dotnet · benrr101 · Apr 24, 2025 · Dec 4, 2024 · Dec 4, 2024 · Dec 4, 2024
@@ -195,6 +195,44 @@ steps:
   displayName: 'Setup SQL Alias [Win]'
   condition: ${{parameters.condition }}
 
+- powershell: |
+    # Create Certificate
+    $computerDnsName = [System.Net.Dns]::Resolve($null).HostName
+    $certificate = New-SelfSignedCertificate -DnsName $computerDnsName,localhost -CertStoreLocation cert:\LocalMachine\My -FriendlyName test99 -KeySpec KeyExchange
+
+    # Get path to Private key (used later)
+    $keyPath = $certificate.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
+    $machineKeyPath = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$keyPath"
+
+    # Add certificate to trusted roots
+    $store = new-object System.Security.Cryptography.X509Certificates.X509Store(
+        [System.Security.Cryptography.X509Certificates.StoreName]::Root,
+        "localmachine"
+    )
+
+    $store.open("MaxAllowed") 
+    $store.add($certificate) 
+    $store.close()
+
+    # Get SQL Server instances and add the Certificate
+    $instances = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
+    foreach ($instance in $instances){
+        $instance | ForEach-Object {
+        $_.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS.*' } | ForEach-Object {
+                Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($_.Value)\MSSQLServer\SuperSocketNetLib" -Name Certificate -Value $certificate.Thumbprint.ToLower()
+
+                # Grant read access to Private Key for SQL Service Account
+                if ($($_.Name) -eq "MSSQLSERVER") {
+                    icacls $machineKeyPath /grant "NT Service\MSSQLSERVER:R"
+                } else {
+                    icacls $machineKeyPath /grant "NT Service\MSSQL`$$($_.Name):R"
+                }
-                Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($_.Value)\MSSQLServer\SuperSocketNetLib" -Name Certificate -Value $certificate.Thumbprint.ToLower()
-                
-                # Grant read access to Private Key for SQL Service Account
-                if ($($_.Name) -eq "MSSQLSERVER") {
-                    icacls $machineKeyPath /grant "NT Service\MSSQLSERVER:R"
-                } else {
-                    icacls $machineKeyPath /grant "NT Service\MSSQL`$$($_.Name):R"
-                }
+                $serviceAccount = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)" -Name ObjectName).ObjectName
+                Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($_.Value)\MSSQLServer\SuperSocketNetLib" -Name Certificate -Value $certificate.Thumbprint.ToLower()
+                
+                # Grant read access to Private Key for SQL Service Account
+                icacls $machineKeyPath /grant "$serviceAccount:R"
-                Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($_.Value)\MSSQLServer\SuperSocketNetLib" -Name Certificate -Value $certificate.Thumbprint.ToLower()
-                
-                # Grant read access to Private Key for SQL Service Account
-                if ($($_.Name) -eq "MSSQLSERVER") {
-                    icacls $machineKeyPath /grant "NT Service\MSSQLSERVER:R"
-                } else {
-                    icacls $machineKeyPath /grant "NT Service\MSSQL`$$($_.Name):R"
-                }
+                $serviceAccount = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)" -Name ObjectName).ObjectName
+                Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($_.Value)\MSSQLServer\SuperSocketNetLib" -Name Certificate -Value $certificate.Thumbprint.ToLower()
+                
+                # Grant read access to Private Key for SQL Service Account
+                icacls $machineKeyPath /grant "$serviceAccount:R"
+            }
+        }
+    }
+  displayName: 'Add SQL Certificate [Win]'
+  condition: ${{parameters.condition }}
+
 - powershell: |
     # You need to restart SQL Server for the change to persist
     # -Force takes care of any dependent services, like SQL Agent.
@@ -210,6 +248,7 @@ steps:
     }
 
     Restart-Service -Name "$serviceName" -Force
+    Restart-Service -Name MSSQLSERVER* -Force
 
   displayName: 'Restart SQL Server [Win]'
   condition: ${{parameters.condition }}

@@ -166,7 +166,6 @@ public void OpeningConnectionWitHNICTest()
             }
         }
 
-        [ActiveIssue("31754")]
         [ConditionalFact(nameof(AreConnStringsSetup), nameof(UseManagedSNIOnWindows), nameof(IsNotAzureServer), nameof(IsLocalHost))]
         [PlatformSpecific(TestPlatforms.Windows)]
         public void RemoteCertificateNameMismatchErrorTest()
@@ -175,6 +174,7 @@ public void RemoteCertificateNameMismatchErrorTest()
             {
                 DataSource = GetLocalIpAddress(),
                 Encrypt = SqlConnectionEncryptOption.Mandatory,
+                TrustServerCertificate = false,
                 HostNameInCertificate = "BadHostName"
             };
             using SqlConnection connection = new(builder.ConnectionString);
@@ -183,7 +183,6 @@ public void RemoteCertificateNameMismatchErrorTest()
             Assert.Equal(20, exception.Class);
             Assert.IsType<AuthenticationException>(exception.InnerException);
             Assert.StartsWith("Certificate name mismatch. The provided 'DataSource' or 'HostNameInCertificate' does not match the name in the certificate.", exception.InnerException.Message);
-            Console.WriteLine(exception.Message);
         }
 
         private static void CreateValidCertificate(string script)