Score:1

Can't find NT SERVICE\MSSQLSERVER to give it Read privs on a cert


I've got SQL Server 2016 happily running under the default account NT SERVICE\MSSQLSERVER. Now, though, I need to give that pseudo-account read priv on a newly installed SSL Certificate.

The pseudo-account exists here:

Windows knows about it here...

But is not findable by the Add User dialog box in mmc when managing the cert:

but not here.

Is there a way to find it, or must I run SQL Server using an actual user account in this case?

Score:1

Use the correct per-service SID to grant permissions and rights:

  • NT SERVICE\MSSQLSERVER
  • NT SERVICE\SQLSERVERAGENT

More information can be found here: https://learn.microsoft.com/en-us/sql/relational-databases/security/using-service-sids-to-grant-permissions-to-services-in-sql-server?view=sql-server-ver16

RonJohn
Maybe I misunderstand something, but my problem is with `mmc`, not SQL Server.
Jevgenij Martynenko
Try putting `NT SERVICE\MSSQLSERVER` into the "Object name" field. As per your screenshot, you currently specified `MSSQLSERVER`.
RonJohn
`NT SERVICE\MSSQLSERVER` was the first thing I tried. Plain old `MSSQLSERVER` was the second...
Manu
I can confirm J-M's solution, which works on my 14.0.2047.8 standard edition.
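
An added example, not part of the original answer or comments: a PowerShell script that grants the per-service SID read access on the certificate's private key file directly, so the mmc account picker is not involved. It assumes an elevated session on the SQL Server host, a certificate with an RSA key in `LocalMachine\My`, and a placeholder thumbprint that you replace with your own.

```powershell
# Added example: grant NT SERVICE\MSSQLSERVER read access to a certificate's private key.
$thumbprint = '<CERT-THUMBPRINT>'        # placeholder: thumbprint of the installed certificate
$account    = 'NT SERVICE\MSSQLSERVER'   # per-service SID name from the question

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert)               { throw "Certificate $thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key on this machine" }

# Resolve the service name to its SID first; this fails early if the name is wrong.
$sid = ([System.Security.Principal.NTAccount]$account).Translate(
        [System.Security.Principal.SecurityIdentifier])

# Find the key container name. CNG keys and legacy CSP keys expose it differently.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}

# Machine key files live in one of these two folders depending on the provider.
$keyFile = 'Microsoft\Crypto\Keys', 'Microsoft\Crypto\RSA\MachineKeys' |
    ForEach-Object { Join-Path (Join-Path $env:ProgramData $_) $keyName } |
    Where-Object   { Test-Path -LiteralPath $_ } |
    Select-Object -First 1
if (-not $keyFile) { throw "Key file $keyName not found under $env:ProgramData\Microsoft\Crypto" }

# Add a read-only allow entry for the service SID; existing entries are kept.
$acl  = Get-Acl -LiteralPath $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $keyFile -AclObject $acl

# Show the resulting entry so the grant can be confirmed.
(Get-Acl -LiteralPath $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $account } |
    Format-List IdentityReference, FileSystemRights, AccessControlType
```

Granting only `Read` keeps the service account from modifying or deleting the key file.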