I've setup a Service Broker on one of databases to automatically pick up stored procedures in a specific schema (Build) and run them on a daily basis. So far everything has been running fine, however we've now got a need where we need to access a remote sql server which is running SQL Server 2017 and has the latest Machine Learning Service installed.
I've given the service account that runs the primary SQL Server (SQL 2016) access on the remote server, and ensured the Service Broker is executing under the service account, rather than the local SQL account (sa).
Whenever we try to access the remote server, we are getting the following error:
Linked servers cannot be used under impersonation without a mapping
for the impersonated login.
I've tried adding an EXECUTE AS to the process, however this doesn't seem to make a difference. I've also ensured it is running under the service account, and it is.
I can get it to work using a mapped login on the linked server, however this isn't ideal, as we don't want to run the sql server in mixed authentication as this has been determined as an IT risk.
I've run out of ideas or what I can do here, and can't find any other help pieces with this same problem. I did want to roll this process out to more of our warehouse builds, however this is a deal breaker at this stage.
help?
Related
We recently migrated an application database to a new version from winserv2008/sql2008 to winserv2012R2/Sql2014. A service that pulls on this DB needs to be redesigned to accommodate some minor table/view definition changes.
Running the service code through tests under my personal security context works fine. However, installing and starting the service under .\LocalSystem is problematic. Looking at the service logs in event viewer I see that the service tries to connect to the sql server but gets a ERROR[28000] Login failed for user 'Domain\LocalSystemName$'.
The connection is via ODBC, SQL Server Native Client 11.0. Connection string is like:
"dsn=dsn_name;Driver={SQL Server Native Client 11.0};Database=database_name;Integrated Security=False;uid=accountname;pwd=accountpassword;Connect Timeout=15;ApplicationIntent=ReadOnly;"
Also, through the course of troubleshooting I've discovered/confirmed several things.
The sql server credentials I am using are correct, they are also being used to connect from a SQL2016 instance to the SQL14 server as a linked server.
The original service install on a utility server appears to be hitting the new database fine after the ODBC connection settings were switched.
My questions are:
Have you run into anything like this before?
Am I missing something simple in my connection string?
Are there per machine security settings in sql14 that I'm missing?
I have a powercenter 9.1 installation on windows server 2008 R2.
The repository is on the same box, hosted on sql server 2012. I have configured a new user (with sql server authentication) and have the repo db owned by that user. (it has the owner role)
The core problem : I am not able to run a simple test workflow on this setup.
Here's what I have been trying
The windows firewall has been taken down now for about an hour or so.
The repository service and integration service are running in trace/debug mode respectively.
The integration service log complains that it cant find a certain session for a certain workflow in certain folder (with ids for all of them).
When I log into sql server mgmt console, and try to query the repository tables for those exact items (since i have the ids from logs), all the data is present...
I fail to understand what is that I am messing up...
Disclaimer - my knowledge of sql server is really low.. may be 1 or 2 on scale of 10, since I have been living on the other side of fence (with oracle) for all of my career...
Did you try keeping the sql server login/user name and the associated default schema name as same?
I am working on DW with SSAS cube. While development, my Cube is hosted on SQL SERVer 2008R2 on a development Server (Windows Server 2003).
Now, post to development phase I need to host the cube on test Server which would be on a remote location to which I do not have the access.
What are the possible ways I can host it on the server keeping in mind that If needed I need to re-deploy on server from BIDS Studio (when some bug arises).
What credentials I'll be needing (Will it do If I have a SQL sys rights or a windows account in that domain is a must)?
Thanks in advance!!1
In theory you shouldn't worry about it, taking into consideration of course, you have someone with access to the destination server.
You should never use BIDS to deploy your cube, it cant deal with partitions or security for example. Every deployment would overwrites these management settings of the target server.
Instead, you should use the Deployment Wizard to create your script and the you would send it to the person responsible for the deployment.
If you need more info about the deployment wizar, check my answer on this post
I was implemented a windows application which is working perfectly.
The concept is to read an Access Database and export to MS SQL Server 2005 Database.
Now i want to make it as windows service and half way done. The problem is it is not working (Not updating the database).
The service was installed perfectly and running but not updating the database. I made that service as "Local Service", "Network Service", "Local System" and "User" bu not working for any of this type.
Can any one help me out for solving this.
The development environment is MS Visual Studio 2005, C#.NET, MS Access, MSSQL SERVER 2005 and Network supported Environment.
Thanks.
You could do this with Linked Server or an SSIS job running on SQL Agent which may well have been easier but... to tackle your question itself:
You mention trying different accounts to run the service - have you granted any of those accounts the appropriate rights on your target database to allow the service to update the data. Do they also have rights on your source (Access) database to read it.
Have you checked the Event Logs on the server and the SQL Server logs to look for reported errors, failed logins etc?
You could hook up the debugger to your running service to try and identify the problem whilst it's running or alternatively you need to write in some kind logging statements so that you can identify where your code is getting up to before it fails and log out the error message(s) so give you something to work with.
I am using SQL Server 2008. I am confused about which account will be used when a SQL Server agent job runs. My confusions are,
SQL Server agent as a Windows Service which we could control from Windows Service Management Console, from there we could set the account to run SQL Server Agent (LocalSystem in my computer);
Could I set SQL Server agent job level account to run on?
Could I set in each step which account SQL Server agent job step will run on?
I have above confusions because 3 different account systems may be used and my concern is what is the actual account each step will run on, and I want to avoid any permisson issues (i.e. I want to make sure the account have enough permission.). Any comments or advice? Appreciate anyone could clarify the 3 levels of accounts, which makes me very confused.
thanks in advance,
George
I would typically run the SQL Server Agent jobs under the same account as your app accesses the database.
If that account is too limited in its permissions (which might be a good thing!), I would create a single account for that app and all its SQL jobs (if that's possible) and run all SQL jobs under that account.
You could potentially run each step under a different account, but I wouldn't use that in general (it just makes it really hard to know and understand what is run under which account). Only use it if you have to run a particularly sensitive step that needs a bunch of extra permissions and those permissions are only available to a particular system account or something.
The account under which the SQL Server Agent windows service runs really doesn't have an impact on what your job steps will be run under.
So it boils down to really just two accounts:
one account is needed to run the SQL Server Agent Windows service - this is a Windows account on your machine / server which needs to have enough permissions to run the service, start and stop it - either use LocalSystem, Network Service, or whatever other Windows account you have to run services with
The other account would be the account to run your SQL Server Agent steps under - that's typically a SQL Server account (which could be based on a Windows account), and it needs enough privileges inside SQL Server to do its job, e.g. it needs access to the database objects and all. I would strive to have just one account for each app that runs the SQL Server jobs - makes life a whole lot easier!
Marc
PS: To set the user to run a step under, you need to use the "Advanced" page on the Job step property dialog and select the user from a popup window:
You can create Credentials in SQL Server (use Mgt Studio, under Security). Then create a Proxy in SQL Agent to use those credentials, telling it what kind of job steps can be used by the proxy. Then you get the choice to use that Proxy in the job step itself.
So... I make accounts for various SSIS packages to run under, so that I can keep the SQL Agent Service Account low privilege, and use a proxied credential with slightly higher privilege (not admin though, just enough permission to connect to other systems, including the File System).
Rob