You cannot install SQL Server 2005 Service Pack 1 on a SQL Server 2005 failover cluster if the failover cluster is behind a firewall

Article translations Article translations
Article ID: 947988 - View products that this article applies to.
Expand all | Collapse all

On This Page

SYMPTOMS

When you install Microsoft SQL Server 2005 Service Pack 1 (SP1) on a SQL Server 2005 failover cluster, the installation fails. Additionally, the following error message is logged in the DTS9_Hotfix_KB913090_sqlrun_dts.msp.log file:
11/15/2006 10:01:44.056 Attempting to start service: MsDtsServer
11/15/2006 10:02:14.274 Unable to start service: MsDtsServer
11/15/2006 10:02:14.274 The following exception occurred: Unable to start service
Date: 11/15/2006 10:02:14.274 File:
\depot\sqlvault\setupmain\setup\sqlse\sqlsedll\service.cpp Line: 222
This problem occurs if the failover cluster is behind a firewall that blocks outgoing HTTP requests.

CAUSE

This problem occurs because the certificate revocation list (CRL) check operation times out.

WORKAROUND

To work around this problem, use one of the following methods.

Method 1

Configure the firewall to enable Internet access to the following Microsoft Web site:
http://crl.microsoft.com

Method 2

Turn off the CRL checking feature.

Important After you turn off the CRL checking feature, the applications that use the CryptoAPI function cannot verify any CRLs.

If SQL Server Integration Services (SSIS) is running under a domain account, follow these steps:
  1. In Control Panel, double-click Internet Options.
  2. In the Internet Options dialog box, click the Advanced tab.
  3. Under Settings, click to clear the Check for publisher’s certificate revocation check box, and then click OK.
If SSIS is running under the NETWORK SERVICE account, follow these steps:
  1. Start Notepad.
  2. In Notepad, paste the following information.
    Windows Registry Editor Version 5.00
    [HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
    "State"=dword:00023e00
  3. Save the file as a .reg file.
  4. Double-click the .reg file that you saved in step 3.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

When the Microsoft .NET Framework starts SSIS, the .NET Framework calls the CryptoAPI function. This function determines whether the certificates that are signed to the SQL Server assembly files are revoked. The CryptoAPI function requires an Internet connection to check the following CRLs for these certificates:
  • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl
  • http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl
If outgoing HTTP requests are dropped, the CryptoAPI function cannot download these CRLs. The SQL Server 2005 SP1 Setup program does not return an error message. However, the CRL check operation times out because of a long delay. When the Service Control Manager (SCM) determines that SSIS takes too long to start, the SCM reports the error message, and SSIS is not started.

Properties

Article ID: 947988 - Last Review: February 13, 2008 - Revision: 1.2
APPLIES TO
  • Microsoft SQL Server 2005 Standard Edition
  • Microsoft SQL Server 2005 Workgroup Edition
  • Microsoft SQL Server 2005 Developer Edition
  • Microsoft SQL Server 2005 Enterprise Edition
Keywords: 
kbexpertiseadvanced kbtshoot kbprb KB947988

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com