Microsoft Knowledge Base Article
This article's content is Microsoft copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved.
Article ID: 2023869 - Last Review: November 8, 2010 - Revision: 2.0
SQL Server fails to start with error 17182 "TDSSNIClient initialization failed with error 0xd, status code 0x38" when server is configured to use SSL
Consider the following scenario:
- You have an instance of SQL Server 2005, SQL Server 2008, or SQL Server 2008 R2 hosted on a system running Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7.
- You have configured SSL encryption for SQL Server by manually entering the thumbprint of a certificate (for example, by following the instructions in the blog post "Enabling Certificate for SSL on a SQL Server 2005 Clustered Installation") into the Certificate value under the following registry key:
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\<instance>\MSSQLServer\SuperSocketNetLib
In this scenario, SQL Server may fail to start, and the following messages are logged in the SQL Server error log:
2010-04-16 18:56:31.48 Server Error: 17182, Severity: 16, State: 1.
2010-04-16 18:56:31.48 Server TDSSNIClient initialization failed with error 0xd, status code 0x38.
2010-04-16 18:56:31.49 Server Error: 17182, Severity: 16, State: 1.
2010-04-16 18:56:31.49 Server TDSSNIClient initialization failed with error 0xd, status code 0x1.
2010-04-16 18:56:31.51 Server Error: 17826, Severity: 18, State: 3.
2010-04-16 18:56:31.51 Server Could not start the network library because of an internal error in the network library. To determine the cause, review the errors immediately preceding this one in the error log.
2010-04-16 18:56:31.54 Server Error: 17120, Severity: 16, State: 1.
2010-04-16 18:56:31.54 Server SQL Server could not spawn FRunCM thread. Check the SQL Server error log and the Windows event logs for information about possible related problems.
A common root cause for these symptoms is an invisible character that was inadvertently added to the certificate's Thumbprint value when it was copied out of the Certificates snap-in's rich-edit control in MMC. You can use either of the following resolutions:
- Avoid copying leading characters from the Certificates snap-in in MMC when you copy the Thumbprint value of a certificate.
- Use the Certutil tool instead of the Certificates snap-in in MMC to export the certificate to a text file, and then copy the Thumbprint value of the required certificate from the text file. The usage is shown below:
To view the contents of the Current User certificate store, type the following at the command prompt: certutil -store -user my
To view the contents of the Local Computer certificate store, type the following at the command prompt: certutil -store my
You can direct the output of the above command to a text file by using the following at an administrative command prompt on Windows Vista-based operating systems: certutil -store my > cert.txt
The thumbprint can be located in the line that starts with "Cert Hash(sha1)".
For example: Cert Hash(sha1): e7 02 4b 42 c4 04 fd 44 8c ec 21 f1 91 76 5c b7 c3 ad 1d 55
You can then copy this value (without spaces - for the above example it will be e7024b42c404fd448cec21f191765cb7c3ad1d55) to the Certificate value under the following registry key: HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\<instance>\MSSQLServer\SuperSocketNetLib
A status code 0x38 in error message 17182 means that SQL Server experienced an error during the initialization of SSL. See http://blogs.msdn.com/sql_protocols/archive/2006/01/10/511330.aspx for more details.
The return code 0xd denotes OS error 0xd (13), which translates to "The data is invalid".
The above error 17182 "TDSSNIClient initialization failed with error 0xd, status code 0x38" occurs specifically because the string in the Certificate value cannot be properly converted back to a valid certificate thumbprint.
Note: This GUI issue with the Certificates snap-in does not occur on older versions of Windows (e.g. Windows XP, Windows Server 2003), as they do not use a rich edit control in the Certificates snap-in.
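The condition described above, a Certificate string that is not a clean 40-digit hex thumbprint, can also be checked with a script. The following PowerShell is an added example, not part of the Microsoft article; the function name Test-SqlCertThumbprint and the U+200E character in the sample are assumptions chosen for illustration.

```powershell
# Added example (not from the KB article). Reports every character in a
# thumbprint string that is not a hex digit, with its position and code point.
function Test-SqlCertThumbprint {
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string]$Value
    )

    $bad = @()
    $hex = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $Value.Length; $i++) {
        $c = $Value[$i]
        if ([string]$c -match '^[0-9A-Fa-f]$') {
            [void]$hex.Append($c)
        } else {
            # Invisible characters, spaces and '?' placeholders all land here.
            $bad += [pscustomobject]@{
                Index     = $i
                CodePoint = 'U+{0:X4}' -f [int]$c
            }
        }
    }

    [pscustomobject]@{
        # A SHA-1 thumbprint is exactly 40 hex digits.
        IsValid  = ($bad.Count -eq 0 -and $Value.Length -eq 40)
        Length   = $Value.Length
        BadChars = $bad
        HexOnly  = $hex.ToString().ToLowerInvariant()
    }
}

# Constructed sample: the article's example thumbprint with an invisible
# character prepended (U+200E is an assumption, not taken from the article).
$sample = [string][char]0x200E + 'e7024b42c404fd448cec21f191765cb7c3ad1d55'
$result = Test-SqlCertThumbprint -Value $sample
'IsValid={0} Length={1} HexOnly={2}' -f $result.IsValid, $result.Length, $result.HexOnly
$result.BadChars | ForEach-Object { 'bad char at index {0}: {1}' -f $_.Index, $_.CodePoint }

# Against a live instance (replace <instance> with the real instance ID):
# $key = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\<instance>\MSSQLServer\SuperSocketNetLib'
# Test-SqlCertThumbprint -Value (Get-ItemProperty -LiteralPath $key).Certificate
```

The HexOnly field is the value with everything except hex digits stripped, so it can also be used to turn the spaced "Cert Hash(sha1)" output of certutil into the form the registry value expects.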
To check whether you are running into the issue documented in this article, you can use the following procedure:
1. Open regedit, navigate to the following registry key, and export the key to an SSLKey.reg file:
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\<instance>\MSSQLServer\SuperSocketNetLib
2. Open the SSLKey.reg file from Step 1 in Notepad. In the Save As dialog box on the File menu, click ANSI in the Encoding list, and then click Save. If you get the warning below, proceed to Step 3 by clicking OK.
"This file contains characters in Unicode format which will be lost if you save this file as an ANSI encoded text file. To keep the Unicode information, click Cancel below and then select one of the Unicode options from the Encoding drop down list. Continue?"
3. Close the SSLKey.reg file and re-open it using Notepad.
4. If you now see a question mark or any other invalid character in the thumbprint of your certificate, it is an indication that you are probably running into the issue documented in this article.
An example entry may look similar to the following:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\SuperSocketNetLib]
"Certificate"="?b009d02038431da332f095b4ea6a126f4f5c7d18"
Note: This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use (http://go.microsoft.com/fwlink/?LinkId=151500) for other considerations.
APPLIES TO
- Microsoft SQL Server 2005 Enterprise Edition
- Microsoft SQL Server 2005 Developer Edition
- Microsoft SQL Server 2005 Standard Edition
- Microsoft SQL Server 2005 Workgroup Edition
- Microsoft SQL Server 2008 Developer
- Microsoft SQL Server 2008 Enterprise
- Microsoft SQL Server 2008 R2 Datacenter
- Microsoft SQL Server 2008 R2 Developer
- Microsoft SQL Server 2008 R2 Enterprise
- Microsoft SQL Server 2008 R2 Standard
- Microsoft SQL Server 2008 Standard
- Microsoft SQL Server 2008 Web
- Microsoft SQL Server 2008 Workgroup