February 14, 2016 at 8:17 am
Some of our packages need to run out from a DMZ server.
I just want that service there, not the database one.
We did open LDAP ports in the firewall so the DMZ accepts the AD users.
When trying to execute the package remotely, I get a message :
Alter failed for JobStep 'CRM Base Tables'. (Microsoft.SqlServer.Smo)
For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&ProdVer=11.0.5058.0+((SQL11_PCU_Main).140514-1820+)&EvtSrc=Microsoft.SqlServer.Management.Smo.ExceptionTemplates.FailedOperationExceptionText&EvtID=Alter+JobStep&LinkId=20476
An exception occurred while executing a Transact-SQL statement or batch. (Microsoft.SqlServer.ConnectionInfo)
Proxy (3) is not allowed for subsystem "SSIS" and user "xxx\xxxxxxx". Grant permission by calling sp_grant_proxy_to_subsystem or sp_grant_login_to_proxy. (Microsoft SQL Server, Error: 14516)
I have tried these SPs on the remote server, but I guess I need to do this in the DMZ server. I tried adding permissions in the DCOM, but my IT guy said that shouldn't work (guess what? It didn't).
I am new to such deployments, If you have good tips, please share.
February 14, 2016 at 2:06 pm
When trying to execute the package remotely
Can you clarify your setup please? Where is the Agent job running and how are you trying to invoke the Package on this remote server?
An exception occurred while executing a Transact-SQL statement or batch. (Microsoft.SqlServer.ConnectionInfo)
Proxy (3) is not allowed for subsystem "SSIS" and user "xxx\xxxxxxx". Grant permission by calling sp_grant_proxy_to_subsystem or sp_grant_login_to_proxy. (Microsoft SQL Server, Error: 14516)
This seems like a local config issue. Check the Proxy setup to make sure it has permissions to the SSIS Subsystem.
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
February 14, 2016 at 2:44 pm
But why put SSIS in DMZ? SSIS don't serve any content, you dont need to put it in DMZ to connect to any source or destination.
February 15, 2016 at 2:27 am
My security officer decided that accessing cloud CRM should happen from the DMZ. Kind of gives him tight control of information reaching the DB server. The DB server is within the network. I call it only by a limited set of dedicated SPs that I grant permission to.
In the DB server I can define proxy and grant it permission to the local (DB server) SSIS. But to grant the proxy permission to execute the remote SSIS... I just don't have a DB server to run that stored procedure.
Viewing 4 posts - 1 through 3 (of 3 total)
You must be logged in to reply to this topic. Login to reply