SQL Server: accessing CSV files as linked server with Windows authentication

SQL Server: accessing CSV files as linked server with Windows authentication - sql-server

Wish you all a happy new year!
I periodically import data from CSV files downloaded from a web application. I have created the linked server LS_Text for the local path with the CSV files. I import the file content with INSERT INTO ... SELECT queries in a stored procedure.
This works fine as long as I log in to SSMS as SA. But if I log in with my Windows authentication, I get the error
Cannot initialize the data source object of OLE DB provider
"Microsoft.ACE.OLEDB.12.0" for linked server "LS_Text".
I plan to import the files by an application that calls the stored procedure. So Windows authentication has to work.
What means the error message? The same error message results if the file path does not exist. So it looks as if SQL Server or the OLEDB provider can't see the folder with the CSV files. But I have saved the files myself with my credencials.
I have created the linked server with the following batch:
EXEC sp_addlinkedserver #server = N'LS_Text', #srvproduct=N'CSVFLATFILE',
#provider=N'Microsoft.ACE.OLEDB.12.0', #datasrc=N'C:\Trans', #provstr=N'Text;HDR=Yes';
EXEC sp_addlinkedsrvlogin #rmtsrvname = N'LS_Text', #useself = 'false',
#locallogin = NULL, #rmtuser = NULL, #rmtpassword = NULL;
EXEC sp_MSset_oledb_prop N'Microsoft.ACE.OLEDB.12.0', N'AllowInProcess', 1;
As far as I understand, #useself = 'false', #rmtuser = NULL, #rmtpassword = NULL means that the linked server can be accessed without login and password. I have tried all sort of other combinations, yet without success.
Articles found on Google for this error message deal with OPENROWSET rather than linked server. Or with ACE driver configuration. But this is not the issue since it works as SA.
So how can I query the CSV files with Windows authentication? Any hint is appreciated.

Perhaps this is not a full answer, but it should hopefully help you debug this kind of issue better yourself. Since, as you mention, it works as sa, the likely problem is related to the user/login mapping. There's an example on the doc page sp_addlinedsrvlogin doc describing how to try a specific Windows login. That might be worth trying for your credentials to see if that works. Second, there are ways to delve into what is happening in the server's code path to load and use the provider. A reasonable blog post can be found here which is about talking to Oracle but the important content is about how to set up trace events for linked servers and see what is happening once you start trying to execute your query. (linked server vs. openrowset to a linked server should not matter, but please note that the term openrowset was overloaded in SQL to allow different code paths including some that don't directly go through OLE/DB or not through this specific OLE/DB provider, as David mentions in the comments to your question). So, tracing the actions before the error may point out a spot where things have failed differently in your windows login case vs. the sa/admin path. Finally, as the Jet (now ACE) provider is fundamentally a DLL that gets loaded into the SQL Server process and then does file system operations to try to load a file, it may be valuable to just use procmon to monitor the process and see if there is some operation that is failing (such as reading a registry key or opening a file inside the provider). It doesn't seem to be the most likely problem given that sa works for you, but it may be a useful tool.
You also asked about the error message. I'll try to explain. (I wrote the original Jet OLE/DB provider that was later renamed to ACE after I changed teams). In OLE/DB, there are COM interfaces that conceptually "live" on 4 main internal classes. You can see this documented here in the OLE/DB programmer's guide. The Data Source object is the top-most object and it means somewhat different things to different data sources. The second-level concept is a "session". In Jet/ACE, these two concepts are not really different as you just have a connection to a file, but in SQL Server and other server things, the data source object is a connection to a server and the session is an individual connection to that server. The error you are getting is saying that the initial connection/authentication to the provider is failing. It means one of N things, but I'd start with examining "the mapping from SQL's login to the login for Jet/ACE is not working properly".
net-net - if you can load CSVs through the normal paths (openrowset(BULK + CSV format), your life is probably going to be better in the long-run as David suggests.
Best of luck debugging your problem whatever path you pick.

Related

Bulk Insert failed when executed from remote client but success on local

Please find the diagram as below for my issue:
I have 3 servers in the same domain, there is a SQL Server instance A (it's windows service run under domain\User1), In this instance, we have a Stored Procedure used for BULK INSERT a text file from a network shared folder in server C, the domain\User1 has full permissions on this folder.
My issue is: The Stored Procedure runs ok (green arrow) when connecting by SSMS in its (server A). But it failed when I change to SSMS in server B (log in by the same domain\User1 to the same Instance A). The error is "Access denied" to the text file (red arrow). Does the client have a role in this? I think the client does not matter, the file reading is done from the server (by the user that run Instance A service)
Note: If I connect Instance A from SSMS B with SQL Logon User (not windows account), the stored procedure works fine.
Could anyone give me some advice and sorry for my bad English

This is just a link answer but hopefully it helps.
BTW I commend you for taking the time to analyse the issue to the extent of drawing a diagram. This is far higher quality than most questions on here.
I believe you are running into a double hop issue. I searched everywhere for the BULK INSERT permission model and finally found this https://dba.stackexchange.com/questions/189676/why-is-bulk-insert-considered-dangerous
which says this about using BULK INSERT:
When accessing SQL Server via a Windows Login, that Windows account
will be impersonated (even if you switch the security context using
EXECUTE AS LOGIN='...') for doing the file system access
and this
when accessing SQL Server via a SQL Server Login, then the external
access is done in the context of the SQL Server service account
When you have issues with windows authentication and there is three servers and impersonation, it's often a double hop issue.
This may help you with that:
https://dba.stackexchange.com/questions/44524/bulk-insert-through-network
Which in turn references this:
https://thesqldude.com/2011/12/30/how-to-sql-server-bulk-insert-with-constrained-delegation-access-is-denied/

Cannot See Stored Procedure on Linked Server

First, I know the syntax of calling a procedure on a linked server and I am familiar with the RPC and RPC Out server options at a basic level. What I am being told is that a procedure I created cannot be seen by navigating the tree of the linked server.
One caveat is I do not have access to the server where this person is working which is linked to the server on which I have the procedure - I hope that is clearly stated. At this time he is getting the "not configured for RPC" error on execution and I have told him to check the linked servers options. So ultimately, do the RPC linked server options control whether the procedure can be seen?
I've been told that other views can be seen. Also, I am confident it is not a permissions issue. The user involved has access to a role which has access to my procedure.
Thank you for your time.

In the Linked Server, Properties, Server Options there are two RPC settings.
Set them both to true.
What do you mean by do not have access?
You cannot Connect to that server?
That is how I tested this.
Connect to any server, create a Linked Server back to yours, and test.

This is true:
In the Linked Server, Properties, Server Options there are two RPC settings.
Set them both to true.
You also need to verify that the credentials used inside the linked server connection has rights on the linked server.
Grant connect, and access to the database that has the stored procedures that you need access too. You will then grant execute to the procedures you need to run.
If you have connection issues, open SSMS using the credentials you have used to create the linked server on the database server you are trying to link from and verify connectivity and database access. If you can see the objects your after, then the linkedserver connection is the problem. Try creating a new one and see if you have better luck that way.

SQL Server linked server error 7303 to Access database

I've performed multiple searches and read numerous pages and tried loads of different configurations and nothing seems to solve a nuisance problem we have. We have a SQL server (2008 R2 v10.50.4000) that has several linked servers to several different access databases on a different server. They are all set up using UNC paths and they work...for a time.
At some point, something happens and then we can no longer access the databases and the only way I have found to solve this is to restart the SQL server service, which obviously isn't ideal in a production environment. This is the exact error message we get when we try to access it:
OLE DB provider "Microsoft.ACE.OLEDB.12.0" for linked server "HIDDEN" returned message "The Microsoft Access database engine cannot open or write to the file '\servername\path01\path02\path03\databasename.mdb'. It is already opened exclusively by another user, or you need permission to view and write its data.".
Yet it works absolutely fine again if I restart the SQL Server service, so I know the settings are correct. I strongly suspect it has something to do with the Microsoft ACE driver because they all (the Access database linked servers) stop working at the same time - even though they all look at different files.
At this point I'm willing to try anything.

Microsoft OLE DB Provider for SQL Server error '80040e09'

I am having to modify an old web project that us using classic asp. There are actually 2 different projects that are clones of each other, they just point to different databases.
I modified the code from the first project (asp, db, stored procs etc.) and it all works great.
I then copied all that code to the other project since they are clones. All works just fine there too. I can execute the stored procs in query analyzer and all the data comes back as expected and it shows up on the display asp pages.
When i hit the edit button on the page I get the "Microsoft OLE DB Provider for SQL Server error '80040e09'" and it shows the select part of the query in the error window.
I dont get anything about permissions etc.. If I view the page source the data is actually in there. I am really confused as to what is going on.
Anyone have any suggestions or things to look for.
Thanks

This appears to be a permissions error based on the usual meanings of this error code.
I would manually log in to the database using the same credentials you have configured in your application's connection string. Then run the same query and see what happens.

Problem calling stored procedure from another stored procedure via classic ASP

We have a classic ASP application that simply works and we have been loathe to modify the code lest we invoke the wrath of some long-dead Greek gods.
We recently had the requirement to add a feature to an application. The feature implementation is really just a database operation requires minimal change to the UI.
I changed the UI and made the minor modification to submit a new data value to the sproc call (sproc1).
In sproc1 that is called directly from ASP, we added a new call to another sproc that happens to be located on another server, sproc2.
Somehow, this does not work via our ASP app, but works in SQL Management Studio.
Here's the technical details:
SQL 2005 on both database servers.
Sql Login is authenticating from the ASP application to SQL 2005 Server 1.
Linked server from Server 1 to Server 2 is working.
When executing sproc1 from SQL Management Studio - works fine. Even when credentialed as the same user our code uses (the application sql login).
sproc2 works when called independently of sproc1 from SQL Management Studio.
VBScript (ASP) captures an error which is emitted in the XML back to the client. Error number is 0, error description is blank. Both from the ADODB.Connection object and from whatever Err.Number/Err.Description yields in VBScript from the ASP side.
So without any errors, nor any reproducibility (i.e. through SQL Mgmt Studio) - does anyone know the issue?
Our current plan is to break down and dig into the code on the ASP side and make a completely separate call to Server 2.sproc2 directly from ASP rather than trying to piggy-back through sproc1.

Have you got set nocount on set in both stored procedures? I had a similar issue once and whilst I can't remember exactly how I solved it at the moment, I know that had something to do with it!

You could be suffering from the double-hop problem
The double-hop issue is when the ASP/X page tries to use resources that are located on a server that is different from the IIS server.
Windows NT Challenge/Response does not support double-hop impersonations (in that once passed to the IIS server, the same credentials cannot be passed to a back-end server for authentication).
You should verify the attempted second connection using SQL Profiler.
Note that with your manual testing you are not authenticating via IIS. It's only when you initiate the sql via the ASP/X page that this problem manifests.
More resources:
http://support.microsoft.com/kb/910449
http://support.microsoft.com/kb/891031
http://support.microsoft.com/kb/810572

I had a similar problem and I solved it by setting nocount on and removing print commands.

My first reaction is that this might not be an issue of calling cross-server, but one of calling a second proc from a first, and that this might be what's acting differently in the two different environments.
My first question is this: what happens if you remove the cross-server aspect from the equation? If you could set up a test system where your first proc calls your second proc, but the second proc is on the same server and/or in the same database, do you still get the same problem?
Along these same lines: In my experience, when the application and SSMS have gotten different results like that, it has often been an issue of the stored procedures' settings. It could be, as Luke says, NOCOUNT. I've had this sort of thing happen from extraneous PRINT statements in the code, although I seem to remember the PRINTed value becoming part of the error description (very counterintuitively).
If anything is returned in the Messages window when you run this in SSMS, find out where it is coming from and make it stop. I would have to look up the technical terms, but my recollection is that different querying environments have different sensitivities to "errors", and that a default connection via SSSM will not throw an error at certain times when an ADO connection from a scripting language will.
One final thought: in case it is an environment thing, try different settings on your ASP page's connection string. E.g., if you have an OLEDB connection, try ODBC. Try the native and non-native SQL Server drivers. Check out what connection string options your provider supports, and try any of them that seem like they might be worth trying.

Example code might help :) Are you trying to return two tables from the stored procedure; I don't think ADO 2.6 can handle multiple tables being returned.

I did consider that (double-hop), but what is the difference between a sproc-in-a-sproc call like I am referring to vs. a typical cross-server join via INNER JOIN? Both would be executed on Server1, using the Linked Server credentials, and authenticating to Server 2.
Can anyone confirm that calling a sproc cross-server is different than doing a join on data tables? And why?
If the Linked Server config is a sql account - is that considered a double-hop (since what you refer to is NTLM double-hops?)
In terms of whether multiple resultsets are coming back - no. Both Server1.Sproc1 and Server2.Sproc2 would be "ExecuteNonQuery()" in the .net world and return nothing (no resultsets and no return values).

Try to check the permissions to the database for the user specified in the connection string.
Use the same user name in the connection string to log in to the database while using sql mgmt studio.
create some temporary table to write the intermediate values and exceptions since it can be a effective way of debugging your application.

Can I just check: You made the addition of sproc2? Prior to that it was working fine for ages.
Could you not change where you call sproc2 from? Rather than calling it from inside sproc1, can you call it from the ASP? That way you control the authentication to SQL in the code, and don't have to rely on setting up any trusts or shared remote authentication on the servers.

How is your linked server set up? You generally have some options as to how it authenticates to the remote server, which include logging in as the currently logged in user or specifying a SQL login to always use. Have you tried setting it to always use a specific account? That should eliminate any possible permissions issues in calling the remote procedure...

Develop Reference

c reactjs sql-server angularjs arrays wpf database batch-file google-app-engine silverlight