Home Forums SQL Server 2017 SQL Server 2017 - Development Proxy account not working in stored procedure RE: Proxy account not working in stored procedure

  • May 3, 2018 at 8:02 am

    #1989080

    jack_walker - Thursday, May 3, 2018 7:18 AM

    For the first error you posted before this, you still need to grant execute permissions on xp_cmdshell to the standard user. If you grant execute and do NOT have a proxy, they will get an error. 

    I have set up the credential ##xp_cmdshell_proxy_account## with my own network credentials (to test).  I was under the impression that when the standard SQL Server user tried to execute xp_cmdshell, that SQL Server would use the credentials stored in ##xp_cmdshell_proxy_account## to execute.  Is that not right?

    The proxy account is to allow a non-sysadmin to execute xp_cmdshell. Otherwise you can grant permissions for a non-sysadmin to execute xp_cmdshell and they would not be able to since the are not sysadmins.
    When you execute sp_xp_cmdshell_proxy_account, you don't need to use a sysadmin - the user will connect to windows under the security context of the credentials used for the proxy. And the user needs to have permissions to execute xp_cmdshell to actually invoke the process with the proxy. Once they log on and nothing else, they aren't operating under the security context of the proxy. It's only when they execute xp_cmdshell that the proxy becomes involved and they can't get there if they don't have permissions to execute xp_cmdshell in the first place. This article has a decent walkthrough on creating the proxy:
    Creating a SQL Server proxy account to run xp_cmdshell

    Sue