SQL Clone
SQLServerCentral is supported by Redgate
Log in  ::  Register  ::  Not logged in

Credentials and Proxies: Getting Started

If you’ve been a DBA for more than a day, you probably have a pretty good idea of what a login is.  However, did you know that you can access resources outside of SQL Server without granting the login permissions everywhere, and also run job steps under accounts that don’t have SQL Server access?  Say hello to credentials and proxies.

Credentials allow SQL Server to access servers, shares, and other external resources when the SQL Server login accessing those resources doesn’t have explicit permission to do so.  A credential object is created that stores the necessary user name and password information, and then a SQL Server login can be mapped to the credential.  This even works with SQL Server authentication!

Proxies allow a SQL Server Agent job to run under a credential that has access to do it’s business, even if the account doesn’t have SQL Server access.  Lets walk through an example of creating a credential that a proxy can then make use of.

Football season is around the corner, and I’m feeling a Packers themed credential.  ‘AaronRodgers’ is a domain user with permissions to my Windows server, but not my SQL Server.

USE master
CREATE CREDENTIAL ExampleCredential WITH IDENTITY = 'KREUL01\AaronRodgers', 
SECRET = 'Lambeau12';

Now we add a proxy that is mapped to the credential we just created.

USE msdb

EXEC dbo.sp_add_proxy
    @proxy_name = 'ExampleProxy',
    @enabled = 1,
    @description = 'Powershell Proxy',
    @credential_name = 'ExampleCredential' ;

Once this proxy is added, it will appear in the ‘Unassigned Proxies’ folder under SQL Server Agent.  Right click on the proxy, then select ‘Properties’, and select the subsystems you want to map the proxy to.  Note that running T-SQL is not an option here, as those jobs must run under a database login.  I chose Powershell for this example.



Now, when you add a job step in a SQL Server Agent job and select a subsystem you assigned the proxy to,  you’ll be able to run the step as the proxy instead of the SQL Server Agent account.  Hooray for limited exposure!


Adam Kreul | Blog

I am currently a Senior DBA for Integrys Energy Services in Green Bay, WI. I’ve been a DBA since 2008 and have worked primarily with SQL Server versions 2005 and above supporting databases as large as 6TB.

Although my title says “DBA”, I also play the role of SAN administrator and data warehouse developer. I love learning and applying new technology and have a passion for making the environment I support as fast as possible. My blog is syndicated from www.adamkreul.com and you can follow me on Twitter at @AdamKreul.


Leave a comment on the original post [www.adamkreul.com, opens in a new window]

Loading comments...