I have a local SQL Server. My computer login is Domain\myName.
The local SQL Server instance allows me to sign in using Windows authentication. I am in logins as Domain\myName. I am using a third party app that creates a directory that only Domain\myName can access.
So I tried to create a credential for Domain\myName and then use a proxy to run a SQL Server Agent job that writes to that directory. However, when I right click on credentials, the only location that show up is <mycomputername>, so Domain\myName does not appear in the identity list.
How can I get Domain\myName to be able to run a job with the correct authorization to write to a directory?
Thanks
If you mean that SSMS dialog is not giving you a picker to select a Domain account, just use TSQL
USE msdb ;
GO
CREATE CREDENTIAL myNameCredential WITH IDENTITY = 'Domain\myName',
SECRET = 'G3$1o)lkJ8HNd!';
GO
-- creates proxy and assigns the credential
EXEC dbo.sp_add_proxy
#proxy_name = 'Proxy for myName',
#enabled = 1,
#description = 'Proxy for myName',
#credential_name = 'myNameCredential' ;
GO
-- grants the proxy "Proxy for myName" access to
-- the Powershell Scripting subsystem.
EXEC dbo.sp_grant_proxy_to_subsystem
#proxy_name = N'Proxy for myName',
#subsystem_id = 12 ;
GO
Create a SQL Server Agent Proxy - Using Transact-SQL
Note that the TSQL job step doesn't do a real local logon for the proxy account, so you'll have to use PowerShell or CMDEXEC.
Related
I am developing a web application which in production connects to an Azure database but in my local environment connects to a SQL Server running in Docker. I would like my local database to link to the Azure database so that I can easily copy data from production. I was able to successfully link via these commands:
EXEC sp_addlinkedserver
#server='remote',
#srvproduct='',
#provider='sqlncli',
#datasrc='mydb.database.windows.net',
#location='',
#provstr='',
#catalog='mydb';
EXEC sp_addlinkedsrvlogin
#rmtsrvname = 'remote',
#useself = 'false',
#rmtuser = 'my_username',
#rmtpassword = 'my_password';
EXEC sp_serveroption 'remote', 'rpc out', true;
...however although I can connect and am using the same username & password used by the app itself which works, I cannot see my objects in the dbo schema, only sys and INFORMATION_SCHEMA.
Why am I unable to see [remote].[mydb].[dbo].* objects when linking to a remote Azure database? I get this error when attempting to SELECT:
Msg 7314, Level 16, State 1, Line 1
The OLE DB provider "MSOLEDBSQL" for linked server "remote" does not contain the table ""mydb"."dbo"."my_table"". The table either does not exist or the current user does not have permissions on that table.
Have you looked at the table's permissions?
It appears to be a permissions problem. Your query is correct.
As a piece of advice, try connecting the server using a specific user who has been granted select permission on particular table/database.
GRANT select ON DATABASE::database_name TO username;
GO
Data from Azure sql database:
Output from Linked service:
We have a SSIS package which accesses database columns which are encrypted using Always Encrypted.
This does not work when triggering the SSIS package through a SQL job using a proxy user.
Failed to decrypt a column encryption key using key store provider 'mssql_certificate_store'
We have tried logging in to the server as the domain user and triggering the SSIS package manually and we don't receive this error. So it seems that there is some issue accessing the certs when a proxy user is activating the ssis package.
Code for the setup of the proxy user:
CREATE CREDENTIAL [SSIS Credential]
WITH IDENTITY = N'DOMAIN\service_ssis_user', SECRET = N'DomainPassword'
IF NOT EXISTS (SELECT name FROM sysproxies WHERE name = 'SSIS Package')
BEGIN
EXEC msdb.dbo.sp_add_proxy
#proxy_name = N'SSIS Package',
#credential_name = N'SSIS Credential', #enabled = 1
EXEC msdb.dbo.sp_grant_proxy_to_subsystem
#proxy_name = N'SSIS Package', #subsystem_id = 11
EXEC msdb.dbo.sp_grant_login_to_proxy
#proxy_name = N'SSIS Package',
#login_name = N'DOMAIN\service_ssis_user'
END
GO
The aim is to get the SSIS package running as the domain user and able to access the certificates associated with this user
Update:
The proxy user does not "login" as the user that I have created credentials for, it simply uses the security context of the user to run the command. So it does not load their windows user profile which would happen when logging in directly as the Domain User. And therefor the certs are not accessible when running via proxy. I dont know how to get around this issue however.
Windows user profile is not Loaded when a proxy account is used. As a result the certificates associated with the user are not accessible when running via proxy.
My current application uses very powerful credentials to access the SQL Server back-end database. I want to improve the security in my application by using an application role created.
For example, if I created one called app-role, with a password:
EXECUTE sp_addapprole #rolename = 'app-role', #password = `right pony duracell binderclip`
I want to enable the use of this application automatically during connection by specifying it in a connection string. I don't want to risk there being any places in the software that are accidentally not re-engineered to call:
EXECUTE sp_setapprole #rolename = 'app-role', #password = `right pony duracell binderclip`, #encrypt = 'odbc'
So obviously I want this to happen automatically during connection.
Bonus Chatter
The application roles feature was first added in SQL Server 2000.
Bonus Reading
How to to use SQL Server application role in my connection string
I try (for the first time) to create a user account on my SQL Azure database.
I have read in some blogs that I have to create these command lines
CREATE LOGIN login_name WITH PASSWORD = 'strong_password';
CREATE USER 'user_name' FOR LOGIN 'login_name';
And then
USE [Database];
GO
GRANT CONNECT TO login_name;
But, when I try to connect with this new account on my database, I have the message error 916
The server principal "login_name is not able to access the database "master" under the current security context.
I don't understand because the don't create my new user for the master but for a specific database in my SQL Azure environment (I have 5 databases in my SQL Azure by the way)
If you have any idea to help me, thanks in advance
When first logging in, unless a database is specified in the connection string, a login connects to its default database. If the database is not specified in the CREATE LOGIN statement, the system default of master is used.
To fix this, use this for your CREATE LOGIN:
CREATE LOGIN login_name WITH PASSWORD = 'strong_password',
DEFAULT_DATABASE = MyDatabase;
I'm trying to script a creation of SQL Server identity to be then used to execute SQL Server agent jobs via a proxy.
It looks as though I can only use a Windows account and thence I would have to provide its password in plain text. Seriously? There must be a better way to do this. I need this script to work on my team-mates' machines as well as mine:
USE [msdb]
CREATE LOGIN [proxy_login] WITH PASSWORD=N'passw0rd',
DEFAULT_DATABASE=[SSISConfig], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
CREATE CREDENTIAL [my_cred] WITH IDENTITY='proxy_login', SECRET='passw0rd'
EXEC msdb.dbo.sp_add_proxy
#proxy_name=N'My_Proxy',
#credential_name=N'my_cred',
#enabled=1
Error:
Msg 14720, Level 16, State 1, Procedure sp_verify_credential_identifiers, Line 69 [Batch Start Line 0]
The operation failed because credential '#credential_name' identity is not a valid Windows account
In ideal world I would like to use the SYSTEM_USER login for the credential without having to supply their password.
Yes your assumption is right, credentials cannot be created for SQL Server logins it can only be Domain users (visible from your SQL Server), and yes you have to pass the password when creating credentials.
Once credentials has been created one or more proxies can use them.
Typically proxies in SQL Server are used to facilitate cross domain processes. A process executing (probably SSIS job etc.) on DomainA\ServerA at run-time will access databases on DomainB\ServerB, The user account running the job on DomainA\ServerA must have access to DomainB\ServerB. Now in this case a proxy on DomainA\ServerA can be used with the credentials of a User, let say UserB from DomainB with access to ServerB etc. The proxy at run-time when reaches to DomainB will provide the credentials for UserB and the process can continue to run.
SQL Server Agent jobs which run via Proxy needs Credentials. These credentials will usually accept windows username-password.
Better way:
If you're concerned with the security aspect, I will suggest you create a Powershell utility which will prompt for windows username, password(star marked) and set it directly in credentials and create proxy out of that via sql query execution.
sample(.ps1 file):
# read from user input
$Winpwd = read-host "Enter windows Password for ""$(whoami)""" -AsSecureString ;
$BSTR=[System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Winpwd)
$Winpwd = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
#execute sql
Add-Content main.sql "CREATE CREDENTIAL SSISAdmin WITH IDENTITY = '$(whoami)', SECRET = '$Winpwd';"
Add-Content main.sql "GO"