In the past this command would work:
EXEC [linkedServerName].msdb.dbo.sp_start_job #job_name = 'test2'
Now I have to use the impersonate login and add the SQL service account (referenced in local login to impersonate) of calling server onto called server and giving it SA privilege: think I am doing something wrong, it shouldn't be so complicated should it?
Without the SA privilege on the impersonating account added to the remote server I receive error:
The EXECUTE permission was denied on the object 'sp_start_job', database 'msdb', schema 'dbo'.
Thank you
it shouldn't be so complicated should it?
This isn't any more complicated than the task you're doing. It's pretty basic security. If you want an account to be able to do things on a server, the account needs to have the proper access to that server. I'm not sure why you think it should be otherwise. Setting up proxy accounts isn't the most straightforward, but scheduling jobs from a remote server instead of the local agent isn't the most straightforward task, either.
Per the doc a user needs to be a member of the sysadmin, SQLAgentUserRole, SQLAgentReaderRole, or SQLAgentOperatorRole to be able to call sp_start_job.
The alternative is to configure the linked server to use a fixed security context or map a security context instead of impersonating one. This can be configured on the Security page of the Linked Server properties. Note that the account used for a fixed context still needs to be a member of one of the above roles to execute sp_start_job.
Related
I have a job which tries to access data from a remote server. I have created linked server which is connected successfully. When I try to access tables by directly running the query it works fine. But when I run same query via job it throws an error "login failed for user".
Job is assigned owner 'sa' and running with ssis proxy with sysadmin and public roles. In security tab of linked server properties I have no mappings and "be made using the login's current security context" selected.
I am not sure how should I correct it. If I should add mappings then what should be mapped? Please help me as I already spend whole day exploring possible options but couldn't find anything useful.
It does not matter who is the owner of package. Only the user under whom the packet is launched is important.
If this user is Windows (Windows domen) user, read this link.
If your user is sql-user, check it password and permissions on linked server.
If all from previous step are correct, try to add this user to mapping with checked Impersonate checkbox.
Is it possible to pass-through Windows User logins from Datazen through to SQL Server?
Scenario:
I created a Dashboard which uses a SQL Query as a data source.
The data source is of type "SQL Server" and the flag Integrated Security is set to YES.
I've also configured the data source to be "Real Time," to avoid any issues with caching.
I'm expecting the data view to execute on SQL Server with the credentials of the user which is browsing the final dashboard, unfortunately this is not the case.
Problem:
In this scenario the authentication against SQL Server is now done with the Windows user account, under which the Service "Datazen Server Data Acquisition Service" is running. I would expect that the "Acquisition Service" will delegate the effective user. Is this possible? Or will the authentication always be done with the service account?
I know about the "personalize for each member" setting, which passes-through the username to a data view query, but this is not the same as my requirement (leverage existing MSSQL-DB-Security for effective windows-users).
Your observations are correct that by default, the service account will be recognized as being logged into SQL Server.
There's no way to get around that with settings, but you can use some T-SQL magic to switch users at runtime. You have to lead your queries with an EXECUTE AS statement, like so:
EXECUTE AS USER = 'DomainName\' + '{{ username }}'
SELECT TOP 1 login_name -- This is just a nice quick test to echo the username.
FROM sys.dm_exec_sessions -- You can swap it out for your real query.
WHERE session_id = ##SPID
This, of course, also requires the "Personalize for each Member" setting to be turned on, so that the username is passed through.
It's pretty self-explanatory what's going on here, but basically you have to explicitly impersonate the request via your service account, as SQL Server will be connected to via the database using that account. Once you run this EXECUTE AS statement, it will use that user account for the remainder of the session.
Note that your service account will need permission the IMPERSONATE permission set, or else this will fail. It will also fail, of course, for any users that exist in your Datazen Server but do not have permissions against your SQL Server, and vice-versa. That's definitely the desirable behavior, but it's worth keeping in mind if you ever add users to one, you'll also have to add them to the other.
Disclaimer: I'm a Microsoft Support professional, paid to support Datazen.
I've got an application which is running under under the credentials of the local user. However, I would like to allow this application access to a MSSQL database using specific credentials.
This isn't a problem if I use an SQL login, however I would like to use a specific Windows account for which I have the username (along with the domain) and password. Note that I do NOT wish to run the entire application using these credentials.
Is this at all possible? This SO question seems to suggest that using Integrated Security=SSPI in the connection string WITH Windows credentials specified will allow me to login to the database as that user, however I was not able to do this on my test machine.
Given how the SQL Server Management Studio logs into databases (i.e. it uses the current credentials or specified SQL credentials, but doesn't seem to permit specified Windows credentials) I'm thinking this cannot be done, but I would like a confirmation of this...
You could deal with this as the SQL Server end
by encapsulating the tasks that need done under the other account in a stored procedure created using the "EXECUTE AS Clause"
Create Proc sp_Dosomething_As_specific_user
WITH EXECUTE AS '{SpecificUser}'
BEGIN
/*Do Something*/
END
and allow the user account execute permissions on that
GRANT EXEC ON sp_Dosomething_As_specific_user TO {Actual_User}
For fuller details on the "EXECUTE AS" clause look at this
http://msdn.microsoft.com/en-us/library/ms188354.aspx
This means that you've limited the user to running only a specifically predefined action or set of actions as the other user as opposed to a general permission to let them impersonate the other user
Which is going to help keep whoever is responsible for IT security happy
I don't know if it should be like this. When I'm trying to do anything with xp_cmdshell procedure it almost every time gives me Access Denied.
For example I can't create new .txt file, can't create new user, nothing. I'm logged in with windows administrator user.
Is there any way to run this procedure with administrator privileges?
XP_CmdShell will execute under the context of the Service Account running the SQL Server Service. The service account needs the permissions to the external resources.
Could I point out however, that enabling xp_cmdshell is not a good idea. It opens lots of security holes. For example, if your app has an unknown volnerability to SQL injection, a hacker could do all sorts on your network that you rather avoid.
If you must use external resources then better approaches would include a CLR procedure or calling a Job that executes a CMDEXEC step.
xp_cmdshell executed by a windows login is executing under an impersonation context. as such any access of a remote resource (eg. access a file on a share, an operation on AD like adding an user) will fall under the constrained delegation restrictions, likely resulting in a access denied because constrained delegation is probably not to be configured on all those resources.
Greetings all, I've run into a problem that has me stumped.
I've put together a database in SQL Server Express, and I'm having a strange permissions problem.
The database is on my development machine with a domain user: DOMAIN\albertp.
My development database server is set for "SQL Server and Windows Authentication" mode.
I can edit and query my database without any problems when I log in using Windows Authentication.
However, when I log in to any user that uses SQL Server authentication (Including sa) I get this message when I run queries against my database.
SELECT * FROM [Testing].[dbo].[AuditingReport]
I get:
Msg 18456, Level 14, State 1, Line 1
Login failed for user 'auditor'.
I'm logged into the server from SQL Server Management Studio as 'auditor' and I don't see anything in the error log about the login failure.
I've already run:
Use Testing;
Grant All to auditor;
Go
And I still get the same error. What permissions do I have to set for the database to be usable by others outside of my personal domain login?
Or am I looking at the wrong problem?
My ultimate goal is to have the database be accessible from a set of PHP pages, using a either a common login (hence 'auditor') or a login specific to a set of individual users.
GRANT ALL is not performing the action you believe it to be.
I suggest for testing purposes that you consider using Database Roles in order to manage the privileges of your User.
Here is a list of the available Database-Level Roles
You can add an existing User to a Database Level role by using the system stored procedure sp_AddRoleMember. For example, the following will provide READ permission to your User for all objects within the given database.:
EXEC sp_addrolemember 'db_datareader','auditor'
Ideally, you will likely want to consider defining your own Database Roles in order to manage privileges for your Database Users.