I see what's wrong with forced protocol encryption now! Here's the easiest solution.

From: Ed the CISSP (nospam_at_nottoday.com)
Date: 06/12/03
Date: Thu, 12 Jun 2003 00:12:46 -0400

Assuming you have a box ready for an SQL install.

Create yourself an unprivileged user account.
Modify the Administrators group, adding the unprivileged user temporarily.

Log into the unprivileged user account.
Install SQL Server. Make sure it starts the SQL service as the unprivileged
user.

Open up a browser (yes, even before you reboot the machine)
to http://Yourcertserver/certsrv
Request yourself a certificate using the advanced form request.
If you get the stupid persistent "downloading ActiveX control" message, then
log into a cmd.exe box on the cert server,
cd to c:\winnt\system32\certsrv
and run cafixweb.exe in the cert dir. <-- this fixes the cert web services.
The advanced form cert request should include the following details:
The Name window should have your SQL server's host name.
The Intended purpose should be "Server Authentication Certificate".
The CSP should be: Microsoft RSA SChannel Cryptographic Provider.
A single check in "Use local machine store".
And click Submit.
Issue yourself the requested certificate by opening
  Start - Programs - Administrative Tools - Certification Authority,
  click on the requested certificate and right-click, selecting Issue.
Re-visit http://Yourcertserver/certsrv and install your certificate.
When you click Install on the cert HTTP page, the CA is automatically
installed with your requested cert.

Now reboot once, log into your unprivileged SQL account again,
and you can open the SQL Server Network Utility, select "Forced encryption
protocol"
and start the engine. It will start right up forcing encryption.
Then THIS GETS TOO UGLY FOR WORDS!
But it will work.
Bah on Microsoft that we have to even consider the following.
Go to www.sysinternals.com
   get Filemon 6.04 and Regmon 6.04.
Learn how these tools work; you need them.
Clear the Filemon and Regmon windows, and start the server.
As soon as it starts, stop monitoring on Filemon and Regmon.
Use the Save As feature to save Filemon to c:\sql_ok_file.log and Regmon to
c:\sql_ok_reg.log.
Now open up the Computer Management program.
Select the Administrators group and edit it. Remove the SQL_unprivileged
user.
Repeat what you did with Filemon and Regmon, saving the logs now to
c:\SQL_BAD_file.log and c:\SQL_BAD_REG.log.

Now, using the tool of your choice, compare visually c:\sql_ok_file.log to
c:\sql_bad_file.log; do the same for Regmon when you're done with files.
The comparison shows clearly ACCDENIED on registry accesses when the
Administrators group does not include the unprivileged user.
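The visual diff of the two Regmon captures can be automated. The script below is an added example, not code from the original post: it parses the "ok" capture (service account still in Administrators) and the "bad" capture (account removed), keeps only the SQL service process, and reports every registry key that went from SUCCESS to ACCDENIED, together with whether read or write access was refused. The tab-separated column order (#, Time, Process, Request, Path, Result, Other) is assumed to match what Regmon 6.x writes with Save As, and the two captures embedded here are constructed samples, not logs from the poster's machine.

```python
"""Diff two Regmon captures of the SQL service start-up and list the
registry keys that went from SUCCESS to ACCDENIED.

Added example, not part of the original post. Column order is assumed
to be what Regmon 6.x writes with "Save As"; the captures are constructed.
"""
from collections import defaultdict

FIELDS = ("seq", "time", "process", "request", "path", "result", "other")

# Constructed sample: account still in Administrators, everything succeeds.
OK_LOG = "\n".join([
    "1\t00:12:01\tsqlservr.exe:1260\tOpenKey\tHKLM\\SOFTWARE\\Constructed\\SqlService\tSUCCESS\tKey: 0xE1A4",
    "2\t00:12:01\tsqlservr.exe:1260\tQueryValue\tHKLM\\SOFTWARE\\Constructed\\SqlService\\ForceEncryption\tSUCCESS\t0x1",
    "3\t00:12:02\tsqlservr.exe:1260\tOpenKey\tHKLM\\SOFTWARE\\Constructed\\MachineCerts\\MY\tSUCCESS\tKey: 0xE1B0",
    "4\t00:12:02\tsqlservr.exe:1260\tSetValue\tHKLM\\SOFTWARE\\Constructed\\SqlService\\LastStart\tSUCCESS\t0x3EC6",
    "5\t00:12:03\texplorer.exe:812\tOpenKey\tHKCU\\Software\\Constructed\\Shell\tACCDENIED\t",
])

# Constructed sample: same start-up after the account left Administrators.
BAD_LOG = "\n".join([
    "1\t00:14:10\tsqlservr.exe:1304\tOpenKey\tHKLM\\SOFTWARE\\Constructed\\SqlService\tSUCCESS\tKey: 0xE1A4",
    "2\t00:14:10\tsqlservr.exe:1304\tQueryValue\tHKLM\\SOFTWARE\\Constructed\\SqlService\\ForceEncryption\tSUCCESS\t0x1",
    "3\t00:14:11\tsqlservr.exe:1304\tOpenKey\tHKLM\\SOFTWARE\\Constructed\\MachineCerts\\MY\tACCDENIED\t",
    "4\t00:14:11\tsqlservr.exe:1304\tSetValue\tHKLM\\SOFTWARE\\Constructed\\SqlService\\LastStart\tACCDENIED\t",
    "5\t00:14:12\texplorer.exe:812\tOpenKey\tHKCU\\Software\\Constructed\\Shell\tACCDENIED\t",
])

# Requests whose Path names a key directly; for value operations the
# permission lives on the parent key, so the value name is stripped.
KEY_REQUESTS = {"OpenKey", "CreateKey", "QueryKey", "EnumerateKey", "DeleteKey"}
WRITE_REQUESTS = {"CreateKey", "SetValue", "DeleteKey", "DeleteValue"}


def parse_regmon(text):
    """Parse a saved Regmon capture into a list of row dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.rstrip("\r\n").split("\t")
        if len(parts) < 6 or not parts[0].isdigit():
            continue  # header line, blank line or truncated row
        parts += [""] * (len(FIELDS) - len(parts))
        rows.append(dict(zip(FIELDS, parts[: len(FIELDS)])))
    return rows


def key_of(row):
    """Registry key a permission would be granted on for this row."""
    if row["request"] in KEY_REQUESTS:
        return row["path"]
    return row["path"].rsplit("\\", 1)[0]


def outcomes(rows, process_prefix):
    """Map (request, path) -> set of results seen for one process image."""
    seen = defaultdict(set)
    for row in rows:
        if row["process"].lower().startswith(process_prefix.lower()):
            seen[(row["request"], row["path"])].add(row["result"])
    return seen


def new_denials(ok_text, bad_text, process_prefix="sqlservr.exe"):
    """Keys denied in the 'bad' capture but successful in the 'ok' one.

    Returns {key_path: "read" | "write"}; a key needing any write access
    is reported as "write". Accesses denied in both captures are skipped,
    since the group change did not cause them.
    """
    ok = outcomes(parse_regmon(ok_text), process_prefix)
    bad = outcomes(parse_regmon(bad_text), process_prefix)
    needed = {}
    for (request, path), results in bad.items():
        if "ACCDENIED" not in results:
            continue
        if "SUCCESS" not in ok.get((request, path), set()):
            continue
        key = key_of({"request": request, "path": path})
        access = "write" if request in WRITE_REQUESTS else "read"
        if needed.get(key) != "write":
            needed[key] = access
    return needed


if __name__ == "__main__":
    for key, access in sorted(new_denials(OK_LOG, BAD_LOG).items()):
        print(f"{access:5}  {key}")
```

Run against the real c:\sql_ok_reg.log and c:\SQL_BAD_REG.log, the printed list is exactly the set of keys to visit in regedt32: grant the service account read on the "read" entries and read plus set-value on the "write" entries, and nothing broader.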

Here is what you do:
Click Start, click Run, type regedt32.exe, and add the permissions that you need to
run SQL Server that apparently Microsoft has forgotten about.
End of story.
Regards

Maybe someone at Microsoft will take PITY on us and make a fix to do this
for us.
And it's not SQL SP2, 'cause that doesn't fix this.
These errors happen in SQL SP3a.
If I sound aggravated I am, because of the countless hours wasted on THIS
undocumented, un-discussed, poorly implemented security feature.
That bug's not a bug, it's a security feature.

Regards

I'll have this problem licked tomorrow with no thanks to the Microsoft
newsgroups or Microsoft support.
I doubt there are more than a handful of people who have implemented SSL
on unprivileged accounts, due to the nature of the documentation, discussion,
and lack of handling from the coding parties.
People are installing certificates into every trust store they can get their
hands on, wondering why their SSL web pages work but SSL on SQL can't be made
to work as documented and discussed.
