Configuring SQL Server Agent proxy account

Question

Configuring SQL Server Agent proxy account

Salves 501

Hi,

today it was necessary to create a proxy account to run an SSIS package.

It was working, after removing the SSIS package and deloying the SSIS package again it works manually, but when we try to schedule the SQL Agent JOB it fails. After configuring the proxy account it worked successfully.

PS: Integration services is on server B and the database that the SSIS package works on is on server A. That is, the credentials I use within the connection string are from server A.

I honestly don't understand why I need to enter a username and password in the string configuration, if my connection string has an option of (Integrated Security=SSPI). ]:(

Error:
An OLE DB record is available. Source: "Microsoft SQL Server Native Client 11.0" Hresult: 0x80040E4D Description: "Login failed for user 'domain\hostname$'.".

String connection:

Data Source=hostname.domain;Initial Catalog=DB_Samples;Provider=SQLNCLI11.1;Integrated Security=SSPI;Auto Translate=False;

We have other SSIS packages that are using SQL Agent without proxy, using the same project settings (EncryptSensitiveWithUserKey).

In the procedures that we found says to create the proxy account mapped with the user (SA), however we were concerned about the security risk that this can generate for the environment.

Doubts:

1 - Why do we need to use the (SA) account?

Ref.: https://www.youtube.com/watch?v=Z--t2MUF5E4

2 - Can you do the mapping using an unprivileged account?

3 - If privileges are needed, which ones are needed?

Thanks.

Accepted answer

1 additional answer

Your answer

Answer 1

Erland Sommarskog 121.4K MVP Volunteer Moderator

An OLE DB record is available. Source: "Microsoft SQL Server Native Client 11.0" Hresult: 0x80040E4D Description: "Login failed for user 'domain\hostname$'.".

This happens because SQL Server Agent runs under an account local to the machine, for instance NT Service\SQLSERVERAGENT, and you are using integrated security. Since that account does not exist on the other machine, the login will be for the machine account.. (The one with $ at the end.) Normally, you don't create logins for machine accounts.

When you set up proxy accounts with Agent, that is a typically a Windows domain account, so that Agent spawns a subprocess with that account, logging on to Windows with the stored credentials. Because this is a true Windows login, that process can now successfully log in with Integrated Security. I describe the steps to do this here: https://www.sommarskog.se/perm-hijack.html#agentjobs.

Now, you are talking about a proxy using SA, which is an SQL login, so I am not sure we are talking about the same thing. I will need to add the caveat that I don't know SSIS, so if this is a proxy specific to SSIS, there maybe something I have missed.

Nevertheless, I like to answer your doubts:

1 - Why do we need to use the (SA) account?

You would need to use SA, only if the package needs to perform actions that requires membership in the sysadmin role.

I did not watch the video, as it was a tad long for me. But I sampled a few seconds some minutes into the presentation, and I noticed that the presenter talked about using sa. Maybe he used sa as an example to keep things simple? (Not a very good idea in my opinion.)

2 - Can you do the mapping using an unprivileged account?

Of course.

3 - If privileges are needed, which ones are needed?

That depends on what the package is doing. Access to the database in question seems obvious. SELECT, INSERT etc permissions on tables may. Or only permissions to run stored procedures.

Salves 501 Reputation points

2022-01-15T19:18:24.377+00:00

Hi @Erland Sommarskog ,

Thank you for your time in answering my queries.

Sorry for the big message as I'm a not SQL expert and I'm supporting the DBA team and I'm not native English.

When I mentioned (SSIS) I mean SQL Server Integration Services packages.

When I mentioned (SA) it is because in the video a mapping of the domain user with the (SA) is demonstrated.

I'm reading documents that explain these functions and so far I haven't seen anyone creating a proxy and mapping it to some internal SQL user such as (SA) or another.

When they explain about the proxy user, they simply ask to create a credential, inform the domain user, password and in the SQL Agent JOB select this credential created for the proxy.

It was probably just an example really, but this step of adding a mapping so far I see very little.

Moving on... I'll write how I understand the process from beginning to end to explain, correct me if I'm wrong.

I understand that this (credential) used in the proxy needs permission to execute this package (database, folder access, etc.). But analyzing the package settings, there is a connection string with an integrated database (Integrated Security=SSPI) with windows and the user and password are also informed in the package. If the string is integrated it would not need this username and password!!!

Continue in the next comment...
Salves 501 Reputation points

2022-01-15T19:20:09.977+00:00

So the question came to me: "This (Failed login for 'domain\hostname$'.".) is because the package is using the SQL Agent local service account to execute the connection string that is inside the package and how is it set to integrated is it using the SQL Agent local service account?

So it will actually generate an error because the database is on the other remote server and this SQL Agent local service account does not have permission on the database.

However, I return to the question of the username and password that is in the connection string that is not having any effect, that is, this is wrong for me when I use an integrated connection.

What I did now and it worked, see: I removed the (Integrated Security=SSPI).

From: Data Source=servername;Initial Catalog=database;Provider=SQLNCLI11.1;Integrated Security=SSPI;Auto Translate=False;

To: Data Source=servername;Initial Catalog=database;Provider=SQLNCLI11.1;Auto Translate=False;

It is now working normally because I understand that SQL Agent is using the username and password that is defined in the connection string.

I read that this error is connection is because the SSIS package was created with a type of Protect Level (EncryptSensitiveWithUserKey) and some articles say to change the protect level (ServerStorage or with Password).

But as I mentioned, I have another SSIS package configured with the (non-integrated) connection string that has the (EncryptSensitiveWithUserKey) working.

Continue in the next comment...
Salves 501 Reputation points

2022-01-15T19:21:02.707+00:00

So Microsoft's explanation that the problem is because the SQL Agent account is not allowed to decrypt the SSIS package (EncryptSensitiveWithUserKey) and to solve this I need to use a proxy account.

In short, I got lost in so much information and thought:

1 - I can use a non-integrated connection string. But what future problems can they generate? Security problem for example?

2 - If I use an integrated connection then I need to create a user that has access (to the database used in the SSIS package, in the local directories and etc.) and used as a proxy account.

What is the best practice to make this work?

Thank you.

Answer 2

I need to start with repeating that I don't know SSIS, so I may be saying things that are incorrect with regards to SSIS. If so, I hope that someone will correct me.

I'm working from the assumption that there is not much difference between running an SSIS package that accesses a remote instance, than running a BAT file that uses SQLCMD to run something on a remote computer. And the latter is something I've done a couple of times. (However, in this scenario there is nothing similar to EncryptSensitiveWithUserKey, so that is a part that I will have to skip.)

Let's say that the .BAT file reads:

SQLCMD -S OTHERSERVER -d somedb -E -i"somesqlscript.sql" -I -b

(Remember that -E stands for integrated security. -I forces QUOTED_IDENTIFIER, and -b is needed so that a failure in the SQL script also signals a failure in the job.)

If you run this as a plain CmdExec job from Agent with no proxy, the connect will be with the service account for SQL Server Agent. If this is a domain account and this account has access to OTHERSERVER connection will succeed. If SQL Server Agent runs under a local machine account, such as NT Service\SQLSERVERAGENT (which often is the case), the access will be made through the domain account for the computer, that is domain\hostname$ as you had in the error message. You can add domain\hostname$ as a login on OTHERSERVER, but as you may guess, it is not good practice security-wise.

One option to address this is to change authentication to SQL authentication:

SQLCMD -S OTHERSERVER -d somedb -U somelogin -P pwd -i"somesqlscript.sql" -I -b

The obvious drawback here is that username and password are stored in cleartext in the .BAT file. This can possibly be handled better with that encrypt option in SSIS, but I still don't really like it. But to some extent that is a matter of taste, and it may be easier for you to create an SQL login than to ask the AD admin to create account to be used for a proxy.

And that is the other option: you ask the AD admin to create Windows login, and then you create a credential that maps to this Windows login and password. And then you create a proxy in Agent that uses this credential, and you set up the job to run as the proxy. (Please see https://www.sommarskog.se/perm-hijack.html#agentjobs for details.)

That Windows login will of course need to have access to OTHERSERVER and somedb. But here is the cool thing: there may already be AD group created for users with access to the database. Then you ask the AD admin to add the Windows user to that AD group, and you are all set. At least as long as the SSIS package does not require elevated permissions.

My preference is certainly for using a proxy with a Windows login, but I cannot deny that there is an element of what works best at your local site.

Salves 501 Reputation points

2022-01-15T20:59:27.2+00:00

Hi @Erland Sommarskog ,

I am very happy to return to the community and know that there are people here who are very patient in sharing their knowledge.

Thank you very much for the clarification.

I understood your explanation very well.

Just to close the issue can you help me with some guidance?

I understood how to create one (credential) and set up a proxy account with that (credential).

But returning to the video is guiding to configure a (mapping) in the user (SA).

What is this mapping in practice?

When I do this mapping, what am I guaranteeing regarding the permissioning?

Thanks.
Erland Sommarskog 121.4K Reputation points MVP Volunteer Moderator

2022-01-15T21:41:55.787+00:00

But returning to the video is guiding to configure a (mapping) in the user (SA).

I watched the video, and the part where he configures a mapping is unrelated to SQL Server Agent proxies. But that is certainly not apparent, if you are not familiar with the concepts. So ignore the video up the point where he has scripted the ALTER LOGIN command. The rest of the video is correct and relevant.

What he is talking about in the first part of the video is this: SQL Server permits you to map a login to a credential. I will have to admit that I an unfamiliar with this feature, but looking in Books Online, I see that you can say:

CREATE LOGIN julia WITH PASSWORD = '********', CREDENTIAL = somecred ALTER LOGIN julia WITH CREDENTIAL = someothercred

As I understood the presenter, the idea is that if an SQL login makes an access outside SQL Server, that access will be made through this credential, but he did give any examples. I tried to use this with a linked server, but that did not work out.

Books Online has this to say:

The name of a credential to be mapped to the new SQL Server login. The credential must already exist in the server. Currently this option only links the credential to a login. A credential cannot be mapped to the System Administrator (sa) login.

The next-to-last sentence suggests that there is no actual function at all. And the last sentence? You may note that he never ran the command he generated!
Salves 501 Reputation points

2022-01-15T21:50:05.567+00:00

Hi,

so I don't need to do that, I just create the credential and proxy account to use SQL Agent JOB.

And this credential needs to have access to the database I'm using inside my package, simple as that.

Thanks for your help and patience.
Erland Sommarskog 121.4K Reputation points MVP Volunteer Moderator

2022-01-15T21:50:52.803+00:00

Correct.

Share via

Configuring SQL Server Agent proxy account

1 additional answer

Your answer