We'd like to make use of virtual accounts (https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd548356(v=ws.10)?redirectedfrom=MSDN#using-virtual-accounts) to run some of our applications on our own servers.

It seems easy enough to do, however: some of our applications need access to certain certificates in order to communicate with other (remote) services.

I've tried installing certificates to the user store for a virtual account, and I've also tried granting private key access to a cert in the local machine account, both of which seem to have failed.

Is what I'm trying to do impossible?

Richiban

1 Answer


You need to install the certificates in the machine store, and then give permissions to the virtual accounts to use them.

Example for SQL Server (running as NT Service\MSSQLSERVER):

[Two screenshots]

Massimo
  • Thanks Massimo, but this doesn't work for me... I get `An object named "NT Service\MSSQLSERVER" cannot be found. Check the selected object types and location for accuracy and ensure that you typed the object name correctly, or remove this object from the selection.`. I can see my SQL service running as `NT Service\MSSQLSERVER` the same way you can. – Richiban Jul 08 '20 at 16:33
  • When adding the permission, make sure you look for users and groups in the local computer, not in the domain; if the machine is domain joined, the domain is selected by default. – Massimo Jul 08 '20 at 17:04
  • Also, prior to Windows Server 2016, you need to explicitly select "service accounts" as the object type. – Massimo Jul 08 '20 at 17:12
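
A scripted form of the answer's step of giving a virtual account permission to use a machine-store certificate, as an added example that is not part of the original answer or comments. It assumes an RSA key stored as a file on disk and an elevated session; the function name `Grant-CertPrivateKeyRead` and the thumbprint placeholder are hypothetical.

```powershell
# Added example: function name and thumbprint placeholder are hypothetical.
function Grant-CertPrivateKeyRead {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $Account      # e.g. 'NT Service\MSSQLSERVER'
    )

    # Resolve the account to a SID first; this fails early if the name is wrong
    # or the service (and so its virtual account) does not exist on this machine.
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier])

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key." }

    # Find the key container's file name (CNG and legacy CSP keys expose it differently).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyName = $rsa.Key.UniqueName
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    } else {
        throw 'Unsupported or missing RSA private key.'
    }

    # Machine keys live in one of these two directories.
    $keyFile = @(
        "$env:ProgramData\Microsoft\Crypto\Keys",
        "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys"
    ) | ForEach-Object { Join-Path $_ $keyName } | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $keyFile) { throw "Key file for $keyName not found (key may not be file-backed)." }

    # Grant read only; the service needs to use the key, not manage it.
    $acl  = Get-Acl -Path $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl

    # Return the resulting entries for this account so the change can be verified.
    (Get-Acl -Path $keyFile).Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid.Value
    }
}

Grant-CertPrivateKeyRead -Thumbprint '<CERT_THUMBPRINT>' -Account 'NT Service\MSSQLSERVER'
```

Because the account name is resolved on the local machine through `NTAccount.Translate`, the script does not depend on the object picker's location or object-type selection mentioned in the comments.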