SQL Server Agent start and stop script which can be run by normal user not system admin - sql

I have created a couple of jobs in SQL Server Agent. Now I need to deploy these jobs on client machines. Client SQL Servers don't have system admin login.
What I want to do is to let normal SQL login (not system admin) users run the start and stop SQL Agent Service script.

You could create a stored procedure with execute as owner. That procedure will run as system admin and can start and stop jobs with sp_start_job.
You can then give normal users execute rights on the stored procedure. That will allow them to start/stop jobs.
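
The wrapper this answer describes, written out as an added example (not code from the original post); it goes one step further than the answer by allow-listing job names, so EXECUTE rights on the wrapper do not become the right to start every job on the instance. Assumptions: the objects are created in msdb by a sysadmin so that dbo owns the procedure, and the table, procedure, role and job names are hypothetical.

```sql
-- Added example. dbo.AllowedAgentJobs, dbo.usp_StartAllowedJob,
-- AgentJobStarters and 'Nightly Import' are hypothetical names.
USE msdb;
GO

-- Allow-list of jobs that non-admin callers may start.
CREATE TABLE dbo.AllowedAgentJobs
(
    job_name sysname NOT NULL PRIMARY KEY
);
INSERT INTO dbo.AllowedAgentJobs (job_name) VALUES (N'Nightly Import');
GO

CREATE PROCEDURE dbo.usp_StartAllowedJob
    @job_name sysname
WITH EXECUTE AS OWNER          -- body runs with the owner's rights, not the caller's
AS
BEGIN
    SET NOCOUNT ON;

    -- Refuse anything that is not explicitly allow-listed.
    IF NOT EXISTS (SELECT 1 FROM dbo.AllowedAgentJobs WHERE job_name = @job_name)
    BEGIN
        RAISERROR(N'Job is not on the allow-list.', 16, 1);
        RETURN 1;
    END;

    DECLARE @rc int;
    EXEC @rc = dbo.sp_start_job @job_name = @job_name;
    RETURN @rc;
END;
GO

-- Callers get EXECUTE on the wrapper only: no rights on sp_start_job
-- itself and no rights on the allow-list table.
CREATE ROLE AgentJobStarters;
GRANT EXECUTE ON dbo.usp_StartAllowedJob TO AgentJobStarters;
-- Then add the non-admin database user to the role, e.g.:
-- ALTER ROLE AgentJobStarters ADD MEMBER [client_user];   -- hypothetical user
```

A matching wrapper around sp_stop_job follows the same shape. Keep write access to dbo.AllowedAgentJobs restricted to administrators, since that table decides what the elevated procedure will run.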

Related

Sync-DbaAvailabilityGroup Not working from a SQL Server agent job

I'm using Sync-DbaAvailabilityGroup to sync jobs and user logins across my availability groups. When I run the PowerShell script from PowerShell it works as expected; however, when I run it from a SQL Server Agent job it succeeds but doesn't copy any jobs or users over.

Azure SQL Managed Instance - Agent Jobs won't run

What's the 'trick' to run jobs on a SQL Managed Instance with SQL Server and Windows Auth enabled and login authentication set to Azure Active Dir - universal with MFA?
SQL Server Agent jobs created by our DBAs are failing with
'Executed as user: DBC40\AasdfppEWawer. Login Failed. The login is from an untrusted domain and cannot be used with integrated authentication. [sqlstate 28000](Error 18452).'
Tried specifying the user to run the job under - same outcome
Tried specifying the user to run the step under - same outcome
We installed the OLA tools with no issues, those jobs run just fine.
rm

Running SSIS package which runs SQLCMD with -E

I have an SSIS 2012 package which runs a SQL command by executing the SQLCMD command line utility with the -E switch. This switch means that it should use a trusted connection to connect to SQL Server.
The problem is that if I try to run the package directly through Object Explorer, I get an ANONYMOUS LOGON error. I get the same error running the package using stored procedures.
The only way i can run it is through SQL Server Agent Job which then uses SQL Server Agent login.
The question is how to run package using stored procedures with some user which will be used for trusted connection?

Two options. For your manual executions, you'll need to use the RunAs command to launch the dtexec process as the desired user. Covered it a bit in this answer: Deploying SSIS (SQL Server 2012) Project Outside Network
For scheduled executions, you'll need to create the appropriate stored credentials within SQL Server, authorize those credentials for use with jobs of type SSIS and then create your job using those stored credentials.

SQL Server agent job account issue

I am using SQL Server 2008. I am confused about which account will be used when a SQL Server agent job runs. My confusions are,
SQL Server agent as a Windows Service which we could control from Windows Service Management Console, from there we could set the account to run SQL Server Agent (LocalSystem in my computer);
Could I set SQL Server agent job level account to run on?
Could I set in each step which account SQL Server agent job step will run on?
I have the above confusions because 3 different account systems may be used and my concern is what is the actual account each step will run on, and I want to avoid any permission issues (i.e. I want to make sure the account has enough permission). Any comments or advice? I would appreciate it if anyone could clarify the 3 levels of accounts, which makes me very confused.
thanks in advance,
George

I would typically run the SQL Server Agent jobs under the same account as your app accesses the database.
If that account is too limited in its permissions (which might be a good thing!), I would create a single account for that app and all its SQL jobs (if that's possible) and run all SQL jobs under that account.
You could potentially run each step under a different account, but I wouldn't use that in general (it just makes it really hard to know and understand what is run under which account). Only use it if you have to run a particularly sensitive step that needs a bunch of extra permissions and those permissions are only available to a particular system account or something.
The account under which the SQL Server Agent Windows service runs really doesn't have an impact on what your job steps will be run under.
So it boils down to really just two accounts:
One account is needed to run the SQL Server Agent Windows service - this is a Windows account on your machine / server which needs to have enough permissions to run the service, start and stop it - either use LocalSystem, Network Service, or whatever other Windows account you have to run services with.
The other account would be the account to run your SQL Server Agent steps under - that's typically a SQL Server account (which could be based on a Windows account), and it needs enough privileges inside SQL Server to do its job, e.g. it needs access to the database objects and all. I would strive to have just one account for each app that runs the SQL Server jobs - makes life a whole lot easier!
Marc
PS: To set the user to run a step under, you need to use the "Advanced" page on the Job step property dialog and select the user from a popup window:

You can create Credentials in SQL Server (use Mgt Studio, under Security). Then create a Proxy in SQL Agent to use those credentials, telling it what kind of job steps can be used by the proxy. Then you get the choice to use that Proxy in the job step itself.
So... I make accounts for various SSIS packages to run under, so that I can keep the SQL Agent Service Account low privilege, and use a proxied credential with slightly higher privilege (not admin though, just enough permission to connect to other systems, including the File System).
Rob
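
The credential, proxy and job-step sequence described in this answer (and in the "stored credentials" answer to the SSIS question above), written as T-SQL. This is an added example, not code from either post; every account, credential, proxy, job and path name is a placeholder, and the job 'Nightly Import' is assumed to exist already.

```sql
-- Added example. All names, the Windows account and the package path are placeholders.
USE master;
GO
-- 1. Store the low-privilege Windows identity the step should run as.
CREATE CREDENTIAL SsisFileLoadCred
    WITH IDENTITY = N'CONTOSO\svc_ssis_load',
         SECRET   = N'<password-from-your-vault>';
GO

USE msdb;
GO
-- 2. Wrap the credential in an Agent proxy.
EXEC dbo.sp_add_proxy
     @proxy_name      = N'SsisFileLoadProxy',
     @credential_name = N'SsisFileLoadCred',
     @enabled         = 1;

-- 3. Limit the proxy to SSIS steps only (not CmdExec, not PowerShell).
EXEC dbo.sp_grant_proxy_to_subsystem
     @proxy_name     = N'SsisFileLoadProxy',
     @subsystem_name = N'SSIS';

-- 4. Allow one non-sysadmin login to attach the proxy to its job steps.
EXEC dbo.sp_grant_login_to_proxy
     @login_name = N'CONTOSO\etl_job_owner',
     @proxy_name = N'SsisFileLoadProxy';

-- 5. Use the proxy on the step that needs it.
EXEC dbo.sp_add_jobstep
     @job_name   = N'Nightly Import',
     @step_name  = N'Run import package',
     @subsystem  = N'SSIS',
     @command    = N'/FILE "D:\Packages\Import.dtsx"',
     @proxy_name = N'SsisFileLoadProxy';

-- 6. Review which identity each proxy maps to and which subsystems it covers.
SELECT p.name AS proxy_name, c.credential_identity, s.subsystem
FROM dbo.sysproxies AS p
JOIN sys.credentials AS c        ON c.credential_id = p.credential_id
JOIN dbo.sysproxysubsystem AS ps ON ps.proxy_id = p.proxy_id
JOIN dbo.syssubsystems AS s      ON s.subsystem_id = ps.subsystem_id;
```

The query in step 6 is useful in a periodic access review: a proxy granted to more subsystems or logins than a job needs widens what a job owner can run under that Windows identity.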

How to start SQL Server agent jobs automatically

I am writing PowerShell scripts to control SQL Server agent start/stop to ensure all the contained jobs run according to the defined schedule. I want to make sure that the only thing I need to do is to start the SQL Server Agent Windows Service, and then all the contained SQL Server Jobs will run automatically according to the defined schedule? No need to control each job's start/stop specifically?
I am using SQL Server 2008 on Windows Server 2003.
thanks in advance,
George

When you start SQL Server Agent, all jobs (if they are not disabled) will run automatically and there's no need to control each job. Just make sure that jobs are enabled.