Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

SQL Server fails to start with error 17182 "TDSSNIClient initialization failed with error 0xd, status code 0x38" when server is configured to use SSL


Symptoms

Consider the following scenario:

  • You have an instance of  SQL Server 2005  or a later version that is hosted on a system that is running either Windows Server 2008 or a later version of the operating system.
  • You have configured SSL encryption for your SQL Server by manually entering the Thumbprint of a certificate (For example, using the instructions in the blog post: Enabling Certificate for SSL on a SQL Server 2005 Clustered Installation) into the Certificate value under the following registry key:
    HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\<instance>\MSSQLServer\SuperSocketNetLib

In this scenario, your SQL Server may fail to start and the following messages are logged in the SQL Server Errolog:

2010-04-16 18:56:31.48 Server      Error: 17182, Severity: 16, State: 1.
2010-04-16 18:56:31.48 Server      TDSSNIClient initialization failed with error 0xd, status code 0x38.
2010-04-16 18:56:31.49 Server      Error: 17182, Severity: 16, State: 1.
2010-04-16 18:56:31.49 Server      TDSSNIClient initialization failed with error 0xd, status code 0x1.
2010-04-16 18:56:31.51 Server      Error: 17826, Severity: 18, State: 3.
2010-04-16 18:56:31.51 Server      Could not start the network library because of an internal error in the network library. To determine the cause, review the errors immediately preceding this one in the error log.
2010-04-16 18:56:31.54 Server      Error: 17120, Severity: 16, State: 1.
2010-04-16 18:56:31.54 Server      SQL Server could not spawn FRunCM thread. Check the SQL Server error log and the Windows event logs for information about possible related problems.
 

↑ Back to the top


Cause

A common root cause for these symptoms is an invisible character that may have been inadvertently added to the certificate's Thumbprint value, when it gets copied out of the Certificates snap-in's rich-edit control in MMC.

↑ Back to the top


Resolution

You can use either of the following resolutions:

  • Avoid copying leading characters from the Certificates snap-in in MMC, when you copy the Thumbprint value of a certificate.
  • Use the Certutil tool instead of the certificates snap-in in MMC to export the certificate to a text file and then copy the Thumbprint value of the required certificate from the text file. The usage is shown below:

    To view the content of computer's Current User certificate store type the following at the command prompt: certutil -store -user my
    To view the content of computer's Local Computer certificate store type the following at the command prompt: certutil -store my 

You can direct the output of the above command to a text file using the following at an administrative command prompt on Vista based operating systems: certutil  –store my > cert.txt

The thumbprint can be located in the line that starts with "Cert Hash(sha1)"
For example: Cert Hash(sha1): e7 02 4b 42 c4 04 fd 44 8c ec 21 f1 91 76 5c b7 c3 ad 1d 55

You can then copy this value (without spaces - for the above example it will be e7024b42c404fd448cec21f191765cb7c3ad1d55) to the Certificate value under the following registry key:  HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\<instance>\MSSQLServer\SuperSocketNetLib 

↑ Back to the top


More Information

A status code 0x38 in error message 17182 means that SQL Server experienced an error during the initialization of SSL. See http://blogs.msdn.com/sql_protocols/archive/2006/01/10/511330.aspx for more details.

The return code 0xd denotes OS error 0xd (13) which translates to “The data is invalid"

The above error 17182 "TDSSNIClient initialization failed with error 0xd, status code 0x38" occurs specifically because of the fact that the string under Certificate value cannot be properly converted back to a valid thumbprint of the certificate.

Note:  This GUI issue with Certificates snap-in does not occur on older versions of Windows (e.g. Windows XP, Windows Server 2003), as they do not use a rich edit control in the Certificates snap-in

To check whether you are running into the issue documented in this article you can use the following procedure:

  1. Open regedit and navigate to the following registry key and export the key to SSLKey.reg file:
    HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\<instance>\MSSQLServer\SuperSocketNetLib
  2. Open the SSLKey.reg file from Step 1 using Notepad and using the Save As dialog box in the File menu, click ANSI in the Encoding list, and then click Save.
  3. If you get the warning below, proceed to Step 3 by clicking OK.
    "This file contains characters in Unicode format which will be lost if you save this file as an ANSI encoded text file. To keep the Unicode information, click Cancel below and then select one of the Unicode options from the Encoding drop down list. Continue?"
  4. Close the SSLKey.reg file and re-open it using Notepad.
  5. If you now see a questions mark or any other invalid character in the thumbprint of your certificate, it is an indication that you are probably running into the issue documented in this article:

    An example entry may look similar to the following:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\SuperSocketNetLib]
    "Certificate"="?b009d02038431da332f095b4ea6a126f4f5c7d18"

↑ Back to the top


Keywords: vkball, kb

↑ Back to the top

Article Info
Article ID : 2023869
Revision : 1
Created on : 1/8/2017
Published on : 5/10/2016
Exists online : False
Views : 347