Microsoft KB Archive/943525

= You cannot start the SQL Server Agent service of a failover cluster of SQL Server 2005 if the build of SQL Server is 3179 or a later build =

Article ID: 943525

Article Last Modified on 11/30/2007


APPLIES TO


 * Microsoft SQL Server 2005 Standard Edition
 * Microsoft SQL Server 2005 Developer Edition
 * Microsoft SQL Server 2005 Enterprise Edition
 * Microsoft SQL Server 2005 Standard X64 Edition
 * Microsoft SQL Server 2005 Enterprise X64 Edition




Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows XP and Windows Vista



SYMPTOMS
Consider the following scenario:
 * You install and then configure a failover cluster of Microsoft SQL Server 2005.
 * The build of SQL Server 2005 is 3179 or a later build.

In this situation, you cannot start the SQL Server Agent service. Additionally, the following error message is logged in the SQL Server Agent log (Sqlagent.out):

2007-10-10 10:46:24 - ! [298] SQLServer Error: 22022, CryptUnprotectData returned error -2146892987, 'The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation.' [SQLSTATE 42000]

2007-10-10 10:46:24 - ! [442] ConnConnectAndSetCryptoForXpstar failed (0).

Note The Sqlagent.out file is in the following folder:

%ProgramFiles%\Microsoft SQL Server\MSSQL.1\MSSQL\LOG
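The following is an added example, not part of the original article or any Microsoft tooling: a small Python check that scans Sqlagent.out lines for the error pair quoted above and renders the signed CryptUnprotectData code as an HRESULT. The function names and the first sample line are constructed for illustration; the line layout is assumed from the two log lines quoted in this article.

```python
import re

# Layout assumed from the quoted lines: "<date> <time> - <severity> [<id>] <text>"
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) - (\S) \[(\d+)\] (.*)$")
CRYPT_RE = re.compile(r"SQLServer Error: (\d+), CryptUnprotectData returned error (-?\d+)")

# Sample input: the first line is constructed, the other two are quoted from this article.
SAMPLE_LOG = """\
2007-10-10 10:46:20 - ? [000] constructed informational line
2007-10-10 10:46:24 - ! [298] SQLServer Error: 22022, CryptUnprotectData returned error -2146892987, 'The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation.' [SQLSTATE 42000]
2007-10-10 10:46:24 - ! [442] ConnConnectAndSetCryptoForXpstar failed (0).
"""

def to_hresult(code):
    """Render a signed 32-bit error code in unsigned HRESULT hex form."""
    return f"0x{code & 0xFFFFFFFF:08X}"

def find_kb943525(lines):
    """Return one finding per [298] CryptUnprotectData error, noting whether
    the [442] connection failure follows it."""
    findings, pending = [], None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or m.group(2) != "!":      # only error-severity lines matter here
            continue
        ts, _, msg_id, text = m.groups()
        crypt = CRYPT_RE.search(text)
        if msg_id == "298" and crypt:
            pending = {
                "time": ts,
                "sql_error": int(crypt.group(1)),
                # -2146892987 is 0x80090345, SEC_E_DELEGATION_REQUIRED in winerror.h
                "hresult": to_hresult(int(crypt.group(2))),
                "connect_failed": False,
            }
            findings.append(pending)
        elif msg_id == "442" and pending and "ConnConnectAndSetCryptoForXpstar failed" in text:
            pending["connect_failed"] = True
            pending = None
    return findings

if __name__ == "__main__":
    for finding in find_kb943525(SAMPLE_LOG.splitlines()):
        print(finding)
```

When reading a real Sqlagent.out, check the file's encoding before splitting it into lines; the example assumes already-decoded text.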



CAUSE
This problem occurs because the SQL Server Agent service cannot connect to the SQL Server service.

When the SQL Server Agent service starts, it connects to the SQL Server service. The SQL Server Agent service runs the xp_sqlagent_notify stored procedure to notify the SQL Server Agent service of changes. While the xp_sqlagent_notify stored procedure is running, a call to a cryptographic API fails. Therefore, the SQL Server Agent service cannot connect to the SQL Server service.



WORKAROUND
To work around this problem, use one of the following methods.

Method 1
In the Active Directory Users and Computers snap-in, enable the SQL Server service account to be trusted for delegation.

Note You do not have to restart any resource after you enable the SQL Server service account to be trusted for delegation. For more information about how to enable a service account to be trusted for delegation, visit the following Microsoft Web site:

http://technet2.microsoft.com/WindowsServer/en/library/bef202b0-c8e9-4999-9af7-f56b991a4fd41033.mspx?mfr=true

Method 2
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

 1. Click Start, click Run, type Regedit, and then click OK.
 2. Locate the following registry subkey:
 3. Double-click the ProtectionPolicy registry entry. In the Edit DWORD Value dialog box, type 1 in the Value data box, and then click OK.
 4. Double-click the MasterKeyLegacyCompliance registry entry. In the Edit DWORD Value dialog box, type 1 in the Value data box, and then click OK.
 5. Delete the following folder:

Note The  placeholder is a placeholder for the security identifier (SID) of the SQL Server Agent service account.


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Keywords: kbexpertiseadvanced kbtshoot kbprb KB943525


© Microsoft Corporation. All rights reserved.