My server setup is a bit weird. One of my DB Admins added a Linked Server to my server. In the linked server properties, I see the following in the Security view:
Local server login to remote server login mappings:
Local Login Impersonate Remote User Remote Password
domain\myusername CHECKED
For a login not defined in the list above, connections will:
- Be made using the security context
Remote login: linkedserveruser
With password: **************
Therefore, when I created a stored procedure with the following:
SELECT *
INTO #TEMP
FROM LINKEDSERVERNAME.DBName.dbo.TableName
-- Update local table after processing #TEMP
And setup a SQL job, it was failing with the following message:
Message
Executed as user: NT AUTHORITY\NETWORK SERVICE. Login failed for user 'linkedserveruser'. [SQLSTATE 28000] (Error 18456). The step failed.
After, digging through documentation, I found a KB811031 article that explains this problem and suggested that I map the security context and run the job as osql.
I did not have to map the security context because (as you can see from the settings of the linked server above), it already was mapped. I changed the Type to Operating System Command as suggested. When I run the job now, I get the following message:
Executed as user: domain\MYMACHINENAME$. Msg 18456, Level 14, State 1, Server SOMEOTHERDATABASENAME, Line 1 Login failed for user 'linkedserveruser'. Process Exit Code 0. The step succeeded.
And the job quits reporting success when in fact it failed. Any suggestions on how I can get this type of stored procedure containing a query to a linked server to run as a SQL job?
Related
I am in trouble with running SSIS packages in my etl process.
There is a table that includes etl steps with different types. i.e. Stored Procedure steps, cmd (copy-move files) steps, sending mail, SSIS steps.
A main Stored procedures runs these steps according to type of steps and logs begin-end times, errors etc. This main stored procedure is
triggered by an sql server job.
When I scheduled this job, SSIS steps takes error which is below;
Error: SSIS Error Code DTS_E_OLEDBERROR. An OLE DB error has
occurred. Error code: 0x80040E4D. An OLE DB record is available.
Source: "Microsoft SQL Server Native Client 11.0" Hresult: 0x80040E4D
Description: "Login failed for user 'server\user$'.".
Yet, when I run this main procedure manually (with my windows user login) it runs successfully.
I checked this running with proxy account, it didn't work for me. Because inside the sql server job, i run my main stored procedure not SSIS package.
proxy account reference link;
https://www.mssqltips.com/sqlservertip/2163/running-a-ssis-package-from-sql-server-agent-using-a-proxy-account/
It should work so long as your connection to the database is valid. The error message is telling you that server\user$ is not a valid login.
If the SSIS Package is connecting to the DB with a username and password (i.e., a SQL user), then it should be straight forward to set up / configure the login to have access to the server and database where your proc resides, and when you next run the job it should be able to successfully execute the proc.
If instead the SSIS Package is connecting with Windows Authentication, then you'll need to use a Proxy that specifies a Credential that references a Windows / Active Directory account with database access. In SSMS:
Server >> Security >> Credentials
create a new credential
give it a name
specify a windows account that has permissions to execute your proc
Server >> SQL Server Agent >> Proxies >> SSIS Package Execution
create a new proxy
select the credential you just created
Select "SQL Server Integration Services Package" subsystem
Server >> SQL Server Agent >> Jobs >> Your Job >> SSIS Job Step
in the "Run as" field, pick the proxy you just created
Now when you kick off the job, your SSIS package should make a connection to the database using the windows account specified in the credential set up in step 1, which should be able to successfully execute the stored proc.
does your package of SSIS any password? if not,set password for it .then edit your job and write password there too.
If you have a password in your SSIS package, make sure that the ProtectionLevel is set to "EncryptSensitiveWithPassword". If you use "EncryptSensitiveWithUserKey" then you'll be the only user who can run it.
I am learning the sql server 2012 and got stuck when using the copy datase, trying to figure out why.
I created two instances on the same host, using administrator, windows authentication.
(the default instance:iZp0w14yqtvxcmZ, the second instance: iZp0w14yqtvxcmZ\instance2, try to copy database from the default one to the second one)
It failed at the last step: execute sql server agent job.
here is the error log from windows event viewer:
Message: Failed to connect to server iZp0w14yqtvxcmZ.
StackTrace: at Microsoft.SqlServer.Management.Common.ConnectionManager.Connect()
at Microsoft.SqlServer.Dts.Tasks.TransferObjectsTask.TransferObjectsTask.OpenConnection(Server& server, ServerProperty serverProp)
InnerException-->Login failed for user 'NT Service\SQLAgent$INSTANCE2'.
Then I tried to add the login 'NT Service\SQLAgent$INSTANCE2' in the default instance. Then tried again and got another error:
Event Name: OnError
Message: An error occurred while transferring data. See the inner exception for details.
StackTrace: at Microsoft.SqlServer.Management.Smo.Transfer.TransferData()
at Microsoft.SqlServer.Dts.Tasks.TransferObjectsTask.TransferObjectsTask.TransferExtraObjectsViaSmoTransfer()
InnerException-->Windows NT user or group 'iZp0wd5ebkvswaZ\Administrator' not found. Check the name again.
But the Adminitrator does exist in the computer management -> local user and groups -> group, so I don't know what to do now. NEED HELP !!!
Thanks a lot!
after two-day's struggling, I figured it out. The sql server agent service should use a domain-based account for a multi-server environment. Also that account should be able to log in and perform the job.
I solved the issue changing the login method to system local account.
Two instances must have the same password and open, then in this case:
insert into [EI7-PC\SQLEXPRESS2].[MYCOMPANY].[dbo].[inventory] SELECT *
FROM [EI7-PC\SQLEXPRESS1].[MYCOMPANY].[dbo].[inventory] where itemno='10-0001'
The reason for the same password is unknown, this is per my experience. With two different password you may get an error about 'sa' failed to login.
I create MSSQL job with console application (operating system - cmdExec), I get error with eason 193.
There is full message:
Executed as user: NT AUTHORITY\NETWORK SERVICE. The process could not
be created for step 1 of job 0x4CB38CF498AEE244A487876F4746F5A7
(reason: 193). The step failed.
What could be a cause of it?
Have you gotten this kind of error before or have you successfully created jobs in the past?
It's likely that that specific account doesn't have the permissions necessary to create the job. If you've got access to SQL Server Management Studio, you can use the two links to learn more about the permissions needed (inside of the MSDB database) as well as how to check and set those permissions for a specific account.
SQL Agent permissions Reference
Check and set permissions for SQL Agent Jobs
I have a service broker which calls a stores procedure sp_dequeue
queue -->
ACTIVATION
( STATUS = ON,
MAX_QUEUE_READERS = 1,
PROCEDURE_NAME = sp_dequeue,
EXECUTE AS 'Username'
);
In my sp_dequeue i am inserting record in to Linked server...
So when i am calling sp_dequeue from the magmnt studio it works fine. But when its called automatically via service broker i get this error msg :
"Access to the remote server is denied because the current security context is not trusted.".
In my linked server property i have checked "Be made using this security constraint" and provided oracle userid and pwd also i have added 'Username' mapping to oracle server.(Both username and pwd of oracle/SQL are different)
I googled for this error tried mostly all combination.
Pls do help me in sloving this problem.
using Sql server 2005 and oracle 10g
The explanation is given at Why does feature … not work under activation?. One solution is to enable TRUSTWORTHY, as you did. Another one is to use code signing, see Signing an activated procedure. Code signing is more complicated to deploy, but is required in very strict security environments because the TRUSTWORTHY flags opens the path to privilege escalation from dbo to sysadmin.
I am creating a SQL Server Replication using a script. When I try to execute
The job failed. Unable to determine if the owner (STAR\moorer7) of job L3BPT2M-Atlas-14 has server access (reason: Could not obtain information about Windows NT group/user 'STAR\moorer7', error code 0x5. [SQLSTATE 42000] (Error 15404)).
This is a job created by a script that defines replication.
How do I debug this?
Active Directory is refusing access to your SQL Agent. The Agent should be running under an account that is recognized by STAR domain controller.
For me, the jobs were running under DOMAIN\Administrator and failing with the error message "The job failed. Unable to determine if the owner (DOMAIN\administrator) of job Agent history clean up: distribution has server access (reason: Could not obtain information about Windows NT group/user 'DOMAIN\administrator', error code 0x5. [SQLSTATE 42000] (Error 15404)). To fix this, I changed the owner of each failing job to sa. Worked flawlessly after that. The jobs were related to replication cleanup, but I'm unsure if they were manually added or were added as a part of the replication set-up - I wasn't involved with it, so I am not sure.
We encountered similar errors in a testing environment on a virtual machine. If the machine name changes due to VM cloning from a template, you can get this error.
If the computer name changed from OLD to NEW.
A job uses this stored procedure:
msdb.dbo.sp_sqlagent_has_server_access #login_name = 'OLD\Administrator'
Which uses this one:
EXECUTE master.dbo.xp_logininfo 'OLD\Administrator'
Which gives this SQL error 15404
select text from sys.messages where message_id = 15404;
Could not obtain information about Windows NT group/user '%ls', error code %#lx.
Which I guess is correct, under the circumstances. We added a script to the VM cloning/deployment process that re-creates the SQL login.
In my case I was getting this error trying to use the IS_ROLEMEMBER() function on SQL Server 2008 R2. This function isn't valid prior to SQL Server 2012.
Instead of this function I ended up using
select 1
from sys.database_principals u
inner join sys.database_role_members ur
on u.principal_id = ur.member_principal_id
inner join sys.database_principals r
on ur.role_principal_id = r.principal_id
where r.name = #role_name
and u.name = #username
Significantly more verbose, but it gets the job done.
Just solved this problem. In my case it was domain controller is not accessible, because both dns servers was google dns.
I just add to checklist for this problem:
check domain controller is accessible
I was having the same issue, which turned out to be caused by the Domain login that runs the SQL service being locked out in AD. The lockout was caused by an unrelated usage of the service account for another purpose with the wrong password.
The errors received from SQL Agent logs did not mention the service account's name, just the name of the user (job owner) that couldn't be authenticated (since it uses the service account to check with AD).
I had to connect to VPN for the publish script to successfully deploy to the DB.
In our case, the Windows service account that SQL Server and SQL Agent were running under were locked out in Active Directory.
I just got this error and it turns out my AD administrator deleted the service account used by EVERY SQL Server instance in the entire company. Thank goodness AD has its own recycle bin.
See if you can run the Active Directory Users and Computers utility (%SystemRoot%\system32\dsa.msc), and check to make sure the account you are relying on still exists.