SQL Server 2005 Agent not starting in a SQL 2005 failover cluster?


Consider the following scenario:
  • You configure a Microsoft SQL Server 2005 failover cluster to use "Kerberos constrained delegation" for a domain user account. Note: Using "Kerberos constrained delegation" means that you select the "Trust this user for delegation to specified services only" option for the user.
  • The domain user account does not have domain administrator permissions.
  • Both the SQL Server service and the SQL Server Agent service are running under the domain user account.
  • You applied SQL Server 2005 Service Pack 2 (SP2) Cumulative Update 3 or later cumulative updates.
In this scenario, you may be unable to start the SQL Server Agent, and one of the following sets of messages is written to the SQL Server Agent error log:
Error message 1
! [298] SQLServer Error: 22022, CryptUnprotectData() returned error -2146892987, 'The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation.' [SQLSTATE 42000]
! [442] ConnConnectAndSetCryptoForXpstar failed (0).
? [098] SQLServerAgent terminated (normally)
Error message 2
! [298] SQLServer Error: 22022, CryptUnprotectData() returned error -2146893813, 'Key not valid for use in specified state.' [SQLSTATE 42000]
! [442] ConnConnectAndSetCryptoForXpstar failed (0).
? [098] SQLServerAgent terminated (normally)
CryptUnprotectData() is the DPAPI decryption call. The two error codes are HRESULTs: -2146892987 is 0x80090345 (the delegation-required error quoted in the message) and -2146893813 is 0x8009000B (bad key state). Decrypting data protected under a domain account's DPAPI master key can require the account to reach the domain controller's protected storage service, which is why the workaround below delegates the cluster nodes to the cifs and protectedstorage services on the domain controllers.

RESOLUTION

This problem is fixed in Cumulative Update package 9 for SQL Server 2005 Service Pack 2. For details, see Microsoft Knowledge Base article 953752 (http://support.microsoft.com/kb/953752/LN/ ) Cumulative update package 9 for SQL Server 2005 Service Pack 2.

WORKAROUND

In Windows Server 2003, to use constrained delegation in a clustered server environment for SQL Server 2005 with Cumulative Update 3 or a later cumulative update up to Cumulative Update 9 installed, follow these steps:
  1. Make sure that the Active Directory domain functional level is set to Windows Server 2003. To verify this setting, open the Active Directory Users and Computers Microsoft Management Console (MMC), right-click the domain node, and then click Properties. Note: If the Domain functional level field does not display Windows Server 2003, you cannot use constrained delegation and this method does not apply; the Delegation tab that is mentioned below is not available.
  2. Use the SETSPN utility to create Service Principal Names (SPNs) for the MSSQLSvc service according to the directions in step 3 of the SQL Server Books Online "How to: Enable Kerberos Authentication on a SQL Server Failover Cluster" topic. The SPNs are registered on the domain user account that the SQL Server service runs under, and NETBIOSName and FQDN are the names of the SQL Server virtual server (the Network Name resource), not the names of the individual cluster nodes. You must perform this operation for all four SPN combinations. These combinations are as follows:
    • MSSQLSvc/NETBIOSName
    • MSSQLSvc/FQDN
    • MSSQLSvc/NETBIOSName:Port
    • MSSQLSvc/FQDN:Port
    For more information about how to obtain the SETSPN utility, click the following article number to view the article in the Microsoft Knowledge Base: 926027 (http://support.microsoft.com/kb/926027/ ) Updates to the Windows Server 2003 Support Tools are included in Windows Server 2003 Service Pack 2
  3. Set delegation for the SQL Server 2005 service account. To do this, follow these steps:
    • Open the Active Directory Users and Computers MMC.
    • Locate the user account object that the SQL Server service runs under, right-click the user account, and then click Properties.
    • In the Properties dialog box, click the Delegation tab.
    • Select the Trust this user for delegation to specified services only radio button.
    • Select either the Use Kerberos only radio button or the Use any authentication protocol radio button. Use Kerberos only is the narrower setting; Use any authentication protocol also enables protocol transition.
    • Click Add.
    • In the Add Services dialog box, click Users or Computers.
    • In the Select Users or Computers dialog box, type the user account that the SQL Server service is running under in the Object Name box, and then click OK. Note: This is the account on which you registered the SPNs in step 2.
    • Click Select All, and then click OK in the Add Services dialog box.
    • In the Properties dialog box, click OK.
  4. Set delegation for the SQL Server virtual server computer account. This account corresponds to the Network Name resource in the SQL Server cluster resource group. To do this, follow these steps:
    • Open the Active Directory Users and Computers MMC.
    • Locate the computer account object for the SQL Server virtual server, right-click the computer account, and then click Properties.
    • In the Properties dialog box, click the Delegation tab.
    • Select the Trust this computer for delegation to specified services only radio button.
    • Select either the Use Kerberos only radio button or the Use any authentication protocol radio button.
    • Click Add.
    • In the Add Services dialog box, click Users or Computers.
    • In the Select Users or Computers dialog box, type the user account that the SQL Server service is running under in the Object Name box, and then click OK. Note: This is the account on which you registered the SPNs in step 2.
    • Click Select All, and then click OK in the Add Services dialog box.
    • In the Properties dialog box, click OK.
  5. Set delegation for each of the cluster node computer accounts in the cluster. To do this, follow these steps for every node:
    • Open the Active Directory Users and Computers MMC.
    • Locate the computer account object for one of the cluster nodes, right-click the account, and then click Properties.
    • In the Properties dialog box, click the Delegation tab.
    • Select the Trust this computer for delegation to specified services only radio button.
    • Select the Use any authentication protocol radio button. This setting (protocol transition) is required for the nodes; keep the list of services that follows limited to exactly the two services named below.
    • Click Add.
    • In the Add Services dialog box, click Users or Computers.
    • In the Select Users or Computers dialog box, type the machine accounts for all the domain controllers in this domain, separated by semicolons, in the Object Name box, and then click OK.
    • In the list of available services, select the cifs service and the protectedstorage service for every domain controller that you entered in the previous step, and then click OK in the Add Services dialog box.
    • In the Properties dialog box, click OK.
  6. Restart all cluster nodes.
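The following PowerShell script is an added example, not part of the Knowledge Base article or of this post: it automates steps 2 to 5 above in one place, so that the SPNs and the delegation lists on all of the accounts can be set and reviewed consistently. Every name in it (the virtual server SQLCLUST01, the corp.example domain, the sqlsvc account, the node and domain controller names, the distinguished names) is a placeholder that you must replace; it assumes setspn.exe from the Windows Server 2003 Support Tools (KB 926027) is on the PATH and that it runs as an account allowed to write SPNs and the delegation attributes of the objects it touches. It uses ADSI rather than an Active Directory module because nothing else is available on Windows Server 2003.

```powershell
# Added example (not the KB article's or the blog author's code). All names are placeholders.
# setspn.exe is the Windows Server 2003 Support Tools version: -A adds an SPN, -L lists them.

$sqlVirtualName = 'SQLCLUST01'                  # Network Name resource of the SQL Server group (assumed)
$sqlFqdn        = 'SQLCLUST01.corp.example'     # assumed
$sqlPort        = 1433
$svcAccount     = 'CORP\sqlsvc'                 # account SQL Server and SQL Server Agent run as (assumed)
$svcAccountDn   = 'CN=sqlsvc,OU=Service Accounts,DC=corp,DC=example'
$virtualCompDn  = 'CN=SQLCLUST01,CN=Computers,DC=corp,DC=example'
$nodeDns        = @('CN=NODE1,CN=Computers,DC=corp,DC=example',
                    'CN=NODE2,CN=Computers,DC=corp,DC=example')
$domainControllers = @('DC1.corp.example', 'DC2.corp.example')

# Step 2: the four MSSQLSvc SPN combinations, all registered on the service account.
$spns = @("MSSQLSvc/$sqlVirtualName",
          "MSSQLSvc/$sqlFqdn",
          "MSSQLSvc/${sqlVirtualName}:$sqlPort",
          "MSSQLSvc/${sqlFqdn}:$sqlPort")
foreach ($spn in $spns) { & setspn.exe -A $spn $svcAccount }
& setspn.exe -L $svcAccount                     # verify what is now registered on the account

# userAccountControl bits and the ADSI PutEx operation code used below.
$TRUSTED_FOR_DELEGATION         = 0x80000       # unconstrained ("any service") delegation: deliberately cleared
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000     # "Use any authentication protocol" (protocol transition)
$ADS_PROPERTY_APPEND            = 3

function Set-ConstrainedDelegation {
    param([string]$Dn, [string[]]$AllowedTo, [switch]$AnyProtocol)
    $obj = [ADSI]"LDAP://$Dn"
    # msDS-AllowedToDelegateTo is the list behind "Trust this user/computer for delegation to
    # specified services only". Only values not already present are appended, because appending
    # a duplicate fails with a constraint violation and would stop a re-run of the script.
    $current = @($obj.'msDS-AllowedToDelegateTo' | ForEach-Object { "$_" })
    $new = @($AllowedTo | Where-Object { $current -notcontains $_ })
    if ($new.Count -gt 0) { $obj.PutEx($ADS_PROPERTY_APPEND, 'msDS-AllowedToDelegateTo', $new) }
    $uac = [int]$obj.userAccountControl.Value
    $uac = $uac -band (-bnot $TRUSTED_FOR_DELEGATION)          # never leave unconstrained delegation on
    if ($AnyProtocol) { $uac = $uac -bor  $TRUSTED_TO_AUTH_FOR_DELEGATION }
    else              { $uac = $uac -band (-bnot $TRUSTED_TO_AUTH_FOR_DELEGATION) }
    $obj.Put('userAccountControl', $uac)
    $obj.SetInfo()
    # Echo the resulting list so the change can be reviewed before the nodes are restarted.
    "$Dn -> " + (@($obj.'msDS-AllowedToDelegateTo' | ForEach-Object { "$_" }) -join ', ')
}

# Steps 3 and 4: the service account and the virtual server's computer account may delegate to the
# service account's MSSQLSvc SPNs ("Select All"). "Use Kerberos only" is chosen here because the
# article allows either option and it is the narrower one, so protocol transition stays off.
Set-ConstrainedDelegation -Dn $svcAccountDn  -AllowedTo $spns
Set-ConstrainedDelegation -Dn $virtualCompDn -AllowedTo $spns

# Step 5: each cluster node may delegate to cifs and protectedstorage on every domain controller,
# with "Use any authentication protocol", as the article requires for the nodes.
$dcServices = @($domainControllers | ForEach-Object { "cifs/$_"; "protectedstorage/$_" })
foreach ($nodeDn in $nodeDns) {
    Set-ConstrainedDelegation -Dn $nodeDn -AllowedTo $dcServices -AnyProtocol
}
# Step 6 (restart all cluster nodes) is done from the cluster administrator once the changes have replicated.
```

Two points are worth checking after running it. First, run setspn -L against every account in the domain that might carry the same MSSQLSvc names; a duplicate SPN on a second account breaks Kerberos for the instance regardless of the delegation settings. Second, the TRUSTED_TO_AUTH_FOR_DELEGATION bit set on the node accounts lets those computers obtain service tickets for any user to the listed services without that user authenticating with Kerberos, so the list on the nodes should contain exactly the cifs and protectedstorage entries for the domain controllers and nothing else; the function clears the unconstrained-delegation bit for the same reason.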
Hope this was useful.
Thanks
Huzeifa Bhai
