Credentials and Proxies: Getting Started

2015-08-04

If you’ve been a DBA for more than a day, you probably have a pretty good idea of what a login is.  However, did you know that you can access resources outside of SQL Server without granting the login permissions everywhere, and also run job steps under accounts that don’t have SQL Server access?  Say hello to credentials and proxies.

Credentials allow SQL Server to access servers, shares, and other external resources when the SQL Server login accessing those resources doesn’t have explicit permission to do so.  A credential object is created that stores the necessary user name and password information, and then a SQL Server login can be mapped to the credential.  This even works with SQL Server authentication!

Proxies allow a SQL Server Agent job to run under a credential that has the access it needs to do its business, even if the account doesn’t have SQL Server access.  Let’s walk through an example of creating a credential that a proxy can then make use of.

Football season is around the corner, and I’m feeling a Packers themed credential.  ‘AaronRodgers’ is a domain user with permissions to my Windows server, but not my SQL Server.

USE master;
-- IDENTITY is the Windows account; SECRET is that account's password.
CREATE CREDENTIAL ExampleCredential WITH IDENTITY = 'KREUL01\AaronRodgers', 
SECRET = 'Lambeau12';

Now we add a proxy that is mapped to the credential we just created.

USE msdb;
-- Create the Agent proxy and bind it to the credential created above.
EXEC dbo.sp_add_proxy
    @proxy_name = 'ExampleProxy',
    @enabled = 1,
    @description = 'Powershell Proxy',
    @credential_name = 'ExampleCredential' ;

Once this proxy is added, it will appear in the ‘Unassigned Proxies’ folder under SQL Server Agent.  Right-click on the proxy, then select ‘Properties’, and select the subsystems you want to map the proxy to.  Note that running T-SQL is not an option here, as those jobs must run under a database login.  I chose PowerShell for this example.



Now, when you add a job step in a SQL Server Agent job and select a subsystem you assigned the proxy to,  you’ll be able to run the step as the proxy instead of the SQL Server Agent account.  Hooray for limited exposure!
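The subsystem mapping and job step described above can also be scripted. The following is an added example, not code from the original post: the job name, step name and PowerShell command are hypothetical, and it assumes ExampleCredential and ExampleProxy were created as shown earlier. It ends with a query that lists every proxy with the credential identity and subsystems it is tied to, which is useful when reviewing how much exposure each proxy carries.

```sql
USE msdb;
GO

-- T-SQL equivalent of ticking 'PowerShell' in the proxy's Properties dialog.
EXEC dbo.sp_grant_proxy_to_subsystem
    @proxy_name     = N'ExampleProxy',
    @subsystem_name = N'PowerShell';

-- Hypothetical one-step job whose step runs as the proxy instead of the
-- SQL Server Agent service account.
EXEC dbo.sp_add_job
    @job_name = N'ExampleProxyJob';

EXEC dbo.sp_add_jobstep
    @job_name   = N'ExampleProxyJob',
    @step_name  = N'Show effective Windows identity',
    @subsystem  = N'PowerShell',
    -- Writes the account the step actually ran as to the job step history;
    -- with the proxy in place this should be the credential's identity.
    @command    = N'[Security.Principal.WindowsIdentity]::GetCurrent().Name',
    @proxy_name = N'ExampleProxy';

-- Target the local server so the job can be started.
EXEC dbo.sp_add_jobserver
    @job_name = N'ExampleProxyJob';
GO

-- Review: which proxy uses which credential identity, on which subsystems.
-- A proxy with no subsystem rows is still 'unassigned'.
SELECT  p.name                AS proxy_name,
        p.enabled,
        c.name                AS credential_name,
        c.credential_identity AS windows_identity,
        s.subsystem
FROM    dbo.sysproxies             AS p
JOIN    sys.credentials            AS c  ON c.credential_id = p.credential_id
LEFT JOIN dbo.sysproxysubsystem    AS ps ON ps.proxy_id     = p.proxy_id
LEFT JOIN dbo.syssubsystems        AS s  ON s.subsystem_id  = ps.subsystem_id
ORDER BY p.name, s.subsystem;
```

Members of sysadmin can use any proxy; other job owners must be granted access to a specific proxy with msdb.dbo.sp_grant_login_to_proxy before they can select it in a job step.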





