Consider the following scenario. An instance of Microsoft SQL Server 2005 is installed on a computer that is running Microsoft Windows XP or Microsoft Windows 2000. You try to connect to the instance. In this scenario, you receive one of the following error messages depending on the protocol that you use for the connection:
- When you try to connect to the instance by using the named pipes protocol or the shared memory protocol, you receive the following error message:
No process is on the other end of the pipe.
- When you try to connect to the instance by using the TCP/IP protocol, you receive the following error message:
An existing connection was forcibly closed by the remote host.
This problem occurs because a certificate that has the AT_SIGNATURE key specification is used for Secure Sockets Layer (SSL) encryption for the instance. A certificate that has the AT_SIGNATURE key specification cannot be used for SSL encryption in SQL Server 2005. On a computer that is running Microsoft Windows Server 2003, the certificate is recognized as not valid. Therefore, the SQL Server service does not load the certificate, and the service does not start. However, on a computer that is running Windows XP or Windows 2000, the SQL Server service loads the certificate, and the service starts successfully. This behavior causes the connection to fail.
To resolve this problem, use a valid certificate. You must use a certificate that has the AT_EXCHANGE key specification.
You can examine the key specification of the certificate by using the Certutil utility (Certutil.exe). To do this, follow these steps:
- At a command prompt, run the following command:
Certutil -store -v my CertificateSerialNumber
Note In this command, CertificateSerialNumber is a placeholder for the serial number of the certificate that you specify for the instance. To obtain the serial number of the certificate, locate the following registry subkey, and then obtain the value of the Certificate registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\SuperSocketNetLib
- In the result text, locate a section that resembles the following:
Key Container = c3748a7420955ed4ee1dffb26484a0df_64756357-bf11-4528-b106-59c407d8a6e8
Provider = Microsoft RSA SChannel Cryptographic Provider
ProviderType = c
Flags = 60
KeySpec = 1
For a valid certificate, the KeySpec property has a value of 1. If the KeySpec property has a value of 2, the certificate has the AT_SIGNATURE key specification. Therefore, you experience the problem that is mentioned in the "Symptoms" section when you use the certificate.
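The KeySpec check from the steps above can be automated across every certificate in the store. The following is an added example, not part of the original article: the function name check_keyspec is hypothetical, the sample text is constructed, and the "Certificate N" separator and "Serial Number:" lines are assumptions about the rest of the Certutil output.

```python
import re
import sys

# KeySpec values as the article describes them: 1 is valid for SSL, 2 is AT_SIGNATURE.
KEYSPEC_NAMES = {1: "AT_EXCHANGE", 2: "AT_SIGNATURE"}

# Constructed sample modelled on the fields the article shows. The separator and
# "Serial Number:" lines are assumed; the third certificate has no private key block.
SAMPLE = """\
================ Certificate 0 ================
Serial Number: 0123456789abcdef
  Provider = Microsoft RSA SChannel Cryptographic Provider
  ProviderType = c
  Flags = 60
  KeySpec = 1
================ Certificate 1 ================
Serial Number: 0fedcba987654321
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
  ProviderType = 1
  Flags = 0
  KeySpec = 2
================ Certificate 2 ================
Serial Number: 00aa11bb22cc33dd
"""

def check_keyspec(certutil_output):
    """Return one (serial, keyspec, verdict) tuple per certificate section."""
    sections = re.split(r"^=+ Certificate \d+ =+\s*$", certutil_output, flags=re.M)
    sections = sections[1:] or sections  # no separators: treat the text as one section
    results = []
    for section in sections:
        serial = re.search(r"^\s*Serial Number:\s*(\S+)", section, re.M)
        spec = re.search(r"^\s*KeySpec\s*=\s*(\d+)", section, re.M)
        keyspec = int(spec.group(1)) if spec else None
        if keyspec == 1:
            verdict = "ok"
        elif keyspec == 2:
            verdict = "AT_SIGNATURE: not usable for SQL Server 2005 SSL"
        else:
            verdict = "no usable KeySpec found"
        results.append((serial.group(1) if serial else "?", keyspec, verdict))
    return results

if __name__ == "__main__":
    # Pass "-" to read real Certutil output from stdin; otherwise use the sample.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    for serial, keyspec, verdict in check_keyspec(text):
        print(f"{serial}: KeySpec={keyspec} ({KEYSPEC_NAMES.get(keyspec, 'unknown')}) -> {verdict}")
```

To check a live store, redirect the output of Certutil -store -v my to the script and pass "-" as its only argument.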
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
We strongly recommend that you use SQL Server Configuration Manager to specify a certificate for an instance. SQL Server Configuration Manager displays only the certificates that are valid for use by the server. Therefore, you can avoid selecting a certificate that is not valid.