Microsoft page, not any help text.

Our existing DC runs Windows Server 2008 R2 and SQL Server 2005 Standard. We have no connections to the SQL Server outside our LAN and are not running IIS or any web services on the servers. I am not sure where to start diagnosing and correcting this setup error. For example, do we need to install a certificate on our DCs? Can it be a self-signed certificate, since we are making connections to SQL Server only on our LAN? Can we use something like OpenSSL?

Best Answer

Thanks. I took the advice to enable TLS 1.0 and 1.1 among others on our DCs along with some weaker ciphers. That did not correct the problem. I finally succeeded in installing SQL Server 2014 leaving the default service accounts in place. Then I fiddled later with attempting to change them to domain accounts. For the SQL Server service itself, I had to leave it with the default virtual account "NT Service\MSSQL$" in order to connect to the server in SSMS. While searching I learned about "Managed Service Accounts" as an alternative. Since we are at functional level Windows Server 2008 R2, I set up a managed service account for SQL Server according to guidelines in https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd560633%28v%3dws.10%29 and related articles like https://www.mssqltips.com/sqlservertip/5334/using-managed-service-accounts-with-sql-server/. All other services (Agent, Integration, Analysis, etc.) run OK using a regular domain user account, but the SQL Server service uses the managed service account. More testing is required, but for now this answers my initial post above about SQL Server setup failing.

Related Solutions

Sql-server – SQL Server to SQL Server linked server setup

From My understanding of this issue it's a "HOP" issue.

i.e. you are trying to use server A to relay your login details (with SSPI) to Server B.

In SQL Server 2005 they have added a whole load of security issues that make this harder than it should be. The words "Kerberos Authentication" will become the bain of most sys-admins/DBA's lives. It effectively is used for pass-through authentication.

Here are the basics of what you need. 1) The servers (A and B) need to be set-up in Active Directory(AD) with delegation for Kerberos enabled. (this is set through your active directory admin panel)

2) The service account that your SQL Servers run under need to have delegation enabled also (this is also set through your active directory admin panel). - if they are not running under a service account, you need to create one.

3) The Servers need to have SPN's defined for the instance and the HOST and the machine name. (Using a tool called SetSPN in the windows support tools)

Support Tools (SetSPN is in this set) http://www.microsoft.com/downloads/details.aspx?FamilyID=96a35011-fd83-419d-939b-9a772ea2df90&DisplayLang=en

(Overview of how to add an SPN) http://technet.microsoft.com/en-us/library/bb735885.aspx

4) You may need to set your DB to "trustworthy"

ALTER DATABASE SET trustworthy on

5) After you have all of this done restart your instances.

6) Then try create your linked server again.

Finally you can test your connection to SQL Server. This should work fine if you have it all configured correctly.

SELECT *
FROM OPENDATASOURCE('SQLNCLI',
    'Data Source=ServerB;Integrated Security=SSPI;'
    ).MASTER.dbo.syscolumns

This will tell you your connection authentication type.

select auth_scheme from sys.dm_exec_connections where session_id=@@SPID

You want to get 'KERBEROS' here and not 'NTLM'.

It's a slippy slope, KERBEROS and Pass-through delegation, stick with it and you will eventually figure it out.

References Kerberos http://blogs.msdn.com/sql_protocols/archive/2005/10/12/479871.aspx

http://blogs.msdn.com/sql_protocols/archive/2006/12/02/understanding-kerberos-and-ntlm-authentication-in-sql-server-connections.aspx

http://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/the-biggest-mistake-serviceprincipalname-s.aspx

Other manifestations of the problem http://www.sqlservercentral.com/Forums/Topic460425-359-1.aspx

http://msdn2.microsoft.com/en-us/library/aa905162(sql.80).aspx

http://msdn2.microsoft.com/en-us/library/ms189580.aspx

I hope this all helps.

Sql-server – Recommended service account setup for MS SQL Server 2005/2008

I generally create a single domain service account and use that for all of the services on all of the servers. My suggestion would be to do one of two things:

Create a single domain service account that is used for all services on all servers.
Create a domain service account for all of the services on each server, so you'll have a separate service account for each server instead of four service accounts for each server.

Best Answer

Related Solutions

Sql-server – SQL Server to SQL Server linked server setup

Sql-server – Recommended service account setup for MS SQL Server 2005/2008

Related Topic