Have you ever had to run a job in SQL Server Agent and needed it to run with different permissions than the login that runs SQL Agent? I have come across this a few times. Most recently, I was trying to run an SSIS package as a SQL Agent job, and one step of the job was trying to launch WinSCP as part of an “Execute Process Task”. The task was able to run and could launch WinSCP, but it was running with the credentials of the SQL Agent service.
The problem with that was that WinSCP stored its sessions in the registry under HKEY_CURRENT_USER. So, when the job launched using the SQL Agent service account, it could not access the values in the registry because it didn’t have the stored session in its hive.
Now, I know there are a few ways to fix this issue, but I chose to set up a SQL Server Agent proxy. A SQL Server Agent proxy gives SQL Server Agent access to the security credentials of a Microsoft Windows user, which is to say it allows the Agent to impersonate that user when it runs that step of the job.
There are a few steps to using a proxy. First you need to set up a credential in SQL Server Management Studio. A credential is a record that contains the authentication information for connecting to resources outside of SQL Server.
Usually credentials consist of a Windows login name and password.
Here are the steps to create a credential.
In SSMS Object Explorer, open the Security folder, right-click Credentials and choose “New Credential”.
Once you open the New Credential window, you are given the option to name the credential. This can be anything you want to call it. It’s for your reference, so choose something that will make sense to you.
Then in the Identity field type the name of the account you are going to use. I used a domain account so when I filled it in I put the format DOMAIN\UserName.
Then I typed the password and typed it again to confirm and clicked OK.
Now you are ready to use these credentials in creating a Proxy.
In Object Explorer, scroll down to “SQL Server Agent” and expand the folder.
Then go to Proxies. In my example I need to be able to run command line applications, so I chose the “Operating System (CmdExec)” proxy.
Right click on the proxy you want to use and choose “New Proxy”.
Once again you are given a window where you enter the name and description for the new proxy. Then you select the “Credential name” by clicking on the three dots.
After that you just select the subsystems this proxy is allowed to access. A good explanation of what each subsystem is can be found here: http://msdn.microsoft.com/en-us/library/ms187100(v=sql.105).aspx
Once you have clicked OK you should now be able to use the Proxy in your SQL Agent Job.
Just go to the pull down for “Run As:” and select your new Proxy.
That is all there is to it. Now your SQL Agent Job will run that step using the credentials you’ve supplied.
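The same setup can be scripted in T-SQL. This is an added example, not the author's own script; the credential, proxy, login and job names, the step number and the password are placeholder assumptions.

```sql
-- Added example. All object names below are placeholders (assumptions).
USE master;
GO
-- Step 1: the credential holds the Windows identity the step will run as.
CREATE CREDENTIAL WinScpCredential
    WITH IDENTITY = N'DOMAIN\UserName',
         SECRET   = N'<password-placeholder>';
GO
USE msdb;
GO
-- Step 2: create the proxy on top of the credential.
EXEC dbo.sp_add_proxy
     @proxy_name      = N'WinScpCmdExecProxy',
     @credential_name = N'WinScpCredential',
     @enabled         = 1,
     @description     = N'Runs the WinSCP step as DOMAIN\UserName';

-- Step 3: allow only the subsystem the step needs (the checkbox list in the
-- New Proxy dialog). The "Run As" list of a job step shows only proxies
-- granted to that step's subsystem.
EXEC dbo.sp_grant_proxy_to_subsystem
     @proxy_name     = N'WinScpCmdExecProxy',
     @subsystem_name = N'CmdExec';

-- Step 4: members of sysadmin can use any proxy; any other job owner needs
-- an explicit grant. Grant it to the one login that owns the job.
EXEC dbo.sp_grant_login_to_proxy
     @login_name = N'DOMAIN\JobOwner',
     @proxy_name = N'WinScpCmdExecProxy';

-- Step 5: the scripted form of choosing the proxy under "Run As".
EXEC dbo.sp_update_jobstep
     @job_name   = N'Nightly SFTP Transfer',
     @step_id    = 2,
     @proxy_name = N'WinScpCmdExecProxy';
GO
-- Review: which identity each proxy impersonates, on which subsystems,
-- and which logins may use it (flags = 0 rows are login grants).
SELECT p.name AS proxy_name, p.enabled, c.credential_identity,
       s.subsystem, SUSER_SNAME(l.sid) AS granted_login
FROM msdb.dbo.sysproxies AS p
JOIN sys.credentials AS c ON c.credential_id = p.credential_id
LEFT JOIN msdb.dbo.sysproxysubsystem AS ps ON ps.proxy_id = p.proxy_id
LEFT JOIN msdb.dbo.syssubsystems AS s ON s.subsystem_id = ps.subsystem_id
LEFT JOIN msdb.dbo.sysproxylogin AS l
       ON l.proxy_id = p.proxy_id AND l.flags = 0
ORDER BY p.name, s.subsystem;
```

The final query is worth keeping as a periodic review: every row is a Windows identity that a job step can run as, so the credential account should hold only the rights that step needs.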
