FIX: You may be unable to start the SQL Server agent if you configure a SQL Server 2005 failover cluster to use Kerberos constrained delegation for a domain user account

Article ID: 956378
Bug: #50002978 (SQL Hotfix)
Microsoft distributes Microsoft SQL Server 2005 fixes as one downloadable file. Because the fixes are cumulative, each new release contains all the hotfixes and all the security fixes that were included with the previous SQL Server 2005 fix release.
SYMPTOMS

Consider the following scenario:
  • You configure a Microsoft SQL Server 2005 failover cluster to use "Kerberos constrained delegation" for a domain user account.

    Note Using "Kerberos constrained delegation" means that you use the "Trust this user for delegation to specified services only" option for the user.
  • The domain user account does not have domain administrator permissions.
  • Both the SQL Server service and the SQL Server Agent service are running under the domain user account.
  • You applied SQL Server 2005 Service Pack 2 (SP2) Cumulative Update 3 or later cumulative updates.
In this scenario, you may be unable to start the SQL Server agent, and you may receive one of the following error messages:

Error message 1
<Date Time> - ! [298] SQLServer Error: 22022, CryptUnprotectData() returned error -2146892987, 'The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation.' [SQLSTATE 42000]
<Date Time> - ! [442] ConnConnectAndSetCryptoForXpstar failed (0).
<Date Time> - ? [098] SQLServerAgent terminated (normally)

Error message 2
<Date Time> - ! [298] SQLServer Error: 22022, CryptUnprotectData() returned error -2146893813, 'Key not valid for use in specified state.' [SQLSTATE 42000]
<Date Time> - ! [442] ConnConnectAndSetCryptoForXpstar failed (0).
<Date Time> - ? [098] SQLServerAgent terminated (normally)

RESOLUTION

Cumulative update information

The fix for this issue was first released in Cumulative Update 9. For more information about how to obtain this cumulative update package for SQL Server 2005 Service Pack 2, click the following article number to view the article in the Microsoft Knowledge Base:
953752 Cumulative update package 9 for SQL Server 2005 Service Pack 2
Note Because the builds are cumulative, each new fix release contains all the hotfixes and all the security fixes that were included with the previous SQL Server 2005 fix release. Microsoft recommends that you consider applying the most recent fix release that contains this hotfix. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
937137 The SQL Server 2005 builds that were released after SQL Server 2005 Service Pack 2 was released
Microsoft SQL Server 2005 hotfixes are created for specific SQL Server service packs. You must apply a SQL Server 2005 Service Pack 2 hotfix to an installation of SQL Server 2005 Service Pack 2. By default, any hotfix that is provided in a SQL Server service pack is included in the next SQL Server service pack.

WORKAROUND

In Windows Server 2003, to use constrained delegation in a clustered server environment for SQL Server 2005 that has Cumulative Update 3 or a later cumulative update (up to Cumulative Update 9) installed, follow these steps:
  1. Make sure that the Active Directory domain functional level is set to Windows Server 2003. To verify this setting, open the Active Directory Users and Computers Microsoft Management Console (MMC), right-click the domain node, and then click Properties.

    Note If the Domain functional level field does not display Windows Server 2003, you cannot use constrained delegation. In this case, this method does not apply. The Delegation tab that is mentioned below is not available.
  2. Use the SETSPN utility to create Service Principal Names (SPNs) for the MSSQLSvc service according to the directions in step 3 of the SQL Server Books Online “How to: Enable Kerberos Authentication on a SQL Server Failover Cluster” topic. You must perform this operation for all four SPN combinations. These combinations are as follows:
    • MSSQLSvc/NETBIOSName
    • MSSQLSvc/FQDN
    • MSSQLSvc/NETBIOSName:Port
    • MSSQLSvc/FQDN:Port
    For more information about how to obtain the SETSPN utility, click the following article number to view the article in the Microsoft Knowledge Base:
    926027 Updates to the Windows Server 2003 Support Tools are included in Windows Server 2003 Service Pack 2
  3. Set delegation for the SQL Server 2005 service account. To do this, follow these steps:
    1. Open the Active Directory Users and Computers MMC.
    2. Locate the user account object that the SQL Server Service runs under, right-click the user account, and then click Properties.
    3. In the Properties dialog box, click the Delegation tab.
    4. Select the Trust this user for delegation to specified services only radio button.
    5. Select either the Use Kerberos only radio button or the Use any authentication protocol radio button.
    6. Click Add.
    7. In the Add Services dialog box, click Users or Computers.
    8. In the Select Users or Computers dialog box, type the user account that the SQL Server service is running under in the Object Name box, and then click OK.

      Note This is the account that you created in step 2.
    9. Click Select All, and then click OK in the Add Services dialog box.
    10. In the Properties dialog box, click OK.
  4. Set delegation for the SQL Server virtual machine computer account. The account is the Network Name resource in the SQL Server cluster resource group. To do this, follow these steps:
    1. Open the Active Directory Users and Computers MMC.
    2. Locate the computer account object for the SQL Server virtual machine, right-click the computer account, and then click Properties.
    3. In the Properties dialog box, click the Delegation tab.
    4. Select the Trust this user for delegation to specified services only radio button.
    5. Select either the Use Kerberos only radio button or the Use any authentication protocol radio button.
    6. Click Add.
    7. In the Add Services dialog box, click Users or Computers.
    8. In the Select Users or Computers dialog box, type the user account that the SQL Server service is running under in the Object Name box, and then click OK.

      Note This is the account that you created in step 2.
    9. Click Select All, and then click OK in the Add Services dialog box.
    10. In the Properties dialog box, click OK.
  5. Set delegation for each of the cluster node computer accounts in the cluster. To do this, follow these steps:
    1. Open the Active Directory Users and Computers MMC.
    2. Locate the computer account object for one of the cluster nodes, right-click the account, and then click Properties.
    3. In the Properties dialog box, click the Delegation tab.
    4. Select the Trust this user for delegation to specified services only radio button.
    5. Select the Use any authentication protocol radio button.
    6. Click Add.
    7. In the Add Services dialog box, click Users or Computers.
    8. In the Select Users or Computers dialog box, type the machine accounts for all the domain controllers in this domain, separated by semicolons, in the Object Name box, and then click OK.
    9. In the list of available services, select the cifs service and the protectedstorage service for all the domain controllers that you entered in step 8, and then click OK in the Add Services dialog box.
    10. In the Properties dialog box, click OK.
  6. Restart all cluster nodes.
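The steps above are carried out by hand in the MMC. The following PowerShell script is an added example (it is not part of KB 956378 and not a Microsoft tool) that checks the same configuration from the command line: it verifies, and with -RegisterSpns registers, the four MSSQLSvc SPNs from step 2, looks for duplicate SPN registrations, and reports whether the service account, the virtual server's computer account and each cluster node carry the delegation settings from steps 3 to 5. It assumes setspn.exe from the Windows Server 2003 Support Tools is on the PATH, that it runs as a domain user who can read Active Directory, and that the names SQLCLUSTER, sqlcluster.contoso.local, sqlsvc, NODE1 and NODE2 are placeholders for your own environment. The userAccountControl bits and the msDS-AllowedToDelegateTo attribute it reads are what the Delegation tab writes; constrained delegation itself has no bit of its own and is recognised by the presence of target services.

```powershell
# Added example, not part of KB 956378: verifies (and optionally registers) the SPNs
# from step 2 and reports the delegation settings from steps 3 to 5 of the workaround.
# Assumptions: setspn.exe (Windows Server 2003 Support Tools) is on the PATH, the script
# runs as a domain user that can read Active Directory, and every name below is a
# constructed placeholder to be replaced with your own.
param(
    [string]  $VirtualServerName = 'SQLCLUSTER',               # Network Name resource, NetBIOS form
    [string]  $VirtualServerFqdn = 'sqlcluster.contoso.local', # Network Name resource, FQDN form
    [int]     $Port              = 1433,
    [string]  $ServiceAccount    = 'sqlsvc',                   # sAMAccountName of the SQL Server service account
    [string[]]$ClusterNodes      = @('NODE1', 'NODE2'),        # cluster node computer names
    [switch]  $RegisterSpns                                    # without this switch nothing is changed
)

# Step 2: the four MSSQLSvc SPN combinations the article requires.
$requiredSpns = @(
    "MSSQLSvc/$VirtualServerName",
    "MSSQLSvc/$VirtualServerFqdn",
    "MSSQLSvc/${VirtualServerName}:$Port",
    "MSSQLSvc/${VirtualServerFqdn}:$Port"
)

# "setspn -L account" lists the SPNs already registered on the account, one per line.
$registered = & setspn -L $ServiceAccount 2>&1 |
    ForEach-Object { "$_".Trim() } |
    Where-Object { $_ -like 'MSSQLSvc/*' }

foreach ($spn in $requiredSpns) {
    if ($registered -contains $spn) {
        Write-Host "OK       $spn"
    } elseif ($RegisterSpns) {
        & setspn -A $spn $ServiceAccount | Out-Null   # "setspn -A SPN account" adds the SPN
        Write-Host "ADDED    $spn"
    } else {
        Write-Host "MISSING  $spn  (re-run with -RegisterSpns to add it)"
    }
}

# An SPN that is registered on two accounts leaves the KDC unable to issue a service
# ticket for it, so search the whole domain for each required SPN and report duplicates.
foreach ($spn in $requiredSpns) {
    $hits = ([ADSISearcher]"(servicePrincipalName=$spn)").FindAll()
    if ($hits.Count -gt 1) {
        $owners = ($hits | ForEach-Object { $_.Properties['samaccountname'][0] }) -join ', '
        Write-Warning "$spn is registered on more than one account: $owners"
    }
}

# userAccountControl bits written by the Delegation tab.
$TRUSTED_FOR_DELEGATION         = 0x80000    # "Trust this user for delegation to any service" (unconstrained)
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" (protocol transition)

function Get-DelegationState {
    # Returns how delegation is configured on a user or computer account.
    # Constrained delegation has no UAC bit of its own: it is present when the
    # msDS-AllowedToDelegateTo attribute lists target services.
    param([string]$SamAccountName)
    $r = ([ADSISearcher]"(sAMAccountName=$SamAccountName)").FindOne()
    if (-not $r) { throw "Account '$SamAccountName' was not found in Active Directory." }
    $uac     = [int]$r.Properties['useraccountcontrol'][0]
    $targets = @($r.Properties['msds-allowedtodelegateto'])
    New-Object PSObject -Property @{
        Account        = $SamAccountName
        Unconstrained  = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
        Constrained    = ($targets.Count -gt 0)
        AnyProtocol    = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
        AllowedTargets = $targets
    }
}

# Steps 3 and 4: the service account and the virtual server's computer account
# ("SQLCLUSTER$") must be constrained; Kerberos-only and any-protocol are both acceptable.
foreach ($acct in @($ServiceAccount, "$VirtualServerName`$")) {
    $d = Get-DelegationState $acct
    if ($d.Unconstrained) { Write-Warning "$acct uses unconstrained delegation; switch it to 'specified services only'." }
    if (-not $d.Constrained) { Write-Warning "$acct lists no delegation targets." }
    Write-Host ("{0}: constrained={1} anyProtocol={2} targets={3}" -f $acct, $d.Constrained, $d.AnyProtocol, ($d.AllowedTargets -join ' '))
}

# Step 5: each cluster node must use "Use any authentication protocol" and list the
# cifs and protectedstorage services of every domain controller. Domain controllers are
# the computer objects with the SERVER_TRUST_ACCOUNT bit (0x2000) in userAccountControl.
$dcs = ([ADSISearcher]'(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))').FindAll() |
       ForEach-Object { $_.Properties['dnshostname'][0] }
foreach ($node in $ClusterNodes) {
    $d = Get-DelegationState "$node`$"
    if (-not $d.AnyProtocol) { Write-Warning "${node}: 'Use any authentication protocol' is not selected." }
    foreach ($dc in $dcs) {
        foreach ($svc in 'cifs', 'protectedstorage') {
            if ($d.AllowedTargets -notcontains "$svc/$dc") { Write-Warning "${node}: missing delegation target $svc/$dc" }
        }
    }
}
```

Run it once without -RegisterSpns to see what is missing, fix the delegation warnings in the MMC as described in steps 3 to 5, and then restart the nodes as step 6 requires. The duplicate-SPN check is there because setspn -A adds an SPN without looking for it elsewhere in the domain, and a duplicated MSSQLSvc SPN produces the same symptom (Kerberos cannot be used) as a missing one.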

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

For more information about what files are changed, and for information about any prerequisites to apply the cumulative update package that contains the hotfix that is described in this Microsoft Knowledge Base article, click the following article number to view the article in the Microsoft Knowledge Base:
953752 Cumulative update package 9 for SQL Server 2005 Service Pack 2
For more information about how to enable Kerberos authentication on a SQL Server failover cluster, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/ms189585.aspx

REFERENCES

For more information about the list of builds that are available after SQL Server Service Pack 2, click the following article number to view the article in the Microsoft Knowledge Base:
937137 The SQL Server 2005 builds that were released after SQL Server 2005 Service Pack 2 was released
For more information about the Incremental Servicing Model for SQL Server, click the following article number to view the article in the Microsoft Knowledge Base:
935897 An Incremental Servicing Model is available from the SQL Server team to deliver hotfixes for reported problems
For more information about how to obtain SQL Server 2005 Service Pack 2, click the following article number to view the article in the Microsoft Knowledge Base:
913089 How to obtain the latest service pack for SQL Server 2005
For more information about the new features and the improvements in SQL Server 2005 Service Pack 2, visit the following Microsoft Web site:
http://go.microsoft.com/fwlink/?LinkId=71711
For more information about the naming schema for SQL Server updates, click the following article number to view the article in the Microsoft Knowledge Base:
822499 New naming schema for Microsoft SQL Server software update packages
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Properties

Article ID: 956378 - Last Review: October 8, 2011 - Revision: 3.0
APPLIES TO
  • Microsoft SQL Server 2005 Enterprise Edition
  • Microsoft SQL Server 2005 Enterprise X64 Edition
  • Microsoft SQL Server 2005 Enterprise Edition for Itanium-based Systems
Keywords: kbsql2005cluster kbexpertiseadvanced kbhotfixrollup kbfix kbqfe KB956378