This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 51%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJL%3C/text%3E%3C/svg%3E)
We noticed these events in Event viewer:
Log Name: Application
Source: Microsoft-SharePoint Products-SharePoint Foundation
Date: 28.8.2022 15.56.52
Event ID: 3760
Task Category: Database
Level: Critical
Keywords:
User: DOMAIN\SPServiceAppPoolAccount
Computer: frontendserver.domain.com
Description:
SQL Database 'Content_MySite_59' on SQL Server instance 'SPSQL' not found. Additional error information from SQL Server is included below.
Cannot open database "Content_MySite_59" requested by the login. The login failed.
Login failed for user 'DOMAIN\SPServiceAppPoolAccount'.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" />
<EventID>3760</EventID>
<Version>16</Version>
<Level>1</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x2000000000000000</Keywords>
<TimeCreated SystemTime="2022-08-28T12:56:52.931813100Z" />
<EventRecordID>1236246</EventRecordID>
<Correlation ActivityID="{366B5FA0-4763-609E-6C4E-432F1FB6E0D6}" />
<Execution ProcessID="8212" ThreadID="8268" />
<Channel>Application</Channel>
<Computer>frontendserver.domain.com</Computer>
<Security UserID="S-1-5-21-3521595049-301303566-333748410-24594" />
</System>
<EventData>
<Data Name="string0">Content_MySite_59</Data>
<Data Name="string1">SPSQL</Data>
<Data Name="string2">Cannot open database "Content_MySite_59" requested by the login. The login failed.
Login failed for user 'DOMAIN\SPServiceAppPoolAccount'.</Data>
</EventData>
</Event>
So the Service Application pool account DOMAIN\SPServiceAppPoolAccount is trying to open MySite content database Content_MySite_59, but fails because the account doesn't have permissions. Service App pool account should have SPDataAccess role for that database to login successfully.
MS documentation says:
SharePoint Service Application Pool account
The following SQL Server and database permissions are configured automatically:
This account must have read and write access to the associated service application database. Not sure how to confirm this, but I can tell that Service Application pool account has SPDataAccess role in all the associated SA databases where it is available in User Mapping list (+ SharePoint_Shell_Access role in Admin and Config databases)
This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role that is associated with the farm configuration database. OK
This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role that is associated with the SharePoint_Admin content database. OK
I found a similar case from SP2010: https://social.msdn.microsoft.com/Forums/en-US/cde6c88f-2204-4884-9dce-0f82effd02f4/service-app-pool-account-and-content-database-access?forum=sharepointgeneralprevious
I think this is exactly the same situation happening in our client's SP2016 farm. I also made a test farm (SPSE) and it is happening there also. Service application pool account not getting SPDataAccess role automatically to content databases.
I also tried to create a new database with the -DatabaseAccessCredentials parameter:
$Credential = Get-Credential
New-SPContentDatabase "SharePoint_CDB4" -DatabaseServer "SPSE" -WebApplication http://sharepoint.domain.com -DatabaseAccessCredentials $Credential
That didn't add the SPDataAccess role to the Service application pool account for "SharePoint_CDB4" either.
So the only thing that works is to grant SPShellAccess role to the Service application pool account for all content databases, but that seems to be overkill since it more permissions than is needed.
Hi anonymous user ,
Thank you for your question. We will give you an update as soon as possible. Thank you for your understanding and support.
Any news?
Hi anonymous user ,
I am not able to reproduce this issue. In this scenario, I would suggest you open a ticket with Microsoft for further help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Before I open a ticket, could you confirm that this scenario does not happen in your farm: 1. Create new content database. 2. Open SQL Management Studio 3. Navigate to Security > Logins > DOMAIN\ServiceAppPoolAccount <- right click and select Properties 4. Select User Mapping-tab and see if the content databases have a checkbox filled a) If no: You have reproduced the issue. B) If yes: See if the SPDataAccess role checkbox is filled in the "Database role membership"-list below. Here is a screenshot from my farm where content databases highlighted with yellow does not get that SPDataAccess role assigned automatically upon creation. The content database highlighted with green has SPShellAccess role granted for DOMAIN\svc-SPSVC account so thats the only content database that has SPDataAccess role assigned. I just want to be sure that you cannot reproduce this exact scenario, because I cannot understand what I am doing wrong since I've built this farm basically by this book: https://www.amazon.com/Deploying-SharePoint-2019-Configuring-Premises/dp/1484245253 ![244195-spdbpermissionissue.jpg][1] [1]: /api/attachments/244195-spdbpermissionissue.jpg?platform=QnA
I also created manually new database with the -DatabaseAccessCredentials parameter and afterwards looked from ULS logs anything that would indicate that it even tries to add that SPDataAccess role for the DOMAIN\ServiceAppPoolAccount:
$Credential = Get-Credential
New-SPContentDatabase "SharePoint_CDB6" -DatabaseServer "SPSE" -WebApplication http://sharepoint.domain.com -DatabaseAccessCredentials $Credential
In ULS logs I only found lines where it adds that role for the farm account and the web application pool account, but not a single line where it says it even tried to add that role for service application pool account.
Actually now I just realized the "extra" permissions that SPShellAccess adds in addition to the SPDataAccess-role are related to Project Server... am I right? By extra permissions I mean these: - PSDataAccess - PSReportingSchemaAdmin ![245523-image.png][1] In the beginning I thought that "PS" refers to PowerShell, but can you confirm that actually means Project Server? If that is correct then there should be no worries adding ShellAccess rights to Service application pool account since our client does not have Project Server installed. [1]: /api/attachments/245523-image.png?platform=QnA
Ok,
I found from official Project Server installation documents that PSDataAccess and PSReportingSchemaAdmin refers to Project Server and not to "PowerShell". So I don't have to worry about that.
I also found that I don't need to give SPShellAdmin rights to Service App Pool account to grant SPDataAccess role to content dababases, instead I can run this:
$WA = Get-SPWebApplication http://sharepoint.domain.com/
$WA.GrantAccessToProcessIdentity(“DOMAIN\ServiceAppPoolAccount”)
...which gives Full Control permission to the above webapplication and also adds these roles to all databases belonging to the above webapplication:
That command has to be ran everytime new databases are created, but that's not a problem.
You can mark this question answered.