March 6, 2013 at 3:42 pm
ddg8885 (10/20/2010)
I searched the error for a while and saw a lot of things about certificates differing between msdb and master. But I checked the certificates and they were identical.I compared my server to others, and noticed that the ##MS_AgentSigningCertificate## user was missing from the master database. Running the following query worked for me:
USE MASTER
CREATE USER [##MS_AgentSigningCertificate##] FOR LOGIN [##MS_AgentSigningCertificate##]
GO
GRANT EXECUTE TO [##MS_AgentSigningCertificate##]
go
I know this is old but wanted to thank you for posting a solution. I think I had a few things going on. Here is what I did:
1. (forgot to mention) First I followed the steps in KB article http://support.microsoft.com/kb/2000274
2. Added ##MS_AgentSigningCertificate## to master and granted EXEC
3. I also had a disabled guest User account in msdb so had to also issue this:
USE msdb;
GRANT CONNECT TO guest;
After that database listings and Agent Job listings started working in Object Explorer.
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
May 6, 2013 at 4:59 pm
Tony Fountain (10/9/2009)
Ok, for what it's worth... I found out I can simply rerun the latest service pack exe and it will also correct this problem... go figure - so much simpler!
Tony,
How did you rerun the service pack? Don't you get "no update" error?
January 10, 2018 at 8:02 am
--https://support.microsoft.com/de-de/help/2000274/how-to-fix-permission-issues-when-moving-msdb-database-between-different-instances
--
use msdb
go
-- Backup the Agent certificate from the remote server to a file
BACKUP CERTIFICATE [##MS_AgentSigningCertificate##] TO FILE = 'd:\ServerInstall\MS_AgentSigningCertificate.remote_server.cer'
go
use master
go
-- re-create the agent certificate on master
-- Note: Because we are making these changes using a regular user and not as part of setup, the name
-- cannot include the ## token.
-- Creating a regular certificate in this case should be the equivalent as we only need it to derive a SID
CREATE CERTIFICATE [MS_AgentSigningCertificate.remote_server] FROM FILE = 'd:\Serverinstall\MS_AgentSigningCertificate.remote_server.cer'
go
-- Recreate the user mapped to the cert and grant the same permissions that the regular certificate needs.
CREATE USER [MS_AgentSigningCertificate.remote_server] FROM CERTIFICATE [MS_AgentSigningCertificate.remote_server]
go
GRANT EXECUTE TO [MS_AgentSigningCertificate.remote_server]
go
May 21, 2021 at 4:53 pm
I'm using a Azure SQL managed instance so couldn't tinker with the certs even though they looked different.
I was granting permissions to an AD group but got around this error by creating an individual login for the user in question (yes not ideal but I only have 1 user who needs this permission) and granted the following:
USE [master]
GO
CREATE USER [user@yourdomain.com] FOR LOGIN [user@yourdomain.com]
go
GRANT EXECUTE ON master.dbo.xp_sqlagent_enum_jobs TO [user@yourdomain.com]
GRANT EXECUTE ON master.dbo.xp_sqlagent_is_starting TO [user@yourdomain.com]
GRANT EXECUTE ON master.dbo.xp_sqlagent_notify TO [user@yourdomain.com]
GRANT EXECUTE ON master.dbo.sp_helplogins TO [user@yourdomain.com]
GO
USE [msdb]
go
CREATE USER [user@yourdomain.com] FOR LOGIN [user@yourdomain.com]
GO
ALTER ROLE [SQLAgentOperatorRole] ADD MEMBER [user@yourdomain.com]
ALTER ROLE [SQLAgentReaderRole] ADD MEMBER [user@yourdomain.com]
ALTER ROLE [SQLAgentUserRole] ADD MEMBER [user@yourdomain.com]
ALTER ROLE [db_datareader] ADD MEMBER [user@yourdomain.com]--may not be needed
ALTER ROLE [db_datawriter] ADD MEMBER [user@yourdomain.com]--may not be needed
GO
Viewing 4 posts - 16 through 18 (of 18 total)
You must be logged in to reply to this topic. Login to reply
This website stores cookies on your computer.
These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media.
To find out more about the cookies we use, see our Privacy Policy