This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 83%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEE%3C/text%3E%3C/svg%3E)
Hello,
SQL Edition and version : 2016 & ENT
Windows Edition : win 2019
we are stuck at an specific issue where by the Replication log reader agent job that tries to run the replication snapshot agent is failing with below error
we are using dedicated windows service accounts to configure the replication & the accounts used are provided with SYSADMIN rights on the database in addition to db_owner rights on Publisher and distribution database
Executed as user: ENT\XXXXXXX. A required privilege is not held by the client. The step failed.
since sysadmin is the super user rights we aren't certain if this is still an database privilege issue that stalls or since we are using windows 2019 /SQL 2016 advanced versions if there are any thing in additional to be provided on privilege area
Tried several blogs to find an solution but we are stumped we have given this application windows account the rights on local security policy for "Replace an process level token" , tried to run the SQL service under local system account and make it run under the windows service account and all to no avail its not working, limelight is the snapshot gets working when run under the SQL agent service windows account , other than the sysadmin rights for this SQL agent account the only difference we see is the SQL agent account has been added under local security policy
Allow log on locally
Lock pages in memory
Log on as a service
Perform Volume maintenance tasks
Ensured with systems engineer that application windows service account also has rights to Read and Write access to the Snapshot folder
& this same application service account is able to work well with same level of rights on DB on SQL2014/Windows 2012R2 DB server.
Command used :
-Publisher [XXXXXX] -PublisherDB [XXXXX] -Distributor [XXXXX] -DistributorSecurityMode 1 -Continuous -EncryptionLevel 1
as per msdn we see as in below so feel this couldnt be an TLS issue as the same command works when run under SQL agent service account but not under this application service account
Specifies that TLS is used, but the agent does not verify that the TLS/SSL server certificate is signed by a trusted issuer.
Let me know what we are missing any help would be valuable
Regards and Wishes
Eben
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 2%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESX%3C/text%3E%3C/svg%3E)
Hi @Eben Earnest ,
We have not received a response from you. Did the reply could help you? If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress. By doing so, it will benefit all community members who are having this similar issue. Your contribution is highly appreciated.
Best regards,
Seeya
Just to add the credentials and the proxy are all set for the application account perfect & the SQL agent job also lists the proxy created on drop down too.. xp_cmd shell is also enabled
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 1%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETP%3C/text%3E%3C/svg%3E)
That error is a SQL Agent error, not really related to replication.
The error is always related to rights of the SQL Agent service account, or the proxy not being setup correctly.
If you are running proxy accounts, you must setup proxy for all the "Replication" proxies for this to work properly.
Hi Tom,
]
The job works when its made to run under the SQL agent service account but fails to run under the dedicated application service account that is expected to run the snapshot agent
Also the proxy are all enabled for the dedicated application service account when run below query & verified
SELECT * FROM msdb.dbo.sysproxies
Requirement is for the dedicated application service account that has the credential and proxy to manage replication and the dedicated SQL agent service account would be with DBA and its credentials would not be divulged.
Also both application service account and SQL agent service account have been added on sec policy "Replace a Process Level Token"
What has to be done more or any scripts to check any loop holes that i have in my proxies etc
Hi @Eben Earnest ,
This problem occurs because the Windows Service Control Manager cannot grant the required permissions to run agent jobs to the new domain account.
To resolve the problem, follow these steps:
-Set the SQL Server Agent service account in SQL Server Configuration Manager to the LocalSystem account.
-Stop and then start the SQL Server Agent service.
-Reset the SQL Server Agent service account in SQL Server Configuration Manager back to the original account.
-Stop and then start the SQL Server Agent service.
You can also reset the password of the SQL Server Agent service account in SQL Server Configuration Manager.
For more information, please see
SQL Server Agent jobs may fail after you change the SQL Server Agent service startup account by using the Windows Service Control Manager.
Best regards,
Seeya
If the response is helpful, please click "Accept Answer" and upvote it, as this could help other community members looking for similar queries.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.