One of my clients came to me with a SQL Server startup issue. According to them, they had just changed the password of the SQL Server service account using the Configuration Manager. In this blog post, we will learn how to fix "Initializing the FallBack certificate failed with error code: 1, state: 20, error number: 0" during SQL Server startup.
THE INVESTIGATION
As I mentioned earlier, my client informed me that they had changed the service account password. As usual, I first asked them to check the SQL ERRORLOG to find the exact message (see: SQL SERVER – Where is ERRORLOG? Various Ways to Find ERRORLOG Location).
Here are the messages toward the end of the ERRORLOG file.
1. Error: 17190, Severity: 16, State: 1.
2. Initializing the FallBack certificate failed with error code: 1, state: 20, error number: 0.
3. Unable to initialize SSL encryption because a valid certificate could not be found, and it is not possible to create a self-signed certificate.
4. Error: 17182, Severity: 16, State: 1.
5. TDSSNIClient initialization failed with error 0x80092004, status code 0x80. Reason: Unable to initialize SSL support. Cannot find object or property.
6. Error: 17182, Severity: 16, State: 1.
7. TDSSNIClient initialization failed with error 0x80092004, status code 0x1. Reason: Initialization failed with an infrastructure error. Check for previous errors. Cannot find object or property.
8. Error: 17826, Severity: 18, State: 3.
9. Could not start the network library because of an internal error in the network library. To determine the cause, review the errors immediately preceding this one in the error log.
Note that I have added line numbers for clarity. The service account was a domain account.
I searched the internet and found many blogs with a wealth of information based on the error message. It looks like SQL Server generates a self-signed certificate by default for encryption. When I searched for 0x80092004, I found the following on the Microsoft site.
The value 0x80092004 is an SSPI error code that translates to CRYPT_E_NOT_FOUND. This error was generated by SSL because it could not locate the certificate. Here are the possible causes:
- SQL Server Startup account (service account) does not have permission or does not have a local profile in the system.
- The SQL server startup account cannot access a pre-existing key container needed to create the self-signed certificate.
I captured a Process Monitor trace to see which key was being accessed. I saw that the key below was being accessed.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Using PSGETSID, I found the SID and found that there was a key named SID.bak. Even if I renamed it and removed .bak, it was coming back when I tried to restart. I could also see a TEMP folder getting created in the C:\USERS\ folder and getting deleted automatically.
SOLUTION/WORKAROUND
The above test confirmed that this was an issue due to a temporary profile getting loaded for the SQL Service account. I took a backup and deleted the key SID.bak. Please make sure you delete the key belonging to the SID of the service account only. Here is the screenshot to make sure you are at the right key.
Hopefully, this will help you in fixing the SQL Server startup issue.
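The check and fix described above can be scripted. The following PowerShell is an added example, not code from the original post: the function name, its parameters, the default service name and the backup location are assumptions. It resolves the service account to its SID, reports whether a SID.bak key exists under ProfileList, and only with -Remove exports that key to a .reg file before deleting it.

```powershell
# Added example (not from the original post); function and parameter names are hypothetical.
function Find-ServiceProfileBak {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ServiceName = 'MSSQLSERVER',  # assumption: default instance; named instances use 'MSSQL$NAME'
        [string]$BackupDir   = $env:TEMP,      # assumption: where the .reg backup is written
        [switch]$Remove                        # delete <SID>.bak after backing it up
    )
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

    # Account the service is configured to run as
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found." }
    # Local accounts are stored as '.\user'; expand the dot so the name can be resolved
    $account = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"

    # Resolve the account to its SID (the step PsGetSid was used for in the post)
    $sid = ([Security.Principal.NTAccount]$account).Translate(
               [Security.Principal.SecurityIdentifier]).Value

    # Only the .bak key that belongs to this service account's SID is considered
    $bakKey = "$root\${sid}.bak"
    $found  = Test-Path -LiteralPath $bakKey

    [pscustomobject]@{
        Service        = $ServiceName
        Account        = $account
        Sid            = $sid
        BakKeyPresent  = $found
        BakProfilePath = $(if ($found) { (Get-ItemProperty -LiteralPath $bakKey).ProfileImagePath })
    }

    if ($found -and $Remove -and $PSCmdlet.ShouldProcess($bakKey, 'Export and delete')) {
        # Back up first, as the post does, and refuse to delete if the export fails
        $file = Join-Path $BackupDir "ProfileList_${sid}.bak.reg"
        & reg.exe export ($bakKey -replace '^HKLM:', 'HKLM') $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup of '$bakKey' failed; key not deleted." }
        Remove-Item -LiteralPath $bakKey -Recurse
    }
}

# Report only (read-only):
Find-ServiceProfileBak -ServiceName 'MSSQLSERVER'
# Preview the fix without changing anything:
# Find-ServiceProfileBak -ServiceName 'MSSQLSERVER' -Remove -WhatIf
```

Run it from an elevated PowerShell session, since reading service configuration and modifying HKLM require administrative rights.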
Reference: Pinal Dave (https://blog.sqlauthority.com)
First appeared on SQL SERVER – Initializing the FallBack Certificate Failed With Error Code: 1, State: 20, Error Number: 0