Sql-server – No permissions to the certificate file when trying to restore a DB from a third party

permissionsrestoresql server

I am trying to restore a Db in SQL server 16. It is a developer version installed on windows 10 laptop. We have a backup file from a SaaS instance. We have moved to a new instance of the SaaS and this is our archive from the first instance. This is strictly for archiving purposes. That said, the only was to read this of course is with SQL Server.

Script:

use master ;
 -- drop master key encryption by password ='somepassword';

-- create   master key encryption by password ='somepassword';

create certificate BULLHORN14852_45764 from file 
    = 'C:\Program Files\Microsoft SQL Server\MSSQL13.LEVVEL\MSSQLBULLHORN14852_45764.cer'
with private key 
  (file='C:\Program Files\Microsoft SQL Server\MSSQL13.LEVVEL\MSSQLBULLHORN14852_45764.pvk',
decryption by password = 'somepassword')

I was able to create the master key encryption no problem. When I run the create certificate command I get the famous

"The certificate, asymmetric key, or private key file is not valid or does not exist; or you do not have permissions for it."

I am connected as the local administrator on windows. I have also granted permissions on the folders and the files.

NETWORK SERVICE account does have permission to the folder and the cert, pvk files.

When I look at the services and what the Logon as is I see the following.

SQL Server (LEVVEL) - logon as NT Service\MSSQL$LEVVEL

SQL Server (MSSQLSERVER) - logon as NT Service\MSSQLSERVER


SQL Server Agent (LEVVEL) - logon as NT Service\SQLAgent$LEVVEL

SQL Server Agent (MSSQLSERVER) - logon as NT Service\SQLSERVERAGENT

The granted permissions on the folder (and files ) are: NETWORK SERVICE and MSSQL$LEVEL. I can't find any user names starting with SQL or MSS or NT in order to add other users to the permissions.

I am not sure what I am missing.

I've been reading that these permissions above are not enough. I haven't administered a SQL DB in 15 years so I need some guidance. Any help would be greatly appreciated!

Rob.

Best Answer

It seems you have two SQL Server instances installed. LEVVEL and a default instance. Which one are we talking about? I.e., which one are you connected to?

Anyhow, both services uses a virtual service account, so privileges assigned to NETWORK SERVICE is irrelevant.

For the default instance, you should assign privileges to NT Service\MSSQLSERVER.

The the LEVVEL, you should assign privileges to NT Service\MSSQL$LEVVEL.

When you assign privileges, you need to type the above account name.

Related Solutions

Sql-server – What do I need to restore an encrypted MSSQL database

To put it simply, your mistake is in step 5. You need to backup the private key with the certificate. You will need to secure the password so you can use it to restore the certificate on the destination server.

It would be helpful for you to concentrate on learning more about the encryption hierarchy. The private key of the TDE certificate is the only key that can decrypt the database master key, and the DMK is a symmetric key that directly encrypts and decrypts pages in the TDE enabled database.

BACKUP CERTIFICATE mycert TO FILE = 'Path_to_file.cer'  
    WITH PRIVATE KEY ( FILE = 'path_to_file.pvk' ,   
    ENCRYPTION BY PASSWORD = 'password to encrypt the file path_to_file.pvk' );  
GO

SQL Server – Can’t Create Database on Volume Mounted as Folder (Error Msg 5123 & 1802)

Creating SQL Server Data files at the root of a volume is problematic, due to permissions issues. I always recommend creating a folder on the root of the volume, then placing data files inside that folder (this is also Microsoft's recommendation). Setting & verifying permissions at the root of the drive does not always work the same as setting permissions at the folder level.

When mounting the volume as a lettered drive, this means your data files would never go directly in D:\ but instead in D:\SomeFolder\. In your case, you are using a mount point where UserDb is the root of the volume. I'd suggest creating an additional folder inside your mount point: D:\...\Data\UserDb\SomeFolder\. Then, set permissions to make sure the SQL Server service account has full control for the SomeFolder directory.

Note that this guidance from Microsoft is still true:

Do not install SQL Server to the root directory of a mount point, always specify a subdirectory for all files. This has to do with how permissions are granted. If you must put files in the root of the mount point you must manually manage the ACLs/permissions.

And also this more explicit advice for database files specifically:

Warning: SQL Server does not support use of mount volume / mount point root directories for SQL Server databases.

Placing files directly in the root of the mount point means you'll have to manage permissions directly on every file to ensure they are correct. In the case of creating a new database (either from backup or from model), this can be problematic. As a result, it is best practice to never put files in the root of the mount point or drive. You can make it work, but it's not supported and not a good idea.

Best Answer

Related Solutions

Sql-server – What do I need to restore an encrypted MSSQL database

SQL Server – Can’t Create Database on Volume Mounted as Folder (Error Msg 5123 & 1802)

Related Question