SQL Clone
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 


DB Engine service won't start with service account


DB Engine service won't start with service account

Author
Message
turfnsurf4me
turfnsurf4me
SSC-Enthusiastic
SSC-Enthusiastic (198 reputation)SSC-Enthusiastic (198 reputation)SSC-Enthusiastic (198 reputation)SSC-Enthusiastic (198 reputation)SSC-Enthusiastic (198 reputation)SSC-Enthusiastic (198 reputation)SSC-Enthusiastic (198 reputation)SSC-Enthusiastic (198 reputation)

Group: General Forum Members
Points: 198 Visits: 84
I'm running SQL Server 2008 R2 in a Windows 2008 Enterprise Hyper-V virtual. I've created a service account to run the SQL service. I've set up the SPN for service account correctly, i.e.

MSSQLsvc/<machine name>:1433 and with the FQDN

The service account has been granted "log on as service" and some other local policy privilages. The Force Protocol Encryption is set to NO. The VIA protocal is disabled.


When I set the SQL service to run as this domain service account with the SQL Configuration manager the service won't start and throws a bunch of errors which I'll post below. If I set the SQL service to run as Network Service, it works. If I use the Built-in "Administrators" for the domain it works.


From Application Event Log...

Initializing the FallBack certificate failed with error code: 1, state: 1, error number: -2146893802.

Unable to initialize SSL encryption because a valid certificate could not be found, and it is not possible to create a self-signed certificate.

Server name is 'SQ01'. This is an informational message only. No user action is required.

TDSSNIClient initialization failed with error 0x80092004, status code 0x80. Reason: Unable to initialize SSL support. Cannot find object or property.

TDSSNIClient initialization failed with error 0x80092004, status code 0x1. Reason: Initialization failed with an infrastructure error. Check for previous errors. Cannot find object or property.

Could not start the network library because of an internal error in the network library. To determine the cause, review the errors immediately preceding this one in the error log.

SQL Server could not spawn FRunCM thread. Check the SQL Server error log and the Windows event logs for information about possible related problems.



From System Event Log..

The LoadUserProfile call failed with the following error: Access is denied.

The SQL Server (MSSQLSERVER) service entered the stopped state.

The SQL Server (MSSQLSERVER) service terminated with service-specific error 2148081668 (0x80092004).
george sibbald
george sibbald
SSC Guru
SSC Guru (63K reputation)SSC Guru (63K reputation)SSC Guru (63K reputation)SSC Guru (63K reputation)SSC Guru (63K reputation)SSC Guru (63K reputation)SSC Guru (63K reputation)SSC Guru (63K reputation)

Group: General Forum Members
Points: 63236 Visits: 13706
anything extra in the SQL error log? Does it even produce an error log?

does it work if you give the account local admin?

---------------------------------------------------------------------
jeff.matthews2
jeff.matthews2
SSC Rookie
SSC Rookie (27 reputation)SSC Rookie (27 reputation)SSC Rookie (27 reputation)SSC Rookie (27 reputation)SSC Rookie (27 reputation)SSC Rookie (27 reputation)SSC Rookie (27 reputation)SSC Rookie (27 reputation)

Group: General Forum Members
Points: 27 Visits: 5
george sibbald (10/18/2010)
anything extra in the SQL error log? Does it even produce an error log?

does it work if you give the account local admin?


Local admin privilages doesn't work. Honestly, I think it's how I set up and configured the service account. In the Win2003 world, I would simply create a new user account, grant the service account certain privilages in the machines local policy, in the DB, set the account SPN and be done with it.

I was reading about service accounts in 2008 with resepct to managing them. It's done a little different with the new OS. Here's a good article on it

http://www.windowsecurity.com/articles/Controlling-Service-Security-Windows-Server-2008.html


Going to try out the items listed in the article and see where I get.
george sibbald
george sibbald
SSC Guru
SSC Guru (63K reputation)SSC Guru (63K reputation)SSC Guru (63K reputation)SSC Guru (63K reputation)SSC Guru (63K reputation)SSC Guru (63K reputation)SSC Guru (63K reputation)SSC Guru (63K reputation)

Group: General Forum Members
Points: 63236 Visits: 13706
Ok, confused now. change of username or schizophrenic? :-)

good old windows 2008, check out UACL.

---------------------------------------------------------------------
Perry Whittle
Perry Whittle
SSC Guru
SSC Guru (148K reputation)SSC Guru (148K reputation)SSC Guru (148K reputation)SSC Guru (148K reputation)SSC Guru (148K reputation)SSC Guru (148K reputation)SSC Guru (148K reputation)SSC Guru (148K reputation)

Group: General Forum Members
Points: 148438 Visits: 18282
turfnsurf4me (10/18/2010)
MSSQLsvc/<machine name>:1433 and with the FQDN

This is incorrect, when running SQL Server under the context of a user account the SPN is bound to that user and not the server name. Like so

 
SETSPN -A MSSQLSvc/computer.domain.com:TCPPort domain\useracct



So for my test domain UKTRADING and SQL Server MYSERVER with SQL Server instance using port 1608 I would bind to user account SQL-Service-srv like so;

 
SETSPN -A MSSQLSvc/myserver.UKTRADING.co.uk:1608 UKTrading\SQL-Service-srv



Delete the SPN against the computer name and re register as above!

-----------------------------------------------------------------------------------------------------------

"Ya can't make an omelette without breaking just a few eggs" ;-)
turfnsurf4me
turfnsurf4me
SSC-Enthusiastic
SSC-Enthusiastic (198 reputation)SSC-Enthusiastic (198 reputation)SSC-Enthusiastic (198 reputation)SSC-Enthusiastic (198 reputation)SSC-Enthusiastic (198 reputation)SSC-Enthusiastic (198 reputation)SSC-Enthusiastic (198 reputation)SSC-Enthusiastic (198 reputation)

Group: General Forum Members
Points: 198 Visits: 84
Perry Whittle (10/18/2010)
turfnsurf4me (10/18/2010)
MSSQLsvc/<machine name>:1433 and with the FQDN

This is incorrect, when running SQL Server under the context of a user account the SPN is bound to that user and not the server name. Like so.....



No.......it's not. What I neglected to articulate is that I use the ADSI Edit snap-in and edit the service principal name property ( of the service account) directly while on the domain controller. I don't use the command line interface to create or modify the property. You see what I'm saying? Trust me...the SPN is correct. I've been doing this for years.

When I'm done doing what I just said, the SPN is...

MSSQLsvc/sq01:1433
MSSQLsvc/sq01.virt.local:1433

And even if I did have the SPN hosed, it still wouldn't explain why the process doesn't start with some ID's and does with others. In other words, the correctness or incorrectness of the SPN doesn't determine whether or not the process will start or won't start. At least it never has in the years I've been using them. Sure, you'll get errors being thrown in the Event logs, and communications between processes won't work. But it won't effect whether or not the process starts.
turfnsurf4me
turfnsurf4me
SSC-Enthusiastic
SSC-Enthusiastic (198 reputation)SSC-Enthusiastic (198 reputation)SSC-Enthusiastic (198 reputation)SSC-Enthusiastic (198 reputation)SSC-Enthusiastic (198 reputation)SSC-Enthusiastic (198 reputation)SSC-Enthusiastic (198 reputation)SSC-Enthusiastic (198 reputation)

Group: General Forum Members
Points: 198 Visits: 84
george sibbald (10/18/2010)
Ok, confused now. change of username or schizophrenic? :-)



I have two screen names.... w00t..... simply because one day I forgot I had the other one. So I "re-registered". And while at work yesterday, I was "the other guy". Uhhhh....I don't come here very often. Bottom line, both usernames ( screenames) are for the same people.. me.

And I've already disabled the UACL on the machine. So that's not it.
Perry Whittle
Perry Whittle
SSC Guru
SSC Guru (148K reputation)SSC Guru (148K reputation)SSC Guru (148K reputation)SSC Guru (148K reputation)SSC Guru (148K reputation)SSC Guru (148K reputation)SSC Guru (148K reputation)SSC Guru (148K reputation)

Group: General Forum Members
Points: 148438 Visits: 18282
turfnsurf4me (10/19/2010)
What I neglected to articulate is that I use the ADSI Edit snap-in and edit the service principal name property ( of the service account) directly while on the domain controller. I don't use the command line interface to create or modify the property. You see what I'm saying? Trust me...the SPN is correct. I've been doing this for years.

When I'm done doing what I just said, the SPN is...

MSSQLsvc/sq01:1433
MSSQLsvc/sq01.virt.local:1433

I see, the SPN above is what you see via ADSIEDIT against the service account. I wrongly assumed you had listed against the computer account. You would be surprised how many people do not understand that the SPN should be bound to the service account and not the computer account when running the service under the context of a low privilege user account!

turfnsurf4me (10/19/2010)
And even if I did have the SPN hosed, it still wouldn't explain why the process doesn't start

I never said or implied that it did, my reference was to the seemingly incorrect SPN binding.

-----------------------------------------------------------------------------------------------------------

"Ya can't make an omelette without breaking just a few eggs" ;-)
turfnsurf4me
turfnsurf4me
SSC-Enthusiastic
SSC-Enthusiastic (198 reputation)SSC-Enthusiastic (198 reputation)SSC-Enthusiastic (198 reputation)SSC-Enthusiastic (198 reputation)SSC-Enthusiastic (198 reputation)SSC-Enthusiastic (198 reputation)SSC-Enthusiastic (198 reputation)SSC-Enthusiastic (198 reputation)

Group: General Forum Members
Points: 198 Visits: 84
I never said or implied that it did, my reference was to the seemingly incorrect SPN binding.


You're right and pardon me for coming off kind of snippy, it wasn't my intention, sorry. At any rate, I just fired up another clean 2008 virtual to install SQL server 2008. Figured I hosed something up in the original install. Everything was fine up until I get to the section where I specify a service account for the processes. The error I get is

*S-15-21-some long *** number-another ridiculous number-1108. No mapping between account name and the security ID's was done.

It has be something with my infrastructure, or the way I created the service account, which I can't imagine what because I created the blasted thing like I always have with gui tools etc. I'm lost...
Perry Whittle
Perry Whittle
SSC Guru
SSC Guru (148K reputation)SSC Guru (148K reputation)SSC Guru (148K reputation)SSC Guru (148K reputation)SSC Guru (148K reputation)SSC Guru (148K reputation)SSC Guru (148K reputation)SSC Guru (148K reputation)

Group: General Forum Members
Points: 148438 Visits: 18282
Incidentally, rathing than poking around manually setting SPN's just allow the service account to do it automatically.

In ADSIEDIT find you service and account and select properties then go to the permissions tab. Scroll down and find SELF "read\write personal information" and click edit. Scroll down and check the following

Allow read ServicePrincipalName
Allow write ServicePrincipalName

The service account will now automatically register and maintain it's SPN's.

-----------------------------------------------------------------------------------------------------------

"Ya can't make an omelette without breaking just a few eggs" ;-)
Go


Permissions

You can't post new topics.
You can't post topic replies.
You can't post new polls.
You can't post replies to polls.
You can't edit your own topics.
You can't delete your own topics.
You can't edit other topics.
You can't delete other topics.
You can't edit your own posts.
You can't edit other posts.
You can't delete your own posts.
You can't delete other posts.
You can't post events.
You can't edit your own events.
You can't edit other events.
You can't delete your own events.
You can't delete other events.
You can't send private messages.
You can't send emails.
You can read topics.
You can't vote in polls.
You can't upload attachments.
You can download attachments.
You can't post HTML code.
You can't edit HTML code.
You can't post IFCode.
You can't post JavaScript.
You can post emoticons.
You can't post or upload images.

Select a forum








































































































































































SQLServerCentral


Search