I see whats wrong with forced protocol encryption now! Heres the easiest solution.
From: Ed the CISSP (nospam_at_nottoday.com)
Date: Thu, 12 Jun 2003 00:12:46 -0400
Assuming you have a box ready for an SQL install.
Create yourself an unprivileged user account.
Modify the Administrators group adding the unprivileged user temporarily.
Log into the un-privileged user account.
Install SQL server. Make sure it starts the SQL service as the unprivileged
open up a browser(yes even before you reboot the machine.)
Request yourself a certificate using the advanced form request.
If you get the Stupid persistent "downloading activex control" message, then
loginto a cmd.exe box on the cert server,
cd to c:\winnt\system32\certsrv
and run cafixweb.exe in the cert dir. <--this fixes the cert web services.
The advanced form Cert request should include the following details
The Name window should have your SQL servers Host name.
The Intended purpose should be "Server Authentication Certificate"
The CSP should be :Microsoft RSA SChannel Cryptographic provider.
A single check in the Use local machine store
And click submit.
Issue yourself the requested certificate by opening the
Start-programs=Administrative tools-certification authority
click on the requested certificate and right click selecting Issue
Re-visit the http://Yourcertserver/certsrv and install your certificate.
When you click install on the cert http page the CA is automatically
installed with your requested cert.
Now Reboot once login to your unprivileged SQL account again
and You can open the SQL server Network Utility, select " Forced encryption
And start the Engine. It will start right up forcing encryption.
Then THIS GETS TOO UGLY FOR WORDS!
But it will work.
Bah on Microsoft that we have to even consider the following.
get filemon 6.04 and Regmon 6.04
Learn how these tools work you need them
Clear the File mon and regmon windows, and Start the server.
As soon as it starts stop monitoring on file mon and reg mon
Use the save As feature to save file mon to c:\sql_ok_file.log and regmon to
Now open up the Computer management program
Select the Administrators group and edit it. Remove the SQL_unprivileged
Repeat what you did with file mon and regmon saving the logs now to
c:\SQL_BAD_file.log and c:\SQL_BAD_REG.log
Now using the tool of your choice, compare visually c:\sql_ok_file.log to
c:\sql_bad_file.log do the same for regmon when your done with files.
The comparison shows clearly ACCDENIED on registry accesses when the
administrators group does not include the un-privileged user.
Here is what you do
click start click run type regedt32.exe and Add permissions that you need to
run SQL server that apparently Microsoft has forgotten about.
End of story.
Mabey some one at microsoft will Take PITTY on us and make a fix to do this
And Its not SQL SP2 cause that dosent fix this.
These errors happen in SQL SP3a
If I sound aggrivated I am, becasue of the countless hours wasted on THIS
undocumented un-discussed poorly implimented security feature.
That bugs not a bug, its a security feature.
Ill have this problem licked tomorrow with no thanks to the Microsoft
newsgroups or Microsoft support.
I doubt if their are more than a handful of people who have implemented SSL
on unprivileged accounts due the nature of the documentation, discussion,
and lack of handling from the coding parties.
People are installing certificated into every trust store they can get thier
hands on, wondering why their SSL webpages work but SSL on SQL can't be made
to work as documented and discussed.