I am running SQL Server 2014
I am trying to set up a scheduled SQL Agent job that runs an SSIS package and I need it to use a SQL Authentication login in order to access all the applications/servers the SSIS package accesses.
I have created a Credential that is mapped to the SQL Authentication login and connected it to a Proxy which the SQL Agent runs as when accessing the SSIS package, however, the job fails with an error message:
Unable to start execution of step 1 (reason: Could not get proxy data for proxy_id = 1). The step failed.
I have confirmed that:
I can access all servers/applications using the SQL Authentication account
The SSIS package connections are configured for SQL Authentication
I can run the SSIS package manually using the SQL Authentication fine
All accessed SQL Server Databases are configured for both Windows AD and SQL authentication login
When I create the SQL Server Agent Job, the step that runs the SSIS package has an option for the SQL Server Authentication login but the option is greyed out and I cannot select it:
I feel like I am missing a very obvious step but it's eluding me, any assistance will be appreciated.
#oscar and #chuck are both correct SQL Agent jobs running SSIS packages cannot run in SQL Authentication mode they have to use Windows Authentication. The user that runs the agent job unless you specify otherwise is the SQL Agent service account. It is that service account and the SQL Service account on the server you are running it on that will need certain permissions. However, you can change which account it executes as per chuck's note. Of course depending on who many different servers you are passing credentials and what is being accessed you can also get into a kerberos double hop problem...... Trust me solving that last part not so fun but still doable.
However the thing is if you must use SQL Authentication you don't need a windows user at all. you can put the SQL Authentication credentials in your connection strings of the connection managers in SSIS package. The SQL Agent service account can handle any file access issues for you and your connection strings can pass the sql credentials. no double hop problem and easy. If you are worried about embedding credentials you should use a less privileged sql account but you can also encrypt them and store them with the package. There are also several ways of dynamically getting them from an encrypted state.
Related
For more than a year we have a stable job executed in SQL Server-Agent. The job (designed in SSIS) is basically the following:
Connect to a SSAS DB via Power Query Editor and get some data from a
Cube -> Write it into a SQL Server DB.
When I execute this Job in SSIS, everything works fine. I can connect to SSAS via "Username / PW" Authentification kind. (The other method would be windows, but that does not work).
As I said, this job is executed on Server via Job Agent for more than a year.
However, since last week, we get the following error message and the job cannot be executed anymore:
MYPACKAGE:Error: AnalysisServices: Unable to obtain authentication token using the credentials provided. If your Active Directory tenant administrator has configured Multi-Factor Authentication or if your account is a Microsoft Account, please remove the user name and password from the connection string, and then retry. You should then be prompted to enter your credentials.
I tried a lot of things but it will not work.
I am wondering why it works on SSIS on my local machine but not on the server.
Do you have any idea?
I have a SQL Server service account: domain\sqlservice.
This account is running both SQL Server service and SQL Server Agent Service.
This account has read/write permission to a file share: \\fileserver\Path1, and from the SQL Server and SQL Server Agent jobs, we are able to write to this folder path using the service account (using master..xp_cmdshell. xp_cmdshell is enabled).
This permission got removed by mistake, now we have added it back.
I can use the service account domain\sqlservice to browse to \\fileserver\Path1 and create files and folders (using Windows Explorer), but SQL Server and SQL Server Agent jobs still could not.
I have restarted the SQL Server Agent service (I believe this is account used to access the file share when running the SQL Server Agent jobs).
But it still failed to access the path - I get an access denied error.
I think I will need to restart the SQL Server service to fix this issue (waiting for my maintenance window now).
I want to understand it better, can someone give me some hint on why SQL Server Agent job is related to the SQL Server services running account? And what is the relationship between SQL Server Agent job service account and SQL Server service account? Are we still utilize this account to access fileshare defined in the SQL Server Agent job?
Thank you all very much
It looks like it takes time for the service account to get updated.
So I rerun the task in 10 hours
and task runs fine.
So I guess you have two options.
wait for the token or something expire and renewed.
you can restart the service.
#Charlieface’s comment explains the reason:
Double check that SQL Server is definitely still running under that service account, as well as which account has now received permissions to the share. The permissions for xp_cmdshell depend on whether the session has sa rights, see learn.microsoft.com/en-us/sql/relational-databases/…. Quite why you are using xp_cmdshell is a different question: it has major security implications, and should probably be converted into a SQL Agent job written in Powershell.
I have a question with regards to configuring database connections in SSIS to SQL server and using AD credentials other than the regular user account. Is this possible to do, or do i need to use a SQL user account?
Our IT department just recently went through a change and split our user account to have a regular account and admin account. Since then, one of our guy's is struggling with some SSIS packages as well as some PowerBI dashboards that he had created, since now his regular user account no longer has access to the databases.
I'm thinking that it is probably best just to create a SQL user account, but he wanted to try and configure it using his admin credentials. Just wondering what others usually do with respect to this?
By the way we're using SSIS 2014
Thanks
The normal way to do this is to configure the SSIS host process to run as the target account. There's no way to embed AD credentials in a connection string, like with SQL Auth.
So in the normal case where SQL Agent runs the SSIS packages, you configure the AD credentials as a SQL Server Credential, and create a SQL Agent Proxy. Then whether the Agent job launches DTEXEC.EXE directly, or calls the SSISDB stored procedures, the package execution will use the AD account of the Proxy, and your connections to SQL Server can use Integrated Security.
There's a file stored in SharePoint that I want to use as data source in my SSIS package that will be run by SQL Server Agent.
The SQL Server Agent uses an account that doesn't have access to this file, so I want the Excel connection to use different login credentials (you can specify them in OLEDB connections). Is there any way to do this?
I know that the simplest way would be to just grant the permissions to the account that SQL Server Agent uses, but our responsible person is away. Changing the credentials in SQL Server Configuration Manager is not an option.
MS SQL Server 2008R2, Server Integration Services Version 10.50.1600.1, Sharepoint2010,
You can set up a proxy account that has the appropriate permissions to the location of the excel file and then set the job to run as that proxy account.
https://technet.microsoft.com/en-us/library/ms190698%28v=sql.105%29.aspx?f=255&MSPPError=-2147217396
I have SSIS packages that have connections that use project params(only database and server), the actual login is set to windows authentication.
So when a SQL Server Agent runs that job step(package) how does it connect with windows authentication? Does it use it's own service account? If so as long as the service account has the same permissions as my windows account it shouldn't have issues right? All the objects in the SSIS packages are tables stored in that same server instance.
If I had external objects that use tables on different servers and such would it encounter issues then?
If the job owner is sysadmin and different server are in same domain it should be straight foward.
The secure way is to create a proxy on sql and give the Windows auth credentials. Then configured the package to run as "proxy defined".