Using a Different Windows Account for Invoke-Sqlcmdsecurely exposing sql server 2008 for windows...
Where was Karl Mordo in Infinity War?
How to properly claim credit for peer review?
Does music exist in Panem? And if so, what kinds of music?
Can this function be rewritten with a regex?
Are small insurances worth it
How do I construct an nxn matrix?
What is the wife of a henpecked husband called?
Is there a frame of reference in which I was born before I was conceived?
Six real numbers so that product of any five is the sixth one
Significance and timing of "mux scans"
Replacement ford fiesta radiator has extra hose
How can atoms be electrically neutral when there is a difference in the positions of the charges?
How to tighten battery clamp?
It took me a lot of time to make this, pls like. (YouTube Comments #1)
Find the next monthly expiration date
Pure Functions: Does "No Side Effects" Imply "Always Same Output, Given Same Input"?
Auto Insert date into Notepad
Why do members of Congress in committee hearings ask witnesses the same question multiple times?
Skis versus snow shoes - when to choose which for travelling the backcountry?
Has the Isbell–Freyd criterion ever been used to check that a category is concretisable?
Logistics of a hovering watercraft in a fantasy setting
Can I become debt free or should I file for bankruptcy? How do I manage my debt and finances?
Casually inserting sexuality
Is my plan for fixing my water heater leak bad?
Using a Different Windows Account for Invoke-Sqlcmd
securely exposing sql server 2008 for windows authenticationAlways being logged in as SA and not Windows accountEncrypted Connection on Sql ServerPostgres and Windows AD using windows authenticationRunning sp_AskBrent with @ExpertMode = 1 in PowerShellHow to find the 'Instance ID' for PowerShell Invoke-TroubleshootingPack?In SQL Server and using only client side encryption requests, can I use a different certificate for each client?Switch Between Windows Authenticated Users On Single Windows AccountI want Powershell's invoke-sqlcmd to ignore SQL execution errorsHow can I use Invoke-SqlCmd with variables to output the SQL command only or some similar method?
I'm attempting to make a Powershell script that needs to interact with SQL Server, so part of the script will involve invoke-sqlcmd. However, the script can't be scheduled as a job in SQL Server and thus make use of the Agent to act as the Windows account used for authentication. Instead, it is going to be run using a different service under an arbitrary Windows account. The documentation for invoke-sqlcmd states that the -Username and -Password parameters are for SQL Server authentication, not Windows, and that it defaults to using the Windows account that is running the script for authentication if no SQL Server parameters are provided.
Is there any way to allow invoke-sqlcmd to use an arbitrary Windows account for authentication instead of the one it's being run under? I am aware that a possible solution would be to make accounts on the SQL Server instances that I want to run the script for and just use the SQL Server authentication option on the command, but I would ideally not want to have to do that. Some other research has also shown that a certificate could be an option to pursue, but I don't think that invoke-sqlcmd can take in certificates or otherwise utilize them like suggested. I could be wrong here though.
sql-server windows authentication powershell
asked Dec 30 '15 at 20:52
Dylan BaconDylan Bacon
1421211
add a comment |
I'm attempting to make a Powershell script that needs to interact with SQL Server, so part of the script will involve invoke-sqlcmd. However, the script can't be scheduled as a job in SQL Server and thus make use of the Agent to act as the Windows account used for authentication. Instead, it is going to be run using a different service under an arbitrary Windows account. The documentation for invoke-sqlcmd states that the -Username and -Password parameters are for SQL Server authentication, not Windows, and that it defaults to using the Windows account that is running the script for authentication if no SQL Server parameters are provided.
Is there any way to allow invoke-sqlcmd to use an arbitrary Windows account for authentication instead of the one it's being run under? I am aware that a possible solution would be to make accounts on the SQL Server instances that I want to run the script for and just use the SQL Server authentication option on the command, but I would ideally not want to have to do that. Some other research has also shown that a certificate could be an option to pursue, but I don't think that invoke-sqlcmd can take in certificates or otherwise utilize them like suggested. I could be wrong here though.
sql-server windows authentication powershell
asked Dec 30 '15 at 20:52
Dylan BaconDylan Bacon
1421211
1
Check this answer for one possible way to use Impersonation to log onto a remote server.
– Max Vernon
Dec 30 '15 at 21:07
I use that method all the time to connect my SSMS on my local machine to my client's SQL Server. Great for "authenticating". Still relies on keeping a password in an encrypted file/store or in plain text somewhere if you want to use it in an automated fashion.
– Jonathan Fite
Dec 30 '15 at 21:12
I'll investigate that as well as a possible solution. Thank you.
– Dylan Bacon
Dec 30 '15 at 21:14
@DylanBacon, I wouldn't go down that route, if you are going to launch a new thread with a different domain credential you can already do that without using the NETONLY methods, it just adds complexity. I find it useful when I'm crossing domains that don't trust each other (as from my company laptop to a customer's SQL Server).
– Jonathan Fite
Dec 30 '15 at 21:17
1
FYI, this is the command. runas /user:DOMAINAccount /netonly "C:Program Files (x86)Microsoft SQL Server110ToolsBinnManagementStudiossms.exe" it then prompts for the password for the account you specified.
– Jonathan Fite
Dec 30 '15 at 21:21
add a comment |
I'm attempting to make a Powershell script that needs to interact with SQL Server, so part of the script will involve invoke-sqlcmd. However, the script can't be scheduled as a job in SQL Server and thus make use of the Agent to act as the Windows account used for authentication. Instead, it is going to be run using a different service under an arbitrary Windows account. The documentation for invoke-sqlcmd states that the -Username and -Password parameters are for SQL Server authentication, not Windows, and that it defaults to using the Windows account that is running the script for authentication if no SQL Server parameters are provided.
Is there any way to allow invoke-sqlcmd to use an arbitrary Windows account for authentication instead of the one it's being run under? I am aware that a possible solution would be to make accounts on the SQL Server instances that I want to run the script for and just use the SQL Server authentication option on the command, but I would ideally not want to have to do that. Some other research has also shown that a certificate could be an option to pursue, but I don't think that invoke-sqlcmd can take in certificates or otherwise utilize them like suggested. I could be wrong here though.
sql-server windows authentication powershell
asked Dec 30 '15 at 20:52
Dylan BaconDylan Bacon
1421211
I'm attempting to make a Powershell script that needs to interact with SQL Server, so part of the script will involve invoke-sqlcmd. However, the script can't be scheduled as a job in SQL Server and thus make use of the Agent to act as the Windows account used for authentication. Instead, it is going to be run using a different service under an arbitrary Windows account. The documentation for invoke-sqlcmd states that the -Username and -Password parameters are for SQL Server authentication, not Windows, and that it defaults to using the Windows account that is running the script for authentication if no SQL Server parameters are provided.
Is there any way to allow invoke-sqlcmd to use an arbitrary Windows account for authentication instead of the one it's being run under? I am aware that a possible solution would be to make accounts on the SQL Server instances that I want to run the script for and just use the SQL Server authentication option on the command, but I would ideally not want to have to do that. Some other research has also shown that a certificate could be an option to pursue, but I don't think that invoke-sqlcmd can take in certificates or otherwise utilize them like suggested. I could be wrong here though.
sql-server windows authentication powershell
sql-server windows authentication powershell
asked Dec 30 '15 at 20:52
Dylan BaconDylan Bacon
1421211
asked Dec 30 '15 at 20:52
Dylan BaconDylan Bacon
1421211
asked Dec 30 '15 at 20:52
Dylan BaconDylan Bacon
1421211
asked Dec 30 '15 at 20:52
Dylan BaconDylan Bacon
1421211
asked Dec 30 '15 at 20:52
Dylan BaconDylan Bacon
1421211
1421211
1
Check this answer for one possible way to use Impersonation to log onto a remote server.
– Max Vernon
Dec 30 '15 at 21:07
I use that method all the time to connect my SSMS on my local machine to my client's SQL Server. Great for "authenticating". Still relies on keeping a password in an encrypted file/store or in plain text somewhere if you want to use it in an automated fashion.
– Jonathan Fite
Dec 30 '15 at 21:12
I'll investigate that as well as a possible solution. Thank you.
– Dylan Bacon
Dec 30 '15 at 21:14
@DylanBacon, I wouldn't go down that route, if you are going to launch a new thread with a different domain credential you can already do that without using the NETONLY methods, it just adds complexity. I find it useful when I'm crossing domains that don't trust each other (as from my company laptop to a customer's SQL Server).
– Jonathan Fite
Dec 30 '15 at 21:17
1
FYI, this is the command. runas /user:DOMAINAccount /netonly "C:Program Files (x86)Microsoft SQL Server110ToolsBinnManagementStudiossms.exe" it then prompts for the password for the account you specified.
– Jonathan Fite
Dec 30 '15 at 21:21
add a comment |
1
Check this answer for one possible way to use Impersonation to log onto a remote server.
– Max Vernon
Dec 30 '15 at 21:07
I use that method all the time to connect my SSMS on my local machine to my client's SQL Server. Great for "authenticating". Still relies on keeping a password in an encrypted file/store or in plain text somewhere if you want to use it in an automated fashion.
– Jonathan Fite
Dec 30 '15 at 21:12
I'll investigate that as well as a possible solution. Thank you.
– Dylan Bacon
Dec 30 '15 at 21:14
@DylanBacon, I wouldn't go down that route, if you are going to launch a new thread with a different domain credential you can already do that without using the NETONLY methods, it just adds complexity. I find it useful when I'm crossing domains that don't trust each other (as from my company laptop to a customer's SQL Server).
– Jonathan Fite
Dec 30 '15 at 21:17
1
FYI, this is the command. runas /user:DOMAINAccount /netonly "C:Program Files (x86)Microsoft SQL Server110ToolsBinnManagementStudiossms.exe" it then prompts for the password for the account you specified.
– Jonathan Fite
Dec 30 '15 at 21:21
1
1
Check this answer for one possible way to use Impersonation to log onto a remote server.
– Max Vernon
Dec 30 '15 at 21:07
Check this answer for one possible way to use Impersonation to log onto a remote server.
– Max Vernon
Dec 30 '15 at 21:07
I use that method all the time to connect my SSMS on my local machine to my client's SQL Server. Great for "authenticating". Still relies on keeping a password in an encrypted file/store or in plain text somewhere if you want to use it in an automated fashion.
– Jonathan Fite
Dec 30 '15 at 21:12
I use that method all the time to connect my SSMS on my local machine to my client's SQL Server. Great for "authenticating". Still relies on keeping a password in an encrypted file/store or in plain text somewhere if you want to use it in an automated fashion.
– Jonathan Fite
Dec 30 '15 at 21:12
I'll investigate that as well as a possible solution. Thank you.
– Dylan Bacon
Dec 30 '15 at 21:14
I'll investigate that as well as a possible solution. Thank you.
– Dylan Bacon
Dec 30 '15 at 21:14
@DylanBacon, I wouldn't go down that route, if you are going to launch a new thread with a different domain credential you can already do that without using the NETONLY methods, it just adds complexity. I find it useful when I'm crossing domains that don't trust each other (as from my company laptop to a customer's SQL Server).
– Jonathan Fite
Dec 30 '15 at 21:17
@DylanBacon, I wouldn't go down that route, if you are going to launch a new thread with a different domain credential you can already do that without using the NETONLY methods, it just adds complexity. I find it useful when I'm crossing domains that don't trust each other (as from my company laptop to a customer's SQL Server).
– Jonathan Fite
Dec 30 '15 at 21:17
1
1
FYI, this is the command. runas /user:DOMAINAccount /netonly "C:Program Files (x86)Microsoft SQL Server110ToolsBinnManagementStudiossms.exe" it then prompts for the password for the account you specified.
– Jonathan Fite
Dec 30 '15 at 21:21
FYI, this is the command. runas /user:DOMAINAccount /netonly "C:Program Files (x86)Microsoft SQL Server110ToolsBinnManagementStudiossms.exe" it then prompts for the password for the account you specified.
– Jonathan Fite
Dec 30 '15 at 21:21
add a comment |
2 Answers
2
active
oldest
votes
You could grant the account that is going to run the job the necessary permissions onto the SQL Server to run the query. That would be the easiest. If you are going to use Task Scheduler, it even gives a method for specifying the account to use.
The next best would be to use SQL Authentication.
Finally, you can use PowerShell to invoke a new thread to run under a different windows account, that thread then to use Invoke-sql. However, the password then needs to be stored somewhere somehow (usually encrypted in a file). This is not the best solution and not one that I would recommend using.
answered Dec 30 '15 at 21:02
Jonathan FiteJonathan Fite
4,088818
I should have specified that I'm in an enterprise environment where 'permissions' are a carefully guarded and taped thing, but I will agree that it would be the easiest solution if possible.
– Dylan Bacon
Dec 30 '15 at 21:05
Unfortunately, there isn't much wriggle room on this. The thread has to somehow get authenticated as the desired windows account and there are only a few ways to do that, and most don't store the password securely. Is there a reason they don't want to run the job from SQL Agent? You could setup proxy accounts fairly easily to limit permissions.
– Jonathan Fite
Dec 30 '15 at 21:08
Hah, more along the lines of 'red tape'. Worries about SQL Server account vulnerabilities are the main reason we are trying to avoid them, I believe. But if forcing a form of Windows authentication is circumventing security in other ways (As most solutions seem to need), then the SQL authentication is probably the lesser of evils. Either way, this answer offers suggestions enough that I'll accept it.
– Dylan Bacon
Dec 30 '15 at 21:12
1
Probably best to have a windows account created for this task and then have the task scheduler run the job using those credentials. Then give that windows account just the permissions it needs to get the job done. It's a bit of a pain but probably fits in their security review models better than turning on SQL authentication if they are already against it.
– Jonathan Fite
Dec 30 '15 at 21:19
add a comment |
An alternative, I created a wrapper for Invoke-Sqlcmd for my libraries to use which makes use of Start-Job:
function Invoke-InternalSqlcmd {
[CmdletBinding()]
param (
[Parameter(Mandatory=$true)][string] $Query,
[Parameter(Mandatory=$true)][string] $Database,
[Parameter(Mandatory=$false)][System.Management.Automation.PSCredential] $Credential
)
if (-not $Credential) {
return Invoke-SqlCmd -Query $Query -Database $Database
}
else {
$ScriptBlock = {
param($Query,$Database)
$ErrorActionPreference = 'Stop';
return @{ Result = Invoke-SqlCmd -Query $Query -Database $Database }
}
$Job = Start-Job -Credential $Credential -ScriptBlock $ScriptBlock -ArgumentList $Query,$Database
$JobResult = Wait-Job $Job;
if ($JobResult.State -eq 'Completed') {
return (Receive-Job $Job).Result
}
throw [Exception]::new("Error occurred while executing sql as $($Credential.UserName) $([System.Environment]::NewLine)$($JobResult.ChildJobs[0].JobStateInfo.Reason)", $JobResult.ChildJobs[0].JobStateInfo.Reason)
}
}
Pros
- Works!
- Does not use WinRM
- Returns the exact result that
Invoke-Sqlcmdreturns - Returns errors
Cons
- Running PS jobs has a nasty overhead. Anywhere between 2-10 seconds. This might not be a big deal but it depends on how long the code you are executing will run.
- Doesn't respect
ErrorActionPreferenceand will always throw on error. Can be fixed if needed.
I am running in a locked down environment that does not have access to WinRM, and my tasks are long running so this suits my needs. If you want better performance then you could easily replace the job code with Runspaces, as long as you are happy to use WinRM.
answered 5 mins ago
elexiselexis
1012
New contributor
elexis is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "182"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdba.stackexchange.com%2fquestions%2f124891%2fusing-a-different-windows-account-for-invoke-sqlcmd%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
You could grant the account that is going to run the job the necessary permissions onto the SQL Server to run the query. That would be the easiest. If you are going to use Task Scheduler, it even gives a method for specifying the account to use.
The next best would be to use SQL Authentication.
Finally, you can use PowerShell to invoke a new thread to run under a different windows account, that thread then to use Invoke-sql. However, the password then needs to be stored somewhere somehow (usually encrypted in a file). This is not the best solution and not one that I would recommend using.
answered Dec 30 '15 at 21:02
Jonathan FiteJonathan Fite
4,088818
I should have specified that I'm in an enterprise environment where 'permissions' are a carefully guarded and taped thing, but I will agree that it would be the easiest solution if possible.
– Dylan Bacon
Dec 30 '15 at 21:05
Unfortunately, there isn't much wriggle room on this. The thread has to somehow get authenticated as the desired windows account and there are only a few ways to do that, and most don't store the password securely. Is there a reason they don't want to run the job from SQL Agent? You could setup proxy accounts fairly easily to limit permissions.
– Jonathan Fite
Dec 30 '15 at 21:08
Hah, more along the lines of 'red tape'. Worries about SQL Server account vulnerabilities are the main reason we are trying to avoid them, I believe. But if forcing a form of Windows authentication is circumventing security in other ways (As most solutions seem to need), then the SQL authentication is probably the lesser of evils. Either way, this answer offers suggestions enough that I'll accept it.
– Dylan Bacon
Dec 30 '15 at 21:12
1
Probably best to have a windows account created for this task and then have the task scheduler run the job using those credentials. Then give that windows account just the permissions it needs to get the job done. It's a bit of a pain but probably fits in their security review models better than turning on SQL authentication if they are already against it.
– Jonathan Fite
Dec 30 '15 at 21:19
add a comment |
You could grant the account that is going to run the job the necessary permissions onto the SQL Server to run the query. That would be the easiest. If you are going to use Task Scheduler, it even gives a method for specifying the account to use.
The next best would be to use SQL Authentication.
Finally, you can use PowerShell to invoke a new thread to run under a different windows account, that thread then to use Invoke-sql. However, the password then needs to be stored somewhere somehow (usually encrypted in a file). This is not the best solution and not one that I would recommend using.
answered Dec 30 '15 at 21:02
Jonathan FiteJonathan Fite
4,088818
I should have specified that I'm in an enterprise environment where 'permissions' are a carefully guarded and taped thing, but I will agree that it would be the easiest solution if possible.
– Dylan Bacon
Dec 30 '15 at 21:05
Unfortunately, there isn't much wriggle room on this. The thread has to somehow get authenticated as the desired windows account and there are only a few ways to do that, and most don't store the password securely. Is there a reason they don't want to run the job from SQL Agent? You could setup proxy accounts fairly easily to limit permissions.
– Jonathan Fite
Dec 30 '15 at 21:08
Hah, more along the lines of 'red tape'. Worries about SQL Server account vulnerabilities are the main reason we are trying to avoid them, I believe. But if forcing a form of Windows authentication is circumventing security in other ways (As most solutions seem to need), then the SQL authentication is probably the lesser of evils. Either way, this answer offers suggestions enough that I'll accept it.
– Dylan Bacon
Dec 30 '15 at 21:12
1
Probably best to have a windows account created for this task and then have the task scheduler run the job using those credentials. Then give that windows account just the permissions it needs to get the job done. It's a bit of a pain but probably fits in their security review models better than turning on SQL authentication if they are already against it.
– Jonathan Fite
Dec 30 '15 at 21:19
add a comment |
You could grant the account that is going to run the job the necessary permissions onto the SQL Server to run the query. That would be the easiest. If you are going to use Task Scheduler, it even gives a method for specifying the account to use.
The next best would be to use SQL Authentication.
Finally, you can use PowerShell to invoke a new thread to run under a different windows account, that thread then to use Invoke-sql. However, the password then needs to be stored somewhere somehow (usually encrypted in a file). This is not the best solution and not one that I would recommend using.
answered Dec 30 '15 at 21:02
Jonathan FiteJonathan Fite
4,088818
You could grant the account that is going to run the job the necessary permissions onto the SQL Server to run the query. That would be the easiest. If you are going to use Task Scheduler, it even gives a method for specifying the account to use.
The next best would be to use SQL Authentication.
Finally, you can use PowerShell to invoke a new thread to run under a different windows account, that thread then to use Invoke-sql. However, the password then needs to be stored somewhere somehow (usually encrypted in a file). This is not the best solution and not one that I would recommend using.
answered Dec 30 '15 at 21:02
Jonathan FiteJonathan Fite
4,088818
answered Dec 30 '15 at 21:02
Jonathan FiteJonathan Fite
4,088818
answered Dec 30 '15 at 21:02
Jonathan FiteJonathan Fite
4,088818
answered Dec 30 '15 at 21:02
Jonathan FiteJonathan Fite
4,088818
4,088818
I should have specified that I'm in an enterprise environment where 'permissions' are a carefully guarded and taped thing, but I will agree that it would be the easiest solution if possible.
– Dylan Bacon
Dec 30 '15 at 21:05
Unfortunately, there isn't much wriggle room on this. The thread has to somehow get authenticated as the desired windows account and there are only a few ways to do that, and most don't store the password securely. Is there a reason they don't want to run the job from SQL Agent? You could setup proxy accounts fairly easily to limit permissions.
– Jonathan Fite
Dec 30 '15 at 21:08
Hah, more along the lines of 'red tape'. Worries about SQL Server account vulnerabilities are the main reason we are trying to avoid them, I believe. But if forcing a form of Windows authentication is circumventing security in other ways (As most solutions seem to need), then the SQL authentication is probably the lesser of evils. Either way, this answer offers suggestions enough that I'll accept it.
– Dylan Bacon
Dec 30 '15 at 21:12
1
Probably best to have a windows account created for this task and then have the task scheduler run the job using those credentials. Then give that windows account just the permissions it needs to get the job done. It's a bit of a pain but probably fits in their security review models better than turning on SQL authentication if they are already against it.
– Jonathan Fite
Dec 30 '15 at 21:19
add a comment |
I should have specified that I'm in an enterprise environment where 'permissions' are a carefully guarded and taped thing, but I will agree that it would be the easiest solution if possible.
– Dylan Bacon
Dec 30 '15 at 21:05
Unfortunately, there isn't much wriggle room on this. The thread has to somehow get authenticated as the desired windows account and there are only a few ways to do that, and most don't store the password securely. Is there a reason they don't want to run the job from SQL Agent? You could setup proxy accounts fairly easily to limit permissions.
– Jonathan Fite
Dec 30 '15 at 21:08
Hah, more along the lines of 'red tape'. Worries about SQL Server account vulnerabilities are the main reason we are trying to avoid them, I believe. But if forcing a form of Windows authentication is circumventing security in other ways (As most solutions seem to need), then the SQL authentication is probably the lesser of evils. Either way, this answer offers suggestions enough that I'll accept it.
– Dylan Bacon
Dec 30 '15 at 21:12
1
Probably best to have a windows account created for this task and then have the task scheduler run the job using those credentials. Then give that windows account just the permissions it needs to get the job done. It's a bit of a pain but probably fits in their security review models better than turning on SQL authentication if they are already against it.
– Jonathan Fite
Dec 30 '15 at 21:19
I should have specified that I'm in an enterprise environment where 'permissions' are a carefully guarded and taped thing, but I will agree that it would be the easiest solution if possible.
– Dylan Bacon
Dec 30 '15 at 21:05
I should have specified that I'm in an enterprise environment where 'permissions' are a carefully guarded and taped thing, but I will agree that it would be the easiest solution if possible.
– Dylan Bacon
Dec 30 '15 at 21:05
Unfortunately, there isn't much wriggle room on this. The thread has to somehow get authenticated as the desired windows account and there are only a few ways to do that, and most don't store the password securely. Is there a reason they don't want to run the job from SQL Agent? You could setup proxy accounts fairly easily to limit permissions.
– Jonathan Fite
Dec 30 '15 at 21:08
Unfortunately, there isn't much wriggle room on this. The thread has to somehow get authenticated as the desired windows account and there are only a few ways to do that, and most don't store the password securely. Is there a reason they don't want to run the job from SQL Agent? You could setup proxy accounts fairly easily to limit permissions.
– Jonathan Fite
Dec 30 '15 at 21:08
Hah, more along the lines of 'red tape'. Worries about SQL Server account vulnerabilities are the main reason we are trying to avoid them, I believe. But if forcing a form of Windows authentication is circumventing security in other ways (As most solutions seem to need), then the SQL authentication is probably the lesser of evils. Either way, this answer offers suggestions enough that I'll accept it.
– Dylan Bacon
Dec 30 '15 at 21:12
Hah, more along the lines of 'red tape'. Worries about SQL Server account vulnerabilities are the main reason we are trying to avoid them, I believe. But if forcing a form of Windows authentication is circumventing security in other ways (As most solutions seem to need), then the SQL authentication is probably the lesser of evils. Either way, this answer offers suggestions enough that I'll accept it.
– Dylan Bacon
Dec 30 '15 at 21:12
1
1
Probably best to have a windows account created for this task and then have the task scheduler run the job using those credentials. Then give that windows account just the permissions it needs to get the job done. It's a bit of a pain but probably fits in their security review models better than turning on SQL authentication if they are already against it.
– Jonathan Fite
Dec 30 '15 at 21:19
Probably best to have a windows account created for this task and then have the task scheduler run the job using those credentials. Then give that windows account just the permissions it needs to get the job done. It's a bit of a pain but probably fits in their security review models better than turning on SQL authentication if they are already against it.
– Jonathan Fite
Dec 30 '15 at 21:19
add a comment |
An alternative, I created a wrapper for Invoke-Sqlcmd for my libraries to use which makes use of Start-Job:
function Invoke-InternalSqlcmd {
[CmdletBinding()]
param (
[Parameter(Mandatory=$true)][string] $Query,
[Parameter(Mandatory=$true)][string] $Database,
[Parameter(Mandatory=$false)][System.Management.Automation.PSCredential] $Credential
)
if (-not $Credential) {
return Invoke-SqlCmd -Query $Query -Database $Database
}
else {
$ScriptBlock = {
param($Query,$Database)
$ErrorActionPreference = 'Stop';
return @{ Result = Invoke-SqlCmd -Query $Query -Database $Database }
}
$Job = Start-Job -Credential $Credential -ScriptBlock $ScriptBlock -ArgumentList $Query,$Database
$JobResult = Wait-Job $Job;
if ($JobResult.State -eq 'Completed') {
return (Receive-Job $Job).Result
}
throw [Exception]::new("Error occurred while executing sql as $($Credential.UserName) $([System.Environment]::NewLine)$($JobResult.ChildJobs[0].JobStateInfo.Reason)", $JobResult.ChildJobs[0].JobStateInfo.Reason)
}
}
Pros
- Works!
- Does not use WinRM
- Returns the exact result that
Invoke-Sqlcmdreturns - Returns errors
Cons
- Running PS jobs has a nasty overhead. Anywhere between 2-10 seconds. This might not be a big deal but it depends on how long the code you are executing will run.
- Doesn't respect
ErrorActionPreferenceand will always throw on error. Can be fixed if needed.
I am running in a locked down environment that does not have access to WinRM, and my tasks are long running so this suits my needs. If you want better performance then you could easily replace the job code with Runspaces, as long as you are happy to use WinRM.
answered 5 mins ago
elexiselexis
1012
New contributor
elexis is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
An alternative, I created a wrapper for Invoke-Sqlcmd for my libraries to use which makes use of Start-Job:
function Invoke-InternalSqlcmd {
[CmdletBinding()]
param (
[Parameter(Mandatory=$true)][string] $Query,
[Parameter(Mandatory=$true)][string] $Database,
[Parameter(Mandatory=$false)][System.Management.Automation.PSCredential] $Credential
)
if (-not $Credential) {
return Invoke-SqlCmd -Query $Query -Database $Database
}
else {
$ScriptBlock = {
param($Query,$Database)
$ErrorActionPreference = 'Stop';
return @{ Result = Invoke-SqlCmd -Query $Query -Database $Database }
}
$Job = Start-Job -Credential $Credential -ScriptBlock $ScriptBlock -ArgumentList $Query,$Database
$JobResult = Wait-Job $Job;
if ($JobResult.State -eq 'Completed') {
return (Receive-Job $Job).Result
}
throw [Exception]::new("Error occurred while executing sql as $($Credential.UserName) $([System.Environment]::NewLine)$($JobResult.ChildJobs[0].JobStateInfo.Reason)", $JobResult.ChildJobs[0].JobStateInfo.Reason)
}
}
Pros
- Works!
- Does not use WinRM
- Returns the exact result that
Invoke-Sqlcmdreturns - Returns errors
Cons
- Running PS jobs has a nasty overhead. Anywhere between 2-10 seconds. This might not be a big deal but it depends on how long the code you are executing will run.
- Doesn't respect
ErrorActionPreferenceand will always throw on error. Can be fixed if needed.
I am running in a locked down environment that does not have access to WinRM, and my tasks are long running so this suits my needs. If you want better performance then you could easily replace the job code with Runspaces, as long as you are happy to use WinRM.
answered 5 mins ago
elexiselexis
1012
New contributor
elexis is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
An alternative, I created a wrapper for Invoke-Sqlcmd for my libraries to use which makes use of Start-Job:
function Invoke-InternalSqlcmd {
[CmdletBinding()]
param (
[Parameter(Mandatory=$true)][string] $Query,
[Parameter(Mandatory=$true)][string] $Database,
[Parameter(Mandatory=$false)][System.Management.Automation.PSCredential] $Credential
)
if (-not $Credential) {
return Invoke-SqlCmd -Query $Query -Database $Database
}
else {
$ScriptBlock = {
param($Query,$Database)
$ErrorActionPreference = 'Stop';
return @{ Result = Invoke-SqlCmd -Query $Query -Database $Database }
}
$Job = Start-Job -Credential $Credential -ScriptBlock $ScriptBlock -ArgumentList $Query,$Database
$JobResult = Wait-Job $Job;
if ($JobResult.State -eq 'Completed') {
return (Receive-Job $Job).Result
}
throw [Exception]::new("Error occurred while executing sql as $($Credential.UserName) $([System.Environment]::NewLine)$($JobResult.ChildJobs[0].JobStateInfo.Reason)", $JobResult.ChildJobs[0].JobStateInfo.Reason)
}
}
Pros
- Works!
- Does not use WinRM
- Returns the exact result that
Invoke-Sqlcmdreturns - Returns errors
Cons
- Running PS jobs has a nasty overhead. Anywhere between 2-10 seconds. This might not be a big deal but it depends on how long the code you are executing will run.
- Doesn't respect
ErrorActionPreferenceand will always throw on error. Can be fixed if needed.
I am running in a locked down environment that does not have access to WinRM, and my tasks are long running so this suits my needs. If you want better performance then you could easily replace the job code with Runspaces, as long as you are happy to use WinRM.
answered 5 mins ago
elexiselexis
1012
New contributor
elexis is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
An alternative, I created a wrapper for Invoke-Sqlcmd for my libraries to use which makes use of Start-Job:
function Invoke-InternalSqlcmd {
[CmdletBinding()]
param (
[Parameter(Mandatory=$true)][string] $Query,
[Parameter(Mandatory=$true)][string] $Database,
[Parameter(Mandatory=$false)][System.Management.Automation.PSCredential] $Credential
)
if (-not $Credential) {
return Invoke-SqlCmd -Query $Query -Database $Database
}
else {
$ScriptBlock = {
param($Query,$Database)
$ErrorActionPreference = 'Stop';
return @{ Result = Invoke-SqlCmd -Query $Query -Database $Database }
}
$Job = Start-Job -Credential $Credential -ScriptBlock $ScriptBlock -ArgumentList $Query,$Database
$JobResult = Wait-Job $Job;
if ($JobResult.State -eq 'Completed') {
return (Receive-Job $Job).Result
}
throw [Exception]::new("Error occurred while executing sql as $($Credential.UserName) $([System.Environment]::NewLine)$($JobResult.ChildJobs[0].JobStateInfo.Reason)", $JobResult.ChildJobs[0].JobStateInfo.Reason)
}
}
Pros
- Works!
- Does not use WinRM
- Returns the exact result that
Invoke-Sqlcmdreturns - Returns errors
Cons
- Running PS jobs has a nasty overhead. Anywhere between 2-10 seconds. This might not be a big deal but it depends on how long the code you are executing will run.
- Doesn't respect
ErrorActionPreferenceand will always throw on error. Can be fixed if needed.
I am running in a locked down environment that does not have access to WinRM, and my tasks are long running so this suits my needs. If you want better performance then you could easily replace the job code with Runspaces, as long as you are happy to use WinRM.
answered 5 mins ago
elexiselexis
1012
New contributor
elexis is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 5 mins ago
elexiselexis
1012
New contributor
elexis is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 5 mins ago
elexiselexis
1012
answered 5 mins ago
elexiselexis
1012
1012
New contributor
elexis is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
elexis is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
elexis is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
Thanks for contributing an answer to Database Administrators Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdba.stackexchange.com%2fquestions%2f124891%2fusing-a-different-windows-account-for-invoke-sqlcmd%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
Check this answer for one possible way to use Impersonation to log onto a remote server.
– Max Vernon
Dec 30 '15 at 21:07
I use that method all the time to connect my SSMS on my local machine to my client's SQL Server. Great for "authenticating". Still relies on keeping a password in an encrypted file/store or in plain text somewhere if you want to use it in an automated fashion.
– Jonathan Fite
Dec 30 '15 at 21:12
I'll investigate that as well as a possible solution. Thank you.
– Dylan Bacon
Dec 30 '15 at 21:14
@DylanBacon, I wouldn't go down that route, if you are going to launch a new thread with a different domain credential you can already do that without using the NETONLY methods, it just adds complexity. I find it useful when I'm crossing domains that don't trust each other (as from my company laptop to a customer's SQL Server).
– Jonathan Fite
Dec 30 '15 at 21:17
1
FYI, this is the command. runas /user:DOMAINAccount /netonly "C:Program Files (x86)Microsoft SQL Server110ToolsBinnManagementStudiossms.exe" it then prompts for the password for the account you specified.
– Jonathan Fite
Dec 30 '15 at 21:21