CMDExec Proxy account not working with Domain Service Account...
Posted Wednesday, April 17, 2013 7:17 AM
I'm working on migrating an existing Server 2003 / SQL 2005 system to Server 2008 R2 / SQL 2008 R2, and am having some problems getting a proxy account to work. The account is needed to execute some OS operations, NOT to affect DBs on the server. Things like unzipping files that are received to a particular folder and deleting the files when done.

The SQL Agent is running using a domain account for this purpose. There's also a domain-level account for the proxy account.

I've added the Proxy account to the SQL Logins, created a Credential for it, then created the Proxy in Agent. I've granted the appropriate users access to the Proxy (the "Principals" section), and assigned the proxy to execute a step in a test job (dir e:\)

Now, the problem.
It fails.
If I run the step using the Agent account, it works. If I set the Agent to use the "Network Service" account and the proxy, it works. If I set the Agent to use the domain account and the job to use the proxy account, it fails with:
"Executed as user: domain\svcaccount. The process could not be created for step 1 of job 0x2E0030DE6B7C444E8C0E4759A405B8E5 (reason: A required privilege is not held by the client). The step failed"

I have verified the proxy account does have access to the E:\ drive by running a command prompt as the account. I also "cloned" the local group membership for the proxy from the Server 2003 system, so it belongs to the local Admins account.
I've looked through the Windows Security log, and it shows it to be logging in OK. I see a logon event with a subject account name of the Agent service account, and a new logon security ID of the Proxy account. So it seems the impersonation is working...

Any thoughts?
Post #1443249
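The chain the post above builds by hand (login, credential, proxy, principal grant, job step) can be scripted and then verified from msdb, so the failing step's "Executed as user" line and the proxy-to-credential mapping are both visible in one place. This is an added example, not the poster's script or anything from the thread; it assumes the SqlServer module (SQLPS on older hosts) for Invoke-Sqlcmd, and every account, proxy and job name in it is a placeholder.

```powershell
<#
  Added example, not code from the thread: build the proxy chain the first post
  describes (Windows login -> credential -> CmdExec proxy -> principal grant ->
  one-step test job), run the job, then read back which Windows identity the step
  ran under and what Agent logged. Assumes the SqlServer module (SQLPS on older
  hosts) for Invoke-Sqlcmd; every account, proxy and job name is a placeholder.
#>
param(
    [string]$ServerInstance = 'localhost',
    [Parameter(Mandatory = $true)][string]$ProxyAccount,   # e.g. 'DOMAIN\svcproxy' (hypothetical)
    [Parameter(Mandatory = $true)][string]$JobOwner,       # Windows login that owns the job and may use the proxy
    [string]$ProxyName = 'CmdExecProxy',
    [string]$JobName   = 'Proxy smoke test'
)
Import-Module SqlServer -ErrorAction Stop

# Escapers for the two T-SQL contexts the values land in: N'...' literals and [identifiers].
function Lit([string]$s) { $s.Replace("'", "''") }
function Id ([string]$s) { $s.Replace(']', ']]') }

# The proxy account's password is needed once, to store it in the credential.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR((Read-Host "Password for $ProxyAccount" -AsSecureString))
try     { $secret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
$cred = "${ProxyName}_cred"

$setup = @"
SET NOCOUNT ON;
-- 1. Windows login for the proxy account (not required by the credential, but it lets the
--    account be granted msdb roles or listed as a proxy principal later).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$(Lit $ProxyAccount)')
    CREATE LOGIN [$(Id $ProxyAccount)] FROM WINDOWS;
-- 2. Credential holding the Windows identity and password Agent impersonates for the step.
IF NOT EXISTS (SELECT 1 FROM sys.credentials WHERE name = N'$(Lit $cred)')
    CREATE CREDENTIAL [$(Id $cred)] WITH IDENTITY = N'$(Lit $ProxyAccount)', SECRET = N'$(Lit $secret)';
-- 3. Proxy bound to that credential, usable only in the CmdExec subsystem and only by JobOwner.
IF NOT EXISTS (SELECT 1 FROM msdb.dbo.sysproxies WHERE name = N'$(Lit $ProxyName)')
BEGIN
    EXEC msdb.dbo.sp_add_proxy @proxy_name = N'$(Lit $ProxyName)', @credential_name = N'$(Lit $cred)', @enabled = 1;
    EXEC msdb.dbo.sp_grant_proxy_to_subsystem @proxy_name = N'$(Lit $ProxyName)', @subsystem_name = N'CmdExec';
    EXEC msdb.dbo.sp_grant_login_to_proxy @proxy_name = N'$(Lit $ProxyName)', @login_name = N'$(Lit $JobOwner)';
END
-- 4. One-step test job: a harmless OS command that runs under the proxy, like the thread's 'dir e:\'.
IF NOT EXISTS (SELECT 1 FROM msdb.dbo.sysjobs WHERE name = N'$(Lit $JobName)')
BEGIN
    EXEC msdb.dbo.sp_add_job @job_name = N'$(Lit $JobName)', @owner_login_name = N'$(Lit $JobOwner)';
    EXEC msdb.dbo.sp_add_jobstep @job_name = N'$(Lit $JobName)', @step_name = N'dir', @subsystem = N'CmdExec',
         @command = N'dir e:\', @proxy_name = N'$(Lit $ProxyName)';
    EXEC msdb.dbo.sp_add_jobserver @job_name = N'$(Lit $JobName)', @server_name = N'(local)';
END
-- Remember the newest history row so the poll below only sees this run.
SELECT ISNULL(MAX(instance_id), 0) AS before_id FROM msdb.dbo.sysjobhistory;
EXEC msdb.dbo.sp_start_job @job_name = N'$(Lit $JobName)';
"@
[int]$before = (Invoke-Sqlcmd -ServerInstance $ServerInstance -Database msdb -Query $setup -DisableVariables -ErrorAction Stop).before_id
$secret = $null   # drop the plaintext as soon as the credential exists

# What Agent will actually do: the step's proxy and the Windows identity behind it.
$map = @"
SELECT j.name AS job, s.step_id, s.subsystem, p.name AS proxy, c.credential_identity
FROM msdb.dbo.sysjobs j
JOIN msdb.dbo.sysjobsteps s ON s.job_id = j.job_id
LEFT JOIN msdb.dbo.sysproxies p ON p.proxy_id = s.proxy_id
LEFT JOIN sys.credentials c ON c.credential_id = p.credential_id
WHERE j.name = N'$(Lit $JobName)';
"@
Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $map -DisableVariables | Format-Table -AutoSize

# sp_start_job is asynchronous: poll history for this run's step-1 row. run_status 1 = succeeded, 0 = failed;
# the message begins 'Executed as user: <identity>', which shows whether the proxy impersonation took effect.
$hist = @"
SELECT TOP (1) h.run_status, h.message
FROM msdb.dbo.sysjobhistory h JOIN msdb.dbo.sysjobs j ON j.job_id = h.job_id
WHERE j.name = N'$(Lit $JobName)' AND h.step_id = 1 AND h.instance_id > $before
ORDER BY h.instance_id DESC;
"@
$row = $null
for ($i = 0; $i -lt 12 -and -not $row; $i++) {
    Start-Sleep -Seconds 5
    $row = Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $hist -DisableVariables
}
if ($row) { "run_status={0}`n{1}" -f $row.run_status, $row.message }
else      { Write-Warning "No step history after 60 s; check Job Activity Monitor." }
```

The proxy is granted only the CmdExec subsystem and only to the one login that owns the job, which is the least-privilege shape for an OS-only proxy; a failure with "A required privilege is not held by the client" in the history message points at the Agent service account's Windows rights rather than at anything in this msdb configuration.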
Posted Wednesday, April 17, 2013 9:58 AM
Further note on this:
I tried logging into the server as the Proxy account, and was able to log in with no issues, copy a file, etc.

So the account does have the rights.

It seems that the problem is after the Agent account impersonates that things go south...

I'm starting to think about removing SQL and reloading, as the only thing that *MIGHT* be a factor is I didn't have the domain Agent service account during the initial setup. But I did switch the service account (with SQL Config Manager) once I got it.

Help, please?

Thanks,
Jason
Post #1443352
Posted Wednesday, April 17, 2013 12:52 PM
I may have found the solution to this...

It seems the SQL Agent Service Account may need the "Replace a Process Level Token" right. Seeing as the domain is locked down, I've requested they "clone" the GPOs that are applying to the existing (working) system to the new system. Failing that, I'll ask them to configure a GPO to do this.

Further updates (and hopefully the solution) as the situation warrants.


Jason
Post #1443450
Posted Monday, April 22, 2013 3:30 AM
This link may give some useful details about proxy accounts, but it does assume that the SQL Agent service account is already set up with the required rights... http://sqlserverfinebuild.codeplex.com/wikipage?title=SQL%20Server%20Proxy%20Accounts

Original author: SQL Server FineBuild 1-click install and best practice configuration of SQL Server 2014, 2012, 2008 R2, 2008 and 2005. 25 March 2014: now over 28,000 downloads.
Post #1444905
Posted Friday, October 18, 2013 2:37 AM
jasona.work (4/17/2013)
I may have found the solution to this...

It seems the SQL Agent Service Account may need the "Replace a Process Level Token" right. Seeing as the domain is locked down, I've requested they "clone" the GPOs that are applying to the existing (working) system to the new system. Failing that, I'll ask them to configure a GPO to do this.

Further updates (and hopefully the solution) as the situation warrants.


Jason


Thanks a lot for sharing!!! It led me to the problem: we have a default server GPO that restricts that user rights assignment to LOCAL SERVICE and NETWORK SERVICE. Once I overrode that, everything worked as expected. Thanks again!
Post #1506021
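The diagnosis in the thread (the third post's suspicion that the Agent service account lacks "Replace a process level token", confirmed by the reply above where a domain GPO restricted that right to LOCAL SERVICE and NETWORK SERVICE) can be checked directly on the host instead of by reinstalling SQL Server. SQL Server Setup grants the Agent service account four user rights (Log on as a service, Replace a process level token, Adjust memory quotas for a process, Bypass traverse checking), and a proxy account used by a CmdExec step needs Log on as a batch job; a GPO that defines the same setting replaces the local assignment, so only the effective policy tells the truth. The script below is an added example, not from the thread or the FineBuild project; it assumes an elevated PowerShell session on the SQL Server host and uses placeholder service and account names.

```powershell
<#
  Added example (not from the thread): compare the user rights SQL Server setup
  grants to the Agent service account, and the batch-logon right a proxy account
  needs, against the *effective* local security policy, which is what a domain
  GPO overwrites. Assumes an elevated PowerShell session on the SQL host;
  service and account names are placeholders.
#>
param(
    [string]$AgentServiceName = 'SQLSERVERAGENT',           # named instance: 'SQLAgent$INSTANCENAME'
    [Parameter(Mandatory = $true)][string]$ProxyAccount     # e.g. 'DOMAIN\svcproxy' (hypothetical)
)

# secedit names of the rights Setup assigns to the Agent service account (SQL Server service-permissions docs).
$AgentRights = 'SeServiceLogonRight',            # Log on as a service
               'SeAssignPrimaryTokenPrivilege',  # Replace a process level token  <- the one in this thread
               'SeIncreaseQuotaPrivilege',       # Adjust memory quotas for a process
               'SeChangeNotifyPrivilege'         # Bypass traverse checking
$ProxyRights = 'SeBatchLogonRight'               # Log on as a batch job, needed by the impersonated proxy account

function Resolve-Principal([string]$Entry) {
    # secedit writes '*S-1-5-20' style SIDs; turn them back into DOMAIN\name where the SID still resolves.
    if ($Entry -match '^\*?(S-1-[\d-]+)$') {
        $sid = $Matches[1]
        try   { return (New-Object Security.Principal.SecurityIdentifier $sid).Translate([Security.Principal.NTAccount]).Value }
        catch { return $sid }
    }
    return $Entry
}

function Get-EffectiveUserRights {
    # Export the local security database (GPO-applied values included) and parse the [Privilege Rights] section.
    $inf = Join-Path $env:TEMP ("userrights-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $inf)) { throw "secedit export failed (exit $LASTEXITCODE)" }
        $rights = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $inf) {            # file is UTF-16 with BOM; Get-Content detects it
            if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
            if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
                $name = $Matches[1]
                $holders = $Matches[2]
                $rights[$name] = @($holders.Split(',') | ForEach-Object { Resolve-Principal $_.Trim() } | Where-Object { $_ })
            }
        }
        return $rights
    }
    finally { Remove-Item $inf -Force -ErrorAction SilentlyContinue }
}

function Test-AgentProxyRights {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$AgentServiceName'"
    if (-not $svc) { throw "Service '$AgentServiceName' not found on this host." }
    $rights = Get-EffectiveUserRights
    $pairs = @()
    foreach ($r in $AgentRights) { $pairs += ,@($svc.StartName, $r) }
    foreach ($r in $ProxyRights) { $pairs += ,@($ProxyAccount, $r) }
    foreach ($p in $pairs) {
        $holders = @($rights[$p[1]])
        # Only direct assignments are matched; a right granted to a group the account belongs to shows
        # Granted=False with the group listed under GrantedTo, so read that column before acting.
        New-Object PSObject -Property @{
            Account   = $p[0]
            Right     = $p[1]
            Granted   = ($holders -contains $p[0])
            GrantedTo = ($holders -join ', ')
        }
    }
}

$report = Test-AgentProxyRights
$report | Format-Table Account, Right, Granted, GrantedTo -AutoSize
if ($report | Where-Object { -not $_.Granted }) {
    Write-Warning "At least one right is missing; if a GPO defines it, 'gpresult /h report.html' shows which one."
}
```

On the configuration from the reply above, the SeAssignPrimaryTokenPrivilege row would show Granted=False with GrantedTo listing only NT AUTHORITY\LOCAL SERVICE and NT AUTHORITY\NETWORK SERVICE, which is the GPO override; re-running the script after the policy change confirms the fix without another job run. The secedit export reflects the effective policy, so a right that looks present in the Local Security Policy editor but is greyed out as policy-defined is reported the way Agent actually sees it.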