Proxy Account Security.
Apr 26, 2007
Hi experts,
Is there any potential security threat using Proxy accounts in SQL Server 2005 ? If any , Please give URLs for reference.
Thanks,
DBLearner
ADVERTISEMENT
Xp_cmdshell Does Not Execute For Non-sysadmin Account Even With Proxy Account
Mar 2, 2004Hi all, i hope you can help me.
Basically a dts package has been setup that pulls in data from another companies server, this data requires to be on-demand i.e individual users can pull in updates of the data when they require it.
I am using xp_cmdshell and dtsrun to pull in the data. This obviouly works fine for me as i am a member of sysadmin.
Books online quotes " SQL Server Agent proxy accounts allow SQL Server users who do not belong to the sysadmin fixed server role to execute xp_cmdshell"
So i went to the SQL Server Agent Properties 'Job System' tab and unchecked 'Non-sysadmin job step proxy account' and entered a proxy account.
The proxy account has been setup as a Windows user with local administrator privilages and even a member of the sysadmin server role - just in case.
Now when i log onto the db with my test account - a non-sysadmin - and attempt to run the stored proc to import the data i recieved the message 'EXECUTE permission denied on object 'xp_cmdshell', database 'master', owner 'dbo' '
hmm... so basically i have either misunderstood BoL or there is something not quite right in my setup.
I have search the net for a few days now and yet i can find no solution.
Can anyone help?
Proxy Account.
May 8, 2007Hi Experts,
Is it possible to connect to SQL Server just using the SQL server agent's proxy account and access data ( without SQL management studio or SQL / Window authentication ). The proxy account is active only for SSIS package execution subsystem.
Thanks in advance,
DBLearner.
Error On SET Proxy Account
Aug 3, 2005I'm trying to set a proxy account for the SQL agent. The user is Local
administrator on the SQL Server when I try to set the account I get a message back that says
"The system cannot find the path specified."
I get the same error with TSQL too.
EXEC master..xp_sqlagent_proxy_account
'SET', N'MY_DOMAIN', N'Myadm', N'MyPassword'
My system :
Windows Server 2003 SP1
SQL Server 2000 SP4
I am worried it might be interfering with someing.
Any ideas what paths it could be after?
SQL 2012 :: Proxy Account Not Being Used
Jan 14, 2015I have a frustrating problem where I am using the Ola Hallengren jobs to backup to a network share. (This isn't something specific to his scripts).
For various reasons the SQL Server account can not be granted access to the share so I thought I would use a proxy account which does have access (this has been fully tested). I am using a CmdExec proxy.
The problem comes now that when I run the job it still thinks access is denied when running the xp_create_subdir command.
When I recreated this problem locally on my machine, as soon as I add the SQL Server account access to the share the backups work, so why isn't the job using the proxy account?
Creating A Proxy Account
Oct 30, 2006I am trying to run SSIS packages under SQL Server Agent 2005 and I keep getting a package failed error in the event viewer.
I've heard that I need to set up a proxy account. I have found the following code and need a little explanation on what all the parts mean since I am very new to this:
Use master
CREATE CREDENTIAL [MyCredential] WITH IDENTITY = 'yourdomainmyWindowAccount', secret = 'WindowLoginPassword'
Use msdb
Sp_add_proxy @proxy_name='MyProxy', @credential_name='MyCredential'
Sp_grant_login_to_proxy @login_name=' devlogin', @proxy_name='MyProxy'
Sp_grant_proxy_to_subsystem @proxy_name='MyProxy', @subsystem_name='SSIS'
Let's say for the sake of argument my domain is called CompanyInc and I log into windows with my name Philip_Jaques and my password is badpassw0rd. Would I modify the above code this way to create my proxy?
Use master
CREATE CREDENTIAL [MyCredential] WITH IDENTITY = 'CompanyIncPhilip_Jaques', secret = 'badpassw0rd'
Use msdb
Sp_add_proxy @proxy_name='MyProxy', @credential_name='MyCredential'
Sp_grant_login_to_proxy @login_name='Philip_Jaques', @proxy_name='MyProxy'
Sp_grant_proxy_to_subsystem @proxy_name='MyProxy', @subsystem_name='SSIS'
Also, when I create this proxy account where in SQL Server 2005 can I go to view it and its properties? And assuming I get the proxy account set up correctly, how do I get my current jobs to start using it so they will successfully run?
Thanks in advance for your help and advice!
Proxy Account/Credential
Feb 14, 2008There is one thing that€™s confusing me in creating a proxy account.
I am trying to get an SSIS package configured as a SQL Server job and execute it from a non-sysadmin login. But when I execute it gives the error message:
Non-SysAdmins have been denied permission to run DTS Execution job steps without a proxy account. The step failed.
I know that we have to create a proxy account for this to happen and creating of proxy account prompts me to choose a credential, and that is where I do not understand the logic. From MS website I can find the following, but it is confusing to me
This proxy account must use a credential that lets SQL Server Agent run the job as the account that created the package or as an account that has the required permissions.
ref: http://support.microsoft.com/default.aspx?scid=kb;EN-US;918760
I tried reading all the related articles, but still the process of creating the credential is confusing to me, can someone throw some light on the logic of proxy/credential here?
Thanks
Satya
Cannot Use Credentials For Proxy Account
Jul 31, 2006Hi,
because my package does not run with SQL-Server-Agent, but without problems if started by "hand", I created a new credential which contains the information needed for the package. I did this as described on: http://msdn2.microsoft.com/en-us/library/ms190703.aspx .
After that i tried to create an proxy account, but when I chose the created credential, Management Studio says "Der Proxy "[name_of_credential] ist kein gĂĽltiger Windows-Benutzer(Microsoft SQL Server, Fehler: 14529)". This means something like: "This Proxy is not a valid windows-user. Error: 14529".
Any hints how to use a credential that is not a windows-user?
Regards,
Jan Wagner
Proxy Account Not Responding
Feb 15, 2006Hi,
I have an SSISS package running in a job step, the job is owned and has to be run by a non-sysdamin SQL login. I have created a new credential (windows autrhentication, sysadmin priviledges) , mapped it to proxies 'SSISS' and 'Operating systems (CmdExec)' and have assigned the job step to run as that credential. Yet I'm getting the following error message:
Unable to start execution of step 1 (reason: Error authenticating proxy DomainUserName, system error: Logon failure: unknown user name or bad password.). The step failed.
Does anyone know why this is?
Thanks
Proxy Account - SQL Server
Jan 2, 2008Hello,
I'm having trouble setting up PROXY account. I follow the documentation, and Under Credentials, I can only select Operator. Is there a way to select any account under Security?
Your help is appreciated!
Error Authenticating Proxy Account
Feb 5, 2008Hello,
I am trying to create a job that runs a SSIS package. I am getting the following error:
Message
Unable to start execution of step 1 (reason: Error authenticating proxy domainsckeels, system error: Logon failure: unknown user name or bad password.). The step failed.
Our DBA ran the following to create the credentials and proxy account.
USE MSDB
CREATE CREDENTIAL [sckeels] WITH IDENTITY = 'domainsckeels', secret = 'sckeels_credentials'
GO
Sp_add_proxy @proxy_name='ssis_users', @credential_name='sckeels'
GO
Sp_grant_login_to_proxy @login_name='domainsckeels', @proxy_name='ssis_users'
GO
Sp_grant_proxy_to_subsystem @proxy_name='ssis_users', @subsystem_name='SSIS'
Any help with this would be appreciated.
Steven
Proxy Account Principals Not Saved
Jul 12, 2007I am trying to create a Proxy account to use for Job Scheduling, but when ever I add Logins to the Principals in the Proxy Properties and click OK, when I check again, they are not saved. Is there a reason why this happens? Is there an alternate way to add principals? Thanks.
View 2 Replies View RelatedExecute A Stored Procedure Using A Proxy Account
Sep 18, 2007Hi all,
I have a problem while i create a proxy account.The situation is like this...There is a user who has an login in to the server.He has a stored procedure which calls some on the SSIS packages and XP_cmdshell...so this stored procedure basically load some data in to the tables .So for the login in order to execute the stored procedure as he is not a Sys admin I have created a proxy account in my account as Iam an SA and then in the proxies and in principals I selected his login name and this way I have created a credential and a proxy account.
Now the problem is if he logins with his id and password and try to execute the stored procedure it gives an error message
Server: Msg 15153, Level 16, State 1, Procedure xp_cmdshell, Line 1
The xp_cmdshell proxy account information cannot be retrieved or is invalid. Verify that the '##xp_cmdshell_proxy_account##' credential exists and contains valid information.
....so this mean the login is not able to see the proxy account.So what I did is I created a job and then in the job owner tab I have selected his login and then created a step with the type operating system (CmdExec) as I need to just execute the stored procedure and used the proxy account that I have created.
so I gave the command -- exec <stored procedure> --.
But this job fails and gives the error message as
[298] SQLServer Error: 536, Invalid length parameter passed to the SUBSTRING function. [SQLSTATE 42000]....
So now ....first My question is am I doing in a right way....if its right then why Iam not able to execute the stored procedure.
If there is any other way through which I can execute the stored procedure using a proxy account for the logins who are not sys admins....please do let me know.....
Thanks
Raja.V
SQL2K CmdExec Proxy Account Setup
Aug 15, 2007Hi, I have the following setup:
- Win 2K Server, SP4
- SQL Srv 2K, SP4
- A 'DEV' domain, with an 'Administrator' account with all possible rights on the system
I need to configure a CmdExec proxy account in order to allow non-sys-admin users to execute the master.dbo.xp_CmdShell procedure.
When attempting to do this via QA as follows:
EXEC master.dbo.xp_sqlagent_proxy_account N'SET',
N'DEV', -- agent_domain_name
N'Administrator', -- agent_username
N'password' -- agent_password
...I get the following error:
"The system cannot find the path specified."
When attempting to do this via QA as follows (note: only change is adding domain to agent_username arg):
EXEC master.dbo.xp_sqlagent_proxy_account N'SET',
N'DEV', -- agent_domain_name
N'DEVAdministrator', -- agent_username
N'password' -- agent_password
...I get the following error:
"Error executing extended stored procedure: Specified user can not login"
I have tried this through Enterprise Manager and get identical results, of course.
I have also tried all of the following:
- different OS user accounts, including local system accounts with local admin rights;
- assigning the OS account to a SQL login with System Admin role/rights;
- specifically assigning the above SQL login with EXEC rights on the master.dbo.xp_CmdShell procedure;
- verifying local security policy settings, as per the following link: http://support.microsoft.com/?id=283811;
- pulling out my hair and banging my head against the wall.
Can anyone H E L P ? ! ! !
Thanks,
Joe
Execute Stored Proc Using A Proxy Account In 2005
Sep 18, 2007Hi all,
I have a problem while i create a proxy account in SQL Sever 2005.The situation is like this...There is a user who has an login in to the server.He has a stored procedure which calls some on the SSIS packages and XP_cmdshell...so this stored procedure basically load some data in to the tables .So for the login in order to execute the stored procedure as he is not a Sys admin I have created a proxy account in my account as Iam an SA and then in the proxies and in principals I selected his login name and this way I have created a credential and a proxy account.
Now the problem is if he logins with his id and password and try to execute the stored procedure it gives an error message
Server: Msg 15153, Level 16, State 1, Procedure xp_cmdshell, Line 1
The xp_cmdshell proxy account information cannot be retrieved or is invalid. Verify that the '##xp_cmdshell_proxy_account##' credential exists and contains valid information.
....so this mean the login is not able to see the proxy account.So what I did is I created a job and then in the job owner tab I have selected his login and then created a step with the type operating system (CmdExec) as I need to just execute the stored procedure and used the proxy account that I have created.
so I gave the command -- exec <stored procedure> --.
But this job fails and gives the error message as
[298] SQLServer Error: 536, Invalid length parameter passed to the SUBSTRING function. [SQLSTATE 42000]....
So now ....first My question is am I doing in a right way....if its right then why Iam not able to execute the stored procedure.
If there is any other way through which I can execute the stored procedure using a proxy account for the logins who are not sys admins....please do let me know.....
Thanks
Raja.V
Does Xp_cmdshell Proxy Account Need Admin-level Permissions?
Oct 4, 2007Re: SQL Server 2005
Does the xp_cmdshell proxy account need admin-level permissions on the server?
The reason I ask this is because I keep getting "Access is Denied" errors when trying to run this command as a non-admin:
master..xp_cmdshell dtexec 'some package'
The 'some package' has an "execute process task" which calls a batch file on the server.
If the proxy account is NOT a local admin, the "execute process tasks" fails with an "Access is Denied" error.
If the proxy account is a local admin, it executes fine.
We have given "Everyone" FULL CONTROL of all the folders that are affected by the batch file, and it still does not work.
I am out of ideas at this point. It just does not work unless it's an admin.
Are we missing something here?
Integration Services :: Required Privilege Is Not Held By Client In SSIS With Proxy Account
Jun 16, 2015I running SSIS package job without sql agent , it is working fine.when i am running through sql agent not running.
created Proxy accountÂ
job failed and give above error.
Server is cluster and taking data from desktop.
server is in one domain and desktop in another domain.
Execute A Stored Procedure Which Calls SSIS Packages Using A Proxy Account For Non Sysadmins In Sql Server 2005
Sep 18, 2007
Hi all,
I have a problem while i create a proxy account.The situation is like this...There is a user who has an login in to the server.He has a stored procedure which calls some on the SSIS packages and XP_cmdshell...so this stored procedure basically load some data in to the tables .So for the login in order to execute the stored procedure as he is not a Sys admin I have created a proxy account in my account as Iam an SA and then in the proxies and in principals I selected his login name and this way I have created a credential and a proxy account.
Now the problem is if he logins with his id and password and try to execute the stored procedure it gives an error message
Server: Msg 15153, Level 16, State 1, Procedure xp_cmdshell, Line 1
The xp_cmdshell proxy account information cannot be retrieved or is invalid. Verify that the '##xp_cmdshell_proxy_account##' credential exists and contains valid information.
....so this mean the login is not able to see the proxy account.So what I did is I created a job and then in the job owner tab I have selected his login and then created a step with the type operating system (CmdExec) as I need to just execute the stored procedure and used the proxy account that I have created.
so I gave the command -- exec <stored procedure> --.
But this job fails and gives the error message as
[298] SQLServer Error: 536, Invalid length parameter passed to the SUBSTRING function. [SQLSTATE 42000]....
So now ....first My question is am I doing in a right way....if its right then why Iam not able to execute the stored procedure.
If there is any other way through which I can execute the stored procedure using a proxy account for the logins who are not sys admins....please do let me know.....
Thanks
Raja.V
What Is Security Account Delegation (was Hi)
Feb 26, 2005can any 1 give info on "Security Account Delegation"
thanks in advance
No Mapping Between Account Name And Security ID
Jul 4, 2007Hi,I created a user account on my active directory service. I then triedto assign a service located on my SQL server to be executed by thisaccount. However, when I try to configure my SQL server service, Iget the following error message:WMI Provider Error"No mapping between account name and security ID was done"Do you know what I am doing wrong?thanks
View 1 Replies View RelatedService Account And CLR Security
Aug 6, 2007
By default does CLR code run under the SQL Service Server account or the SQL Agent Service Account? Does anybody have a link to BOL or MSDN???
My assumption is its under SQL Server Service Account.
I'm trying to satisfy the DBA's security concerns in regards to CLR Code. If the account it runs under (Agent or service) has zero privliges will a dba still be able to maintain the server? Wouldnt all their backups work under a privilaged account that isnt the SQL Server Service Account?
Double posted in security.
SQL Security :: SPN Account On More Than One Instance
Oct 28, 2015Can you use a SQL service account (domain account) on two different SQL instances?
Can you set the SPN for both clusters instances with the same account?
Security Account Delegation
Oct 22, 2006Hi world,
I have a question, but first I need to give you some background:
My network works with Active Directory on Windows 2000, and I have web servers running on windows 2003 and SQL Servers 2000 running on Windows 2003.
I wanted to enable account delegation and I found a bunch of information.
Everything seemed "easy", but I tried to test it first on my test servers anyways and this is what happened:
We created the SPN for the SQL Server
Account is trusted for delegation check box was selected for the service account of SQL Server.
Account is sensitive and cannot be delegated check box was not selected for the user requesting delegation.
But when we checked the box Computer is trusted for delegation (and only this box !!) in the server running an instance of SQL Server 2000, the role of this server changed magically (just like this guys, it was magic) from "server" to "Domain Controller".
We were intrigued about this change, but we "trusted" the white paper that we had in front of us.
http://support.microsoft.com/kb/319723
After some hours, the production web servers (of the whole network) and many workstations stopped working:
The IIS on this web servers will show an empty list of websites
The network and dial-up connections were missing on the web servers and also on the workstations.
The web servers and the workstations affected were "isolated" from the network, the command ping was not finding any of this computers.
Anyway, it was a nightmare, it took a while to fix the mess, we reverted the changes in Active Directory, and this makes me thing that the magical "promotion" of the SQL server to Domain Controller had to do with all this.
the questions is:
Do you have an idea about what could have caused all this? I mean, I still need to enable this account delegation thing. But I would like to know first if someone has done it before in a similar environment or if someone has run into one of the problems described before.
Thanks world.
Proxy Auto-Configuration Url Not Found Error - But Not Using Proxy
May 15, 2007I have read all the posts regarding this error, but non-solve my problem as I had already addressed them.
I am setting up Merge Replication via the Web and I get this error when i try to sync. Let me give you some background.
I wrote a small windows test app to test merge replication, in which i am using RMO to accomplish the replication. This works. It syncs every time. I then copied the "sync" code from the winform application and created a Windows Service in which i placed "sync" code. The sync code did not change other than adding the additional following four lines:
_mergeAgent.InternetUrl = _internetURL;
_mergeAgent.InternetLogin = _internetLogin;
_mergeAgent.InternetPassword = _internetPassword;
_mergeAgent.InternetTimeout = _internetTimout;
where the internet url is https://ipaddress/virtualdirectory/replisapi.dll
I have been working with this for a while now trying to figure out why this works (on the same machine) in a winforms app but not through the web (via a windows service).
Any insight would be greatly appreciated.
Thanks...
Security Login Account Restore
Oct 25, 2007
Hey Everyone,
I am testing restoring databases on another SQL 2005 server in out environment using HP data protector 5.5 and its great. However, I notice that the security login accounts do not get restored. If this is the case how do I go about getting accounts restored? Also, are there any other options?
Cheers,
Mark
No Mapping Between Account Names And Security IDs Was Done.
Jun 7, 2006I received the following when trying to deploy an 2005 analysis services package over an existing database:
The following system error occurred: No mapping between account names and security IDs was done.
We have redeployed this solution several times over the last week and have never encountered this error. The changes that we are deploying are related to partitioning of the measure group fact tables - and are not related to security in any way. Can someone assist?
Security Problem Running Xp_cmdshell From Non-sa Account
Dec 17, 1999Our system is MS SQL Server v7 and NT 4. We have a stored procedure that exec's xp_cmdshell to run an external program located on the server. When a user who has 'sa' rights runs this stored procedure it works fine. When a 'non-sa' user (via the "BuiltinUsers" NT account) runs it, xp_cmdshell produces the following error:
Msg 50001, Level 1, State 50001
xpsql.c: Error 1385 from LogonUser on line 476
Is there an NT security or SQL Server setting I've overlooked that can be changed to allow non-sa users to xp_cmdshell programs?
n.b. The BuiltinUsers account does already have execute permission on the xp_cmdshell procedure.
Urgent - No Mapping Between Account Names And Security IDs Was Done Error !
Feb 28, 2007Hi There
When i go to configuration manager and change the sql server service to run as a domain account i get the following error:
No mapping between account names and security IDs was done.
This is Sql Server Express running on a domain controller - Windows Server 2003 R2.
Everything i find ont he net refer to IIS, DHCP etc etc , i cannot find the issue regrading sqls server configuration manager.
Thanx
SS2000 Error: No Mapping Between Account Names And Security IDs Was Done
Oct 25, 2007Hello all;
I am trying to form a replication system but at the very beginning i couldn't pass an obstacle.
While trying to create the Replication it says i have to change the user which starts the SQL Agent because the current starter user account is a system account and this will make the replication between servers fail.
"SQL Server Agent on OZN currently uses the system account, which causes the replication between the servers fail. In the following dialog box, specify another account for the service startup account."
I change it in the properties dialog box of the SQL Server Agent. The new account is the one I formed and granted accordingly. But it gives the following error when I try to apply the changes.
" Error 22042: xp_SetSQLSecurity() returned error -2147023564, 'No mapping between account names and security IDs was done' "
I tried many things, searched in the net, changed the owner of the database, applied new accounts, many grants, applied service pack 4, etc...
If anyone helps it will be very much appreciated. Thanks in advance...
Setup And Upgrade :: No Mapping Between Account Names And Security ADs Was Done
Aug 26, 2015Our software vendor rep is trying to upgrade MS SQL server 2008 SP4 to 2012 SP1. Get an error message: no mapping between account names and security ADs was done. He says that we get this error message because we have two domain controllers in our network, and one is running on the same windows server that run sql server. Out IT support disagrees to delete the second domain controller, saying it is recommended by Microsoft and he suggests that the problem is in Active directory.
View 2 Replies View RelatedFailure Setting Security Rights On User Account SQLServer2005BrowserUser${computerName}
May 29, 2007I'm trying to install SQL Server 2005 Express on a Windows 2000 server, but I'm getting the following error message:
"Failure setting security rights on user account SQLServer2005BrowserUser${computerName}"
Can anyone help me please?
Whether To Use Local System Account Or Domain Account For Service Account
Jan 5, 2006During install of SQL Server 2005, we can of course use a domain account or the built-in system account for running the services. I lean toward domain for obvious reaons but would like to know a +/- to each option and why I'd choose one over the other and what consequences or limitations one may encounter if I choose one over the other.
View 6 Replies View RelatedSQL Security :: What Windows Account Used Server Login To Access Server
May 14, 2015If we have a "pool" SQL login, a one that uses SQL Server authentication, and this login is used by different domain account to access SQL Server, is there a way to audit which domain account used that "pool" login to do something on a object in SQL Server? I have to keep this way of accessing SQL Server, so how to create a login for every domain account accesses SQL Server
View 7 Replies View Related