Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase «««1234»»

Using a Certificate Signed Stored Procedure to Execute sp_send_dbmail Expand / Collapse
Author
Message
Posted Monday, January 18, 2010 5:33 AM


SSCrazy

SSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazy

Group: General Forum Members
Last Login: Today @ 6:55 AM
Points: 2,366, Visits: 1,845
Great article and here comes another dumb question!

After signing the procedure with certificate can the procedure be executed only by the login/user created from the certificate? Can other users execute the procedure.


"Keep Trying"
Post #849098
Posted Friday, January 22, 2010 5:33 AM


SSCrazy

SSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazy

Group: General Forum Members
Last Login: Today @ 6:55 AM
Points: 2,366, Visits: 1,845
Hi anyone there!!

"Keep Trying"
Post #851933
Posted Friday, January 22, 2010 9:58 PM


SSCommitted

SSCommittedSSCommittedSSCommittedSSCommittedSSCommittedSSCommittedSSCommittedSSCommitted

Group: General Forum Members
Last Login: Monday, June 23, 2014 11:55 AM
Points: 1,708, Visits: 1,792
ChiragNS (1/18/2010)
Great article and here comes another dumb question!

After signing the procedure with certificate can the procedure be executed only by the login/user created from the certificate? Can other users execute the procedure.


No, you can GRANT EXECUTE on the stored procedure that is signed by the certificate to any database user. That's the point behind using the certificate signed stored procedure to grant access. The users don't have to have elevated rights, they only need the ability to EXECUTE the signed stored procedure, or a parent procedure in the ownership chain.


Jonathan Kehayias | Principal Consultant | MCM: SQL Server 2008
My Blog | Twitter | MVP Profile
Training | Consulting | Become a SQLskills Insider
Troubleshooting SQL Server: A Guide for Accidental DBAs
Post #852452
Posted Friday, January 22, 2010 10:00 PM


SSCommitted

SSCommittedSSCommittedSSCommittedSSCommittedSSCommittedSSCommittedSSCommittedSSCommitted

Group: General Forum Members
Last Login: Monday, June 23, 2014 11:55 AM
Points: 1,708, Visits: 1,792
FreeHansje (1/18/2010)
Jonathan,
I wish to say thanks again. I must have done something wrong, different then you describe in your solution. I could have sworn I used the same construction to test permission on the DMV's, but could not get it working. But as I said, I must have donw something different, and since there is no1 at my current position with the knowledge to talk this over I could not pinpoint the error.
Also tnx for showing that my initial 'solution' did not work. With your suggestion I can get things working.

Tnx again, I have learned a lot today.


Did you figure your problem out? If not, DM me or shoot me a contact through my blog on SQLBlog and I'll see if I can help you troubleshoot the issue further.


Jonathan Kehayias | Principal Consultant | MCM: SQL Server 2008
My Blog | Twitter | MVP Profile
Training | Consulting | Become a SQLskills Insider
Troubleshooting SQL Server: A Guide for Accidental DBAs
Post #852453
Posted Monday, January 25, 2010 5:07 AM


SSCrazy

SSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazy

Group: General Forum Members
Last Login: Today @ 6:55 AM
Points: 2,366, Visits: 1,845
Jonathan Kehayias (1/22/2010)
ChiragNS (1/18/2010)
Great article and here comes another dumb question!

After signing the procedure with certificate can the procedure be executed only by the login/user created from the certificate? Can other users execute the procedure.


No, you can GRANT EXECUTE on the stored procedure that is signed by the certificate to any database user. That's the point behind using the certificate signed stored procedure to grant access. The users don't have to have elevated rights, they only need the ability to EXECUTE the signed stored procedure, or a parent procedure in the ownership chain.


Thank you.


"Keep Trying"
Post #852927
Posted Thursday, March 25, 2010 9:08 AM
SSCommitted

SSCommittedSSCommittedSSCommittedSSCommittedSSCommittedSSCommittedSSCommittedSSCommitted

Group: General Forum Members
Last Login: Thursday, August 28, 2014 8:50 AM
Points: 1,614, Visits: 894
Brilliant article.

Only one thing which is a bit of a shame - this only works if the SP is execute as owner, not if it's execute as caller.

As a result, if you look in msdb.dbo.sysmail_allitems, all items sent with this method say they were sent by sa. Also it's allowed to send using private profiles to which nobody has been granted access.

If you send the mail by adding the user to the msdb role instead, then msdb.dbo.sysmail_allitems details the correct sender.

DatabaseMail is great, but the permissions are a real struggle. In addition to the sp_send_dbmail permission problem, it's hard to get the permissions sorted out for private profiles. All the documentation says that you can grant permissions on private profiles to database roles in msdb, but in actual fact it won't let you do this.

Rachel.
Post #889899
Posted Wednesday, June 2, 2010 5:34 AM
SSC Eights!

SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!

Group: General Forum Members
Last Login: Thursday, December 6, 2012 8:30 AM
Points: 879, Visits: 810
Another question, I'm stupified by the following:

I wish to allow non-sa users to run a bcp string with xp_cmdshell. The option to use this XP is by default turned off. I can get these non-sa users to run the xp_cmdshell, it's the turning on and off of the configuration which I cannot resolve.

What I'm looking at is a SP like this:

CREATE PROCEDURE testSP1
BEGIN
EXEC SP_CONFIGURE 'xp_cmdshell', 1;
RECONFIGURE WITH OVERRIDE;

EXEC XP_CMDSHELL 'DIR c:\' -- some VBCP command, but for a simple example...

EXEC SP_CONFIGURE 'xp_cmdshell', 0;
RECONFIGURE WITH OVERRIDE;
END
GO

I have tried constructions with EXECUTE AS and Certificates, but sofar nada. Scoured the Internet, no example specifically on permissions on SP_CONFIGURE.
Any suggestions?



Greetz,
Hans Brouwer
Post #931261
Posted Wednesday, March 30, 2011 7:12 AM
SSC Veteran

SSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC Veteran

Group: General Forum Members
Last Login: Monday, March 31, 2014 6:52 AM
Points: 259, Visits: 682
I have created a stored procedure in the msdb that will basically start a job and wait for completion. I have implemented the certificate signed stored procedure in one database successfully, but would now like to incorporate it into a second database. I was thinking I would be able to use the same certificate to make this happen (create in second database from file).

This does not seem to be the case though. Doing a select on sys.certificates in the second database shows NA for pvt_key_encryption_type and NO_PRIVATE_KEY for pvt_key_encryption_type_desc. I receive the following error when trying to sign the stored procedure in the second database from this certificate

Msg 15556, Level 16, State 1, Line 1
Cannot decrypt or encrypt using the specified certificate, either because it has no private key or because the password provided for the private key is incorrect.


I was wondering if this is possible. And if so if there are any reasons not to do this.

I could see this expanding to other databases in the future and would like to use one certificate (since everything will be targeting the same stored procedure in the msdb database) instead of having to create numerous certificates, logins, users, etc.

Any advise/information is much appreciated.
Thanks,
Sam
Post #1086193
Posted Tuesday, April 26, 2011 8:21 PM


SSCommitted

SSCommittedSSCommittedSSCommittedSSCommittedSSCommittedSSCommittedSSCommittedSSCommitted

Group: General Forum Members
Last Login: Monday, June 23, 2014 11:55 AM
Points: 1,708, Visits: 1,792
ssb-402814 (3/30/2011)
I have created a stored procedure in the msdb that will basically start a job and wait for completion. I have implemented the certificate signed stored procedure in one database successfully, but would now like to incorporate it into a second database. I was thinking I would be able to use the same certificate to make this happen (create in second database from file).

This does not seem to be the case though. Doing a select on sys.certificates in the second database shows NA for pvt_key_encryption_type and NO_PRIVATE_KEY for pvt_key_encryption_type_desc. I receive the following error when trying to sign the stored procedure in the second database from this certificate

Msg 15556, Level 16, State 1, Line 1
Cannot decrypt or encrypt using the specified certificate, either because it has no private key or because the password provided for the private key is incorrect.


I was wondering if this is possible. And if so if there are any reasons not to do this.

I could see this expanding to other databases in the future and would like to use one certificate (since everything will be targeting the same stored procedure in the msdb database) instead of having to create numerous certificates, logins, users, etc.

Any advise/information is much appreciated.
Thanks,
Sam


Sam,

While you and I have passed emails to resolve the problem, I wanted to post an update here in the comments as well so that anyone else encountering this issue has the reference to how to resolve it. I posted a blog post that details the problem with a repro and then shows how to fix the issue by backing up the private key for the certificate when the certificate is backed up so that the private key can be created with the certificate from the backup files in the new database.

Certificate Signing Stored Procedures in Multiple Databases


Jonathan Kehayias | Principal Consultant | MCM: SQL Server 2008
My Blog | Twitter | MVP Profile
Training | Consulting | Become a SQLskills Insider
Troubleshooting SQL Server: A Guide for Accidental DBAs
Post #1099169
Posted Monday, July 16, 2012 8:45 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Tuesday, August 7, 2012 5:40 AM
Points: 8, Visits: 29
Excellent article.

I was having a permission denied on db_mail when sending a email from a sp that was being executed by Service Broker, and this was despite the user who was was executing existing in msdb.DatabaseMailUserRole and set trustworthy was on.

Ran through the article, created the certificate and assigned it .... success.

ty

Murtagh
Post #1330168
« Prev Topic | Next Topic »

Add to briefcase «««1234»»

Permissions Expand / Collapse