June 28, 2010 at 10:09 am
Hi All,
I wonder if anyone can help shed some light on an issue I've run into. I'm attempting to call an executable and pass it the 4 parameters below. When the query runs in SQL query analyser it runs continuously, seemingly without end. I've logged onto the server (Windows Server 2008 - MSSQL 2008) as the Admin in an attempt to rule out any permissions issue.
When the string from below is run in a DOS-CMD the process runs perfectly in about 8 seconds.
master..xp_cmdshell 'C:\Temp\Temp.exe serverName,databaseName,Source,Output'
Any help would be greatly appreciated. If you need any more info, please let me know.
My apologies if this is in the wrong forum.
Many Thanks
Chris
June 28, 2010 at 10:54 am
Chris Hazeldene (6/28/2010)
I've logged onto the server (Windows Server 2008 - MSSQL 2008) as the Admin in an attempt to rule out any permissions issue.
xp_cmdShell does not use your security context....it's a permissions issue.
This is a common security misconception. The problem is that when you access any resource OUTSIDE of SQL Server, like network shares, local hard drives, xp_cmdshell, sp_OA type functions etc., it doesn't matter what YOUR credentials are, whether you are Domain Admin, Local Admin, logged in as sa, administrative login on a laptop, etc., because SQL will not carry those credentials to the "outside of SQL" security context.
SQL WILL use your credentials for Linked Servers/OPENROWSET/OPENQUERY, but that's pretty much it.
SQL Server uses the account it starts with to try and access the resource:
That account is often an account which has never logged into the domain, and was never assigned permissions to get to the local disk or network share.
As a result, you usually need to create a domain account in Active Directory, specifically grant it share access if it doesn't inherit it from Domain\Users or Domain\AuthenticatedUsers and change the account SQL Server starts with to that account.
Once that is done, and you stop and start the SQL service to make it use that account instead of old running values, your linked server/xp_cmdshell would work.
You can prove this is the issue by simply putting in your credentials, with your domain account and password, and confirming the external object you were trying to access/use works when SQL is run with your credentials, so you'd know you need a domain account to access the resource.
Run this query to see what context you are really using:
DECLARE @Results TABLE (
    ID int IDENTITY(1,1) NOT NULL,
    TheOutput varchar(1000))
INSERT INTO @Results (TheOutput)
    EXEC master..xp_cmdshell 'whoami' -- nt authority\system for example
INSERT INTO @Results (TheOutput)
    EXEC master..xp_cmdshell 'cd %userprofile%' -- NULL because nt authority\system is not a user...command fails.
SELECT * FROM @Results
Lowell
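The context check from the post above, extended into a small audit script. This is an added example, not part of the original posts: it goes beyond the thread by also reporting the xp_cmdshell proxy credential (used for callers who are not sysadmin) and any explicit EXECUTE grants. Variable and column alias names are illustrative, and it assumes the caller can read sys.credentials.

```sql
-- Added example (not from the thread): which Windows account will xp_cmdshell
-- use for the current caller? Read-only apart from one 'whoami' call.
SET NOCOUNT ON;

-- 1. Is xp_cmdshell enabled, and is the caller a sysadmin?
DECLARE @enabled int = (SELECT CONVERT(int, value_in_use)
                        FROM sys.configurations
                        WHERE name = 'xp_cmdshell');
DECLARE @is_sysadmin int = IS_SRVROLEMEMBER('sysadmin');

-- 2. Proxy credential used for non-sysadmin callers (NULL = none configured).
DECLARE @proxy nvarchar(256) = (SELECT credential_identity
                                FROM sys.credentials
                                WHERE name = '##xp_cmdshell_proxy_account##');

SELECT ORIGINAL_LOGIN() AS sql_login,
       @is_sysadmin     AS caller_is_sysadmin,
       @enabled         AS xp_cmdshell_enabled,
       @proxy           AS proxy_windows_account,
       CASE WHEN @enabled = 0       THEN 'xp_cmdshell is disabled'
            WHEN @is_sysadmin = 1   THEN 'runs as the SQL Server service account'
            WHEN @proxy IS NOT NULL THEN 'runs as the proxy account'
            ELSE 'call fails: no proxy account configured'
       END              AS expected_context;

-- 3. Principals explicitly granted (or denied) EXECUTE on xp_cmdshell in master.
SELECT pr.name AS grantee, pe.state_desc, pe.permission_name
FROM master.sys.database_permissions AS pe
JOIN master.sys.system_objects       AS so ON so.object_id = pe.major_id
JOIN master.sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1
  AND so.name = 'xp_cmdshell';

-- 4. Confirm against what Windows reports (same 'whoami' check as in the post).
IF @enabled = 1
BEGIN
    DECLARE @out TABLE (line nvarchar(4000));
    INSERT INTO @out (line)
        EXEC master..xp_cmdshell 'whoami';
    SELECT line AS actual_windows_account
    FROM @out
    WHERE line IS NOT NULL;
END
```

If the account in step 4 is broader than the job requires, that is the account every sysadmin-issued xp_cmdshell command runs as, so it is the one whose file system and network rights should be reviewed.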
June 29, 2010 at 3:15 am
Thanks for your reply Lowell.
I ran the SQL that you posted + checked the account details that are used to open SQLServer and both were the Admin account. Unless I misunderstood your post (which is entirely possible) does this mean the suggested solution wouldn't solve the problem?
June 29, 2010 at 5:20 am
Hmm...rereading your issue, you said it is "SQL query analyser it runs continuously, seemingly without end"...
Could your application be raising a pop-up/error message window? So when it is run from QA, maybe with a misspelled parameter or something, it seems to be running forever because the app is waiting for someone to click "OK"?
You have to be careful calling apps from the command line, because there's no interaction allowed.
Lowell
June 29, 2010 at 10:50 am
Spot on!
I really appreciate your time and help with this. Apologies if my lack of knowledge regarding how SQL interacts with external programs has slowed down our progress towards a solution.
Many thanks
Chris