MSSQL

Status: Released Updated: 24 Feb 2026

The MyPass Connector for Microsoft SQL Server enables automated discovery, management, and rotation of native SQL Server logins across multiple instances from a single MyPass deployment. Installed automatically with the MyPass Gateway Server and licensed separately on a per-managed-account, per-system basis, the connector executes all operations from the Gateway using standard TCP/IP communication (default port 1433) with optional TLS encryption. Password changes are performed securely by calling a pre-deployed stored procedure in the target database that contains the actual reset logic (ALTER LOGIN), eliminating the need for agents on the SQL Server hosts. Configuration is centralized in the MyPass Administration Client, requiring only network connectivity, a dedicated service account with minimal privileges, and the one-time deployment of the vendor-supplied stored procedure — delivering a secure, auditable, and low-maintenance integration for native SQL Server accounts.

Stored Procedure Requirement

Unlike direct authentication methods, the MSSQL connector requires a pre-deployed stored procedure on the target database to execute password reset operations. This stored procedure must be installed once during initial setup and contains the actual ALTER LOGIN logic, ensuring secure and consistent password management across all SQL Server instances.

Quick Implementation Pointers

Network and Infrastructure Pre-requisites

To ensure successful integration, the following network and infrastructure components must be in place:

  • MSSQL Environment: A functional Microsoft SQL Server instance with TCP/IP enabled and accessible, configured to support standard SQL authentication.
  • MyPass Gateway Server: A Windows Server (2016 or later) to host the MyPass Gateway application, acting as a secure intermediary between the MyPass Password Manager Servernector.
  • Network Connectivity: Open firewall ports for TCP 1433 between the Gateway Server and the MSSQL instance(s).
  • Stored Procedure: The password reset logic must be implemented as a stored procedure within the target MSSQL database. This procedure must be deployed before integration.
  • System Account: A SQL Server account with sufficient privileges to execute password reset operations, including ALTER LOGIN commands.
  • Encryption Configuration (Optional): If encryption is enabled, the MSSQL server must be configured to support encrypted connections.

Required System Parameters

The following parameters are required to configure the integration with your Microsoft SQL Server instance:

| Parameter | Description |
|---|---|
| Hostname | Fully qualified hostname, simple hostname, or IP address. |
| Port | Port MSSQL is listening on (e.g., 1433). |
| Instance | The MSSQL instance to connect to. |
| Database | The database containing the stored procedure. |
| Stored Procedure | Name of the stored procedure to execute. |
| Account | Account with privileges to execute ALTER LOGIN commands. |
| Password | Password for the specified account. |
| Encryption | Boolean flag to enable encryption (requires additional server config). |

These parameters are used to construct a valid MSSQL connection string. The Administration Client allows customization beyond these defaults. Sensitive data such as account credentials and connection strings are stored securely with strong encryption.

Additional Requirements

  • A dedicated server or virtual machine within your infrastructure must be available to host the MyPass Gateway Server, meeting the hardware and software specifications provided in the MyPass Gateway Server installation guide.
  • The Gateway Server must have network access to the MSSQL instances and be able to establish TCP connections on the configured port (typically 1433).
  • Appropriate firewall rules and security policies must be configured to allow communication between the Gateway Server, MSSQL instances, and MyPass Cloud.
  • The SQL Server account specified for integration must have sufficient privileges to execute the stored procedure and perform password reset operations.

MSSQL Service Account

The MSSQL service account is a critical component for MyPass Cloud's integration with Microsoft SQL Server. This dedicated SQL Server login, specified during the configuration process, must have sufficient privileges to execute the password reset stored procedure and perform ALTER LOGIN operations. It enables MyPass Cloud to perform essential operations such as password rotation and account management, ensuring seamless and secure interaction with your SQL Server environment.

Required Permissions

| Permission Type | Access Level | Purpose |
|---|---|---|
| Execute Stored Procedure | Execute | Allow execution of password reset procedure |
| ALTER LOGIN | Execute | Perform password changes on SQL Server logins |
| View Server State | Read | Query login information and status |

Granting Permissions

To grant the necessary permissions to the service account, follow these steps in SQL Server Management Studio (SSMS):

  1. Open SQL Server Management Studio and connect to your SQL Server instance.
  2. Navigate to Security → Logins.
  3. Right-click Logins and select New Login.
  4. Configure the login with SQL Server authentication and assign the sysadmin role (or create a custom role with minimal required permissions).
  5. Ensure the account has execute permissions on the password reset stored procedure.
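
The custom-permission alternative to sysadmin mentioned in step 4, written out as an added T-SQL example (not MyPass's own script). The login name `mypass_svc` and the `dbo` schema are assumptions; the procedure name and the master database are taken from the setup steps on this page, and the script assumes the vendor procedure needs nothing beyond the permissions listed in the Required Permissions tables.

```sql
-- Added example: least-privilege service login for the connector.
-- Assumptions: login name mypass_svc, procedure dbo.FPC_ResetPassword in master.
USE master;
GO

-- Placeholder secret: replace with a generated value before running.
CREATE LOGIN [mypass_svc]
    WITH PASSWORD = N'<REPLACE-WITH-GENERATED-SECRET>',
         CHECK_POLICY = ON;
GO

-- A database user in master is needed so EXECUTE can be granted on the procedure.
CREATE USER [mypass_svc] FOR LOGIN [mypass_svc];
GRANT EXECUTE ON OBJECT::dbo.FPC_ResetPassword TO [mypass_svc];
GO

-- Server-level permissions from the Required Permissions tables.
GRANT ALTER ANY LOGIN     TO [mypass_svc];  -- password reset
GRANT VIEW SERVER STATE   TO [mypass_svc];  -- reset and discovery
GRANT VIEW ANY DEFINITION TO [mypass_svc];  -- discovery
GO

-- Check 1: list what the login actually holds at server scope.
SELECT pr.name AS login_name,
       pe.permission_name,
       pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals  AS pr
     ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'mypass_svc'
ORDER BY pe.permission_name;

-- Check 2: confirm the login is not a member of sysadmin.
SELECT IS_SRVROLEMEMBER('sysadmin', 'mypass_svc') AS is_sysadmin;
```

Check 2 should return 0; a value of 1 means the login still holds sysadmin. With ALTER ANY LOGIN but without CONTROL SERVER, SQL Server refuses password resets on logins that are sysadmin members, so those logins stay outside what this account can rotate.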

Service Account Functions

Password Reset Operation

The Password Reset function is executed through a pre-deployed stored procedure in the target MSSQL database. This function performs the password reset process, provided the user has successfully completed the configured alternative authentication methods in MyPass Cloud.

The password reset operation works as follows:

  1. MyPass Gateway connects to the SQL Server instance using the service account credentials.
  2. The Gateway executes the stored procedure, passing the target login name and new password as parameters.
  3. The stored procedure performs the ALTER LOGIN command to change the password.
  4. The operation result is returned to MyPass Cloud for auditing and confirmation.

Required Permissions

The service account must have the following permissions:

| Permission | Access | Description |
|---|---|---|
| EXECUTE on stored procedure | Execute | Permission to run the password reset stored procedure |
| ALTER ANY LOGIN | Execute | Ability to modify SQL Server logins (contained within stored procedure) |
| VIEW SERVER STATE | Read | Query login information and account status |

Account Discovery Operation

MyPass Cloud uses a discovery operation to identify and track SQL Server logins that should be managed. This discovery process queries the SQL Server instance to retrieve a list of logins based on the configured criteria.

Required Permissions

| Permission | Access | Description |
|---|---|---|
| VIEW SERVER STATE | Read | Query server-level information |
| VIEW ANY DEFINITION | Read | Access login metadata and properties |

Configuring MSSQL for MyPass Connector

The connector uses standard MSSQL connection strings and supports all MSSQL communication methods. However, MyPass has only been tested with TCP communication.

Steps to configure MSSQL for MyPass Connector

MSSQL Communication Settings

To configure TCP communication in MSSQL Server 2005 Express on Windows Server 2003:

  1. Open SQL Server Configuration Manager via Start → Microsoft SQL Server 2005 → Configuration Tools → SQL Server Configuration Manager.
  2. Navigate to Protocols for [Instance], right-click TCP/IP, and select Properties.
  3. In the Protocol tab, set Enabled to Yes.
  4. In the IP Addresses tab, under IP All, set the desired TCP Port (e.g., 1433).
  5. Click OK and restart the MSSQL service.

MSSQL System Account Configuration

To configure the MSSQL system account:

  1. Open Microsoft SQL Server Management Studio and log in as SA or another admin account.
  2. Navigate to Security → Logins.
  3. Right-click Logins and select New Login.
  4. On the General page:
     • Specify the Login name.
     • Select SQL Server authentication and set a password.
  5. On the Server Roles page, assign the sysadmin role.
  6. Click OK to create the account.

MSSQL Stored Procedure Configuration

To configure the stored procedure:

  1. Open SQL Server Management Studio and log in as SA or the newly created account.
  2. Navigate to master → Stored Procedures.
  3. Right-click Stored Procedures and select New Stored Procedure.
  4. Paste the contents of <installdir>\MyPassCorp\MyPassGateway\bin\ConnectorMSSQL\FPC_PasswordReset_ForDatabaseUsers.sql.
  5. Click ! Execute on the toolbar.
  6. Expand Stored Procedures, right-click FPC_ResetPassword, and select Execute.
  7. Fill in the required parameters and click OK.

If successful, the result will confirm that the MSSQL environment is ready for integration with the MyPass Password Manager solution.

Enabling Encrypted Connections (TLS)

  • Install a valid certificate on the SQL Server (or use self-signed for testing).
  • In SQL Server Configuration Manager, under Protocols, set Force Encryption to Yes (optional).
  • Set Encryption = true in the connector configuration.
  • Ensure the Gateway Server trusts the SQL Server certificate.
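
A check that the settings above took effect, as an added T-SQL example that is not part of the MyPass documentation. It reads the connection DMVs, which requires the VIEW SERVER STATE permission already listed for the service account; the login name `mypass_svc` is an assumption.

```sql
-- Added example: confirm that connector sessions are encrypted on the wire.
-- Assumption: the connector logs in as mypass_svc.

-- Per-session view of the service account's connections.
SELECT s.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       c.client_net_address,
       c.net_transport,
       c.encrypt_option,     -- 'TRUE' when the session is encrypted
       c.auth_scheme,
       c.connect_time
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s
     ON s.session_id = c.session_id
WHERE s.login_name = N'mypass_svc'
ORDER BY c.connect_time DESC;

-- Instance-wide view: which logins and client addresses still hold
-- unencrypted TCP sessions (useful before setting Force Encryption to Yes).
SELECT s.login_name,
       c.client_net_address,
       COUNT(*) AS unencrypted_sessions
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s
     ON s.session_id = c.session_id
WHERE c.net_transport = 'TCP'
  AND c.encrypt_option = 'FALSE'
GROUP BY s.login_name, c.client_net_address
ORDER BY unencrypted_sessions DESC;
```

The DMVs list only sessions that are open at the moment of the query, so run the first query while the connector holds a connection.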

Licensing – Simple Summary

| What you pay for | How it’s calculated |
|---|---|
| Active Directory (required) | One fee per managed user |
| Each additional system (Microsoft SQL Server) | Additional fee per managed user × per SQL Server instance |

Real-world example

If you manage 1 000 users:

  • Active Directory → 1 000 × base user license
  • 5 SQL Server instances (e.g., Prod, Dev, Reporting × 2, DR) → + 5 000 × MSSQL connector user license (1 000 users × 5 instances)
  • Total = base AD license + MSSQL connector license for 5 000 “user-instance” seats

Simple and fair - you only pay for the SQL Server native accounts that MyPass actually rotates.