How to run SQL server agent jobs with different AD accounts? - sql-server

Our SQL server agent already setup an AD account (e.g. MyCompany\Bob) for scheduled jobs. The logon setup is done via service.msc.
Recently, we have a new T-SQL job that connects to another SQL Server instance via linked server. Another AD account (MyCompany\Alice) is required for connection.
Is it possible to setup like that? Thanks

Related

SQL Server service and agent account permission changes do I need to restart service to take effect

I have a SQL Server service account: domain\sqlservice.
This account is running both SQL Server service and SQL Server Agent Service.
This account has read/write permission to a file share: \\fileserver\Path1, and from the SQL Server and SQL Server Agent jobs, we are able to write to this folder path using the service account (using master..xp_cmdshell. xp_cmdshell is enabled).
This permission got removed by mistake, now we have added it back.
I can use the service account domain\sqlservice to browse to \\fileserver\Path1 and create files and folders (using Windows Explorer), but SQL Server and SQL Server Agent jobs still could not.
I have restarted the SQL Server Agent service (I believe this is account used to access the file share when running the SQL Server Agent jobs).
But it still failed to access the path - I get an access denied error.
I think I will need to restart the SQL Server service to fix this issue (waiting for my maintenance window now).
I want to understand it better, can someone give me some hint on why SQL Server Agent job is related to the SQL Server services running account? And what is the relationship between SQL Server Agent job service account and SQL Server service account? Are we still utilize this account to access fileshare defined in the SQL Server Agent job?
Thank you all very much
It looks like it takes time for the service account to get updated.
So I rerun the task in 10 hours
and task runs fine.
So I guess you have two options.
wait for the token or something expire and renewed.
you can restart the service.
#Charlieface’s comment explains the reason:
Double check that SQL Server is definitely still running under that service account, as well as which account has now received permissions to the share. The permissions for xp_cmdshell depend on whether the session has sa rights, see learn.microsoft.com/en-us/sql/relational-databases/…. Quite why you are using xp_cmdshell is a different question: it has major security implications, and should probably be converted into a SQL Agent job written in Powershell.

SSIS - How to configure Database connection with alternate AD credentials

I have a question with regards to configuring database connections in SSIS to SQL server and using AD credentials other than the regular user account. Is this possible to do, or do i need to use a SQL user account?
Our IT department just recently went through a change and split our user account to have a regular account and admin account. Since then, one of our guy's is struggling with some SSIS packages as well as some PowerBI dashboards that he had created, since now his regular user account no longer has access to the databases.
I'm thinking that it is probably best just to create a SQL user account, but he wanted to try and configure it using his admin credentials. Just wondering what others usually do with respect to this?
By the way we're using SSIS 2014
Thanks
The normal way to do this is to configure the SSIS host process to run as the target account. There's no way to embed AD credentials in a connection string, like with SQL Auth.
So in the normal case where SQL Agent runs the SSIS packages, you configure the AD credentials as a SQL Server Credential, and create a SQL Agent Proxy. Then whether the Agent job launches DTEXEC.EXE directly, or calls the SSISDB stored procedures, the package execution will use the AD account of the Proxy, and your connections to SQL Server can use Integrated Security.

SQL Server - Migrate Agent Jobs to Azure

We're in the final phase of migrating our SQL Server on VM to Azure SQL Server. What is the most time-efficient approach to getting our existing SQL Server Agent Jobs out to Azure? I've noticed that inside of SSMS, when connected to an Azure SQL Server, the Agent does not exist - we were aware of this before migrating, but I have yet to have found whether there is an Azure service that replaces the SQL Server Agent Jobs functionality.
There are a number of options.
If you need timed execution of some data momement, Azure Data Factory can be a good replacement.
There is also an Azure Scheduler, that is often mentioned as an alternative. However, I believe that would work better on API's than directly on a database.
I think the best option is Azure automation and create a runbook that connects to your database and performs some action.
An interesting blog that details these options in more detail can be foond at: https://blogs.technet.microsoft.com/uktechnet/2016/02/05/is-sql-server-agent-missing-from-azure-sql-database/

SQL Agent Job running SSIS package using SQL Authentication

I am running SQL Server 2014
I am trying to set up a scheduled SQL Agent job that runs an SSIS package and I need it to use a SQL Authentication login in order to access all the applications/servers the SSIS package accesses.
I have created a Credential that is mapped to the SQL Authentication login and connected it to a Proxy which the SQL Agent runs as when accessing the SSIS package, however, the job fails with an error message:
Unable to start execution of step 1 (reason: Could not get proxy data for proxy_id = 1). The step failed.
I have confirmed that:
I can access all servers/applications using the SQL Authentication account
The SSIS package connections are configured for SQL Authentication
I can run the SSIS package manually using the SQL Authentication fine
All accessed SQL Server Databases are configured for both Windows AD and SQL authentication login
When I create the SQL Server Agent Job, the step that runs the SSIS package has an option for the SQL Server Authentication login but the option is greyed out and I cannot select it:
I feel like I am missing a very obvious step but it's eluding me, any assistance will be appreciated.
#oscar and #chuck are both correct SQL Agent jobs running SSIS packages cannot run in SQL Authentication mode they have to use Windows Authentication. The user that runs the agent job unless you specify otherwise is the SQL Agent service account. It is that service account and the SQL Service account on the server you are running it on that will need certain permissions. However, you can change which account it executes as per chuck's note. Of course depending on who many different servers you are passing credentials and what is being accessed you can also get into a kerberos double hop problem...... Trust me solving that last part not so fun but still doable.
However the thing is if you must use SQL Authentication you don't need a windows user at all. you can put the SQL Authentication credentials in your connection strings of the connection managers in SSIS package. The SQL Agent service account can handle any file access issues for you and your connection strings can pass the sql credentials. no double hop problem and easy. If you are worried about embedding credentials you should use a less privileged sql account but you can also encrypt them and store them with the package. There are also several ways of dynamically getting them from an encrypted state.

How does SQL Server Agent read SSIS Package Connection?

I have SSIS packages that have connections that use project params(only database and server), the actual login is set to windows authentication.
So when a SQL Server Agent runs that job step(package) how does it connect with windows authentication? Does it use it's own service account? If so as long as the service account has the same permissions as my windows account it shouldn't have issues right? All the objects in the SSIS packages are tables stored in that same server instance.
If I had external objects that use tables on different servers and such would it encounter issues then?
If the job owner is sysadmin and different server are in same domain it should be straight foward.
The secure way is to create a proxy on sql and give the Windows auth credentials. Then configured the package to run as "proxy defined".

Resources