You cannot install SQL Server 2005 Service Pack 1 on a SQL Server 2005 failover cluster if the failover cluster is behind a firewall


When you install Microsoft SQL Server 2005 Service Pack 1 (SP1) on a SQL Server 2005 failover cluster, the installation fails. Additionally, the following error message is logged in the DTS9_Hotfix_KB913090_sqlrun_dts.msp.log file:
11/15/2006 10:01:44.056 Attempting to start service: MsDtsServer
11/15/2006 10:02:14.274 Unable to start service: MsDtsServer
11/15/2006 10:02:14.274 The following exception occurred: Unable to start service
Date: 11/15/2006 10:02:14.274 File:
\depot\sqlvault\setupmain\setup\sqlse\sqlsedll\service.cpp Line: 222
This problem occurs if the failover cluster is behind a firewall that blocks outgoing HTTP requests.


This problem occurs because the certificate revocation list (CRL) check operation times out.


To work around this problem, use one of the following methods.

Method 1

Configure the firewall to enable Internet access to the following Microsoft Web site:

Method 2

Turn off the CRL checking feature.

Important After you turn off the CRL checking feature, the applications that use the CryptoAPI function cannot verify any CRLs.

If SQL Server Integration Services (SSIS) is running under a domain account, follow these steps:
  1. In Control Panel, double-click Internet Options.
  2. In the Internet Options dialog box, click the Advanced tab.
  3. Under Settings, click to clear the Check for publisher’s certificate revocation check box, and then click OK.
If SSIS is running under the NETWORK SERVICE account, follow these steps:
  1. Start Notepad.
  2. In Notepad, paste the following information.
    Windows Registry Editor Version 5.00
    [HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  3. Save the file as a .reg file.
  4. Double-click the .reg file that you saved in step 3.


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

When the Microsoft .NET Framework starts SSIS, the .NET Framework calls the CryptoAPI function. This function determines whether the certificates that are signed to the SQL Server assembly files are revoked. The CryptoAPI function requires an Internet connection to check the following CRLs for these certificates:
If outgoing HTTP requests are dropped, the CryptoAPI function cannot download these CRLs. The SQL Server 2005 SP1 Setup program does not return an error message. However, the CRL check operation times out because of a long delay. When the Service Control Manager (SCM) determines that SSIS takes too long to start, the SCM reports the error message, and SSIS is not started.

Article ID: 947988 - Last Review: Apr 16, 2010 - Revision: 1