Can't find NT SERVICE\MSSQLSERVER to give it Read privs on a cert

Question

I've got SQL Server 2016 happily running under the default account NT SERVICE\MSSQLSERVER. Now, though, I need to give that pseudo-account read priv on a newly installed SSL Certificate.

The pseudo-account exists here:

But is not findable by the Add User dialog box in mmc when managing the cert:

Is there a way to find it, or must I run SQL Server using an actual user account in this case?

score 1 · Answer 1 · answered Nov 21 '22 at 23:58

1

Use correct per-service SID to grant permissions and rights:

NT SERVICE\MSSQLSERVER
NT SERVICE\SQLSERVERAGENT

More information can be found here: https://learn.microsoft.com/en-us/sql/relational-databases/security/using-service-sids-to-grant-permissions-to-services-in-sql-server?view=sql-server-ver16

answered Nov 21 '22 at 23:58

J-M

1,930
1
11
17

Maybe I misunderstand something, but my problem is with `mmc`, not SQL Server. – RonJohn Nov 22 '22 at 16:09
Try putting `NT SERVICE\MSSQLSERVER` into "Object name" field. As per your screenshot you currently specified `MSSQLSERVER` – J-M Nov 22 '22 at 16:17
`NT SERVICE\MSSQLSERVER` was the first thing I tried. Plain old `MSSQLSERVER` was the second... – RonJohn Nov 22 '22 at 16:58
I can confirm J-Ms solution, which works on my 14.0.2047.8 standard edition. – Manu May 15 '23 at 11:35

Can't find NT SERVICE\MSSQLSERVER to give it Read privs on a cert

1 Answers1