Query to a server linked through an "EXECUTE AS"

Michel PRIORI 21 Reputation points
2020-11-20T11:04:21.27+00:00

Hello,
For security reasons we have a SRVLINK linked server that associates a local SQL account with a remote account.
41419-image.png

and outside of this association connections are refused.
41502-image.png

The problem comes when you execute:
EXECUTE AS LOGIN= 'SRVLINK
SELECT * FROM OPENQUERY([SIPRDSCO], 'select * FROM EXSDTA.PRREELLE WHERE 1=2')
REVERT
If we execute line by line it's Ok
If we execute all 3 lines together we get the error :
Msg 7416, Level 16, State 1, Line 3
Access to the remote server is denied because no login-mapping exists.

The objective being to generalize the practice in stored procedures - so no intermediate GOs are possible.

Q1: How to respond to security injunctions?
Q2: Why doesn't M$ allow the use of security groups for linked servers?

Transact-SQL
Transact-SQL
A Microsoft extension to the ANSI SQL language that includes procedural programming, local variables, and various support functions.
4,637 questions
0 comments No comments
{count} votes

4 answers

Sort by: Most helpful
  1. Erland Sommarskog 111.2K Reputation points MVP
    2020-11-20T23:03:12.907+00:00

    You need to change it to:

    EXECUTE AS LOGIN= 'SRVLINK'
    EXEC ('
       SELECT    FROM OPENQUERY([SIPRDSCO], ''select FROM    
       EXSDTA.PRREELLE WHERE 1=2'')'
    REVERT
    

    The reason for this is that when you execute the stored procedure, SQL Server wants to build a query plan for the entire procedure. And that includes queries in OPENQUERY. So it attempts to access the linked server under the security context that applies when the stored procedure starts. By wrapping the select in dynamic SQL, you push into an inner scope and compilation is now performed under the security context of SRVLINK.

    2 people found this answer helpful.

  2. m 4,271 Reputation points
    2020-11-23T08:45:49.16+00:00

    Hi @MichelPRIORI-205,

    Q1: How to respond to security injunctions?

    Please test with this option: Be made using this security context
    41819-20201123using-this-securitycontext.png

    Q2: Why doesn't M$ allow the use of security groups for linked servers?

    It does. If your M$ has the permission, it can used for linked server.
    41820-20201123youcanusethisone.png

    More information: create-linked-servers-sql-server-database-engine

    BR,
    Mia


    If the answer is helpful, please click "Accept Answer" and upvote it.


  3. m 4,271 Reputation points
    2020-11-25T06:27:58.24+00:00

    Hi @Michel PRIORI ,

    OK. Now I want to reproduce the issue on my own side.
    Could you please describe the local login of SRVLINK and CMSCO for more details?
    Two server here: Server 1 and Server2

    SRVLINK is one SQL Server Login in Server 1 and what permissions this login has?
    CMSCO is one SQL Server Login in Server 2 and what permissions this login has?

    BR,
    Mia


    If the answer is helpful, please click "Accept Answer" and upvote it.


  4. m 4,271 Reputation points
    2020-11-26T05:56:19.977+00:00

    Hi @Michel PRIORI , @Erland Sommarskog

    I have learnt much from this case and @Erland Sommarskog 's reply.
    Thanks very much.

    BR,
    Mia


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.