Running group MSA for agent service account won't let me back up to a NAS target

Question

Running group MSA for agent service account won't let me back up to a NAS target

DataMatt43 0

I'm running SQL Server 2022 in a clustered/AG environment, using a gMSA for the database engine and agent services. Even though I've granted full access to the NAS backup share, it cannot see it. We're using the Ola Hallengren maintenance solution. I've tried to use EXECUTE AS in the T-SQL code window of the job step but that didn't work. Changing the job owner didn't work. The gMSA is a sysadmin in SQL and a local admin. I also tried the EXECUTE AS in the backup stored procedure which didn't work. I really don't want to revert my servers to a domain account. According to all the documentation I've looked at, this should work by using a proxy account, but it doesn't. Can someone please tell me what I need to do here?

2 answers

Your answer

Answer 1

Erland Sommarskog 132.2K MVP Volunteer Moderator

Let's start with what is never going to work, and that is EXECUTE AS. If you put EXECUTE AS in a stored procedure, you are impersonating a database user, and when it comes to impersonation, there is a very important principle: What happens in Vegas, stays in Vegas. That is, the impersonation is only trusted in the security context you perform the impersonation, in this case the database. So that impersonation is not trusted on server level, and even less in Windows, and even less on the NAS.

When it comes to the gMSA, I am under impression that this is something that lives in the AD, and thus can be granted access anywhere in the domain. But I don't work as a DBA, but I am in a developer role, so I have no direct experience of gMSA.

But you also talk of a proxy account. If you are running your job as an CMDExec job step with a proxy, what counts are the permissions of the Windows user the proxy account maps to, since Agent logs with those credentials.

Akhil Gajavelly 1,155 Reputation points Microsoft External Staff Moderator

2026-01-29T04:21:04.87+00:00
Hi @DataMatt43 ,

Thanks @Erland Sommarskog for the detailed explanation this really clarifies the root cause.

The key point is that EXECUTE AS only impersonates inside SQL Server, not at the Windows or network level, so it can’t be used to access a NAS share. That explains why changing job owner, using EXECUTE AS, or modifying the stored procedure had no effect.

For SQL Agent jobs:

What actually matters is the Windows security context

If using a CmdExec step with a proxy, the proxy’s mapped Windows account must have access to the NAS

Otherwise, backups run under the SQL Server service account (gMSA), which must be trusted and permitted by the NAS and AD

This answer explains why the behavior occurs and what can work, unlike the generic AI response.

@DataMatt43 did this explanation help resolve the issue? If yes, please consider marking this as the accepted solution so others facing the same gMSA + NAS backup problem can find it more easily.

Thanks,
Akhil.
Akhil Gajavelly 1,155 Reputation points Microsoft External Staff Moderator

2026-02-02T07:07:23.66+00:00

Hi @DataMatt43 ,

Just checking back to see if the clarification around SQL Agent security context, gMSA, and NAS access helped resolve the issue.

If this explanation addressed the root cause, please consider marking it as the accepted answer so others facing similar gMSA + NAS backup scenarios can benefit. If you’re still seeing issues, feel free to share the current setup and we can look at next steps.

Thanks,
Akhil.

Answer 2

When using a group Managed Service Account (gMSA) for SQL Server services, there are several considerations to ensure proper access to resources such as NAS shares for backups. Here are some steps and checks you can perform:

Verify gMSA Permissions: Ensure that the gMSA has the necessary permissions to access the NAS share. Even if you granted full access, double-check that the permissions are correctly set on both the NAS and the Active Directory for the gMSA account.
Test gMSA Functionality: Use the PowerShell command Test-ADServiceAccount <gMSA_name> to verify that the gMSA is functioning correctly on the SQL Server instance.
Proxy Account Configuration: If you are using a proxy account for the SQL Server Agent job, ensure that the proxy account is configured correctly and has the necessary permissions to access the NAS share. The proxy account should also be associated with the correct credential that has access to the NAS.
SQL Server Agent Job Owner: Changing the job owner to a user or account that has access to the NAS might help. Ensure that this account has the necessary permissions to execute the job and access the NAS.
Using EXECUTE AS: When using EXECUTE AS, ensure that the context switch is valid and that the user you are switching to has the necessary permissions to access the NAS share.
Check Firewall and Network Settings: Ensure that there are no firewall rules or network settings that might be blocking access to the NAS from the SQL Server instance.

If these steps do not resolve the issue, consider reviewing the SQL Server logs for any specific error messages related to backup operations, as they may provide more insight into the problem.

References:

Share via

Running group MSA for agent service account won't let me back up to a NAS target

2 answers

Your answer