January 13, 2008 at 4:41 am
I have a SQL Server box and a IIS box. I need to run a stored proc that reads an uploaded file from the IIS box. The stored proc is like this;
DECLARE @xml xml
SELECT @xml=CAST(BulkColumn as xml) FROM OPENROWSET(BULK N'\\IISServer\Data\MyData.xml', SINGLE_BLOB) A;
Problem is that I get "Access denied" reading the MyData.xml when logged on as "sa" user (or any other login I've created). If I log into Managment Studio with Windows Authentication, there is no problem.
So question is how can I give the login the permission to read from the network drive?
Atle
January 13, 2008 at 8:15 am
The user that the SQL Service logs in as, must have permission to "see" the share.
--Jeff Moden
Change is inevitable... Change for the better is not.
January 14, 2008 at 1:41 am
The sql login created by you or for that matter sa would not have access to the network resource. So whenever you run the job you get the access denied error where as the windows login you use must have got access to the netwrok share.
If you want to run the job by sa or any other login then create a credential and associate the sql login to that credential and then you will not get the error.
Else you can use the Execute As option to execute te procedure.
January 14, 2008 at 2:48 am
Thanks!
But it won't work. As a test I created a CREDENTIAL using the Windows server 'administrator' login (that login shoud have all needed permissions I should believe)
CREATE CREDENTIAL AdminCred WITH IDENTITY = 'administrator',
SECRET = 'xxxzxxxxaa';
GO
I added the credential to a SQL login named IIS like this:
ALTER LOGIN IIS WITH CREDENTIAL = AdminCred;
If I log on SQL Server as IIS I still get "Access is denied". Can you see what I might have done wrong?
Atle
January 14, 2008 at 5:54 am
Heh... lemme say it again...
The user that the SQL Service logs in as, must have permission to "see" the share.
--Jeff Moden
Change is inevitable... Change for the better is not.
January 14, 2008 at 8:22 am
Yes. That did the trick, Thanks Jeff!
Sorry I didn't check out your post good enought. Second try - it worked.
Atle
January 14, 2008 at 4:16 pm
Perfect... thanks for taking the time to post your feedback!
--Jeff Moden
Change is inevitable... Change for the better is not.
January 14, 2008 at 9:55 pm
I am still pretty old school in regards to my SQL sevice account accessing file resources.
Now of course every environment is different, but I have seen way to much access given to the SQL Service account at the network level in recent years. I mostly blame ease of use of the sql client, but this is a big security problem in my opinion.
This is not pointed at the poster but a general observation.
Viewing 8 posts - 1 through 8 (of 8 total)
You must be logged in to reply to this topic. Login to reply