We are creating SSIS packages for our data feeds. Our connection manager has our individual usernames and passwords. Is there a way we can create environmental variables?
Also when we deploy our packages to dev or test or prod environments, do we need service accounts?
Yes, you can protect credentials.
Create Parameter variable and then select sensitive. This will block out the credential with astericks '*'
Set both the project and package Protection Level as either EncryptSensitiveWithPassord, or EncryptSensitiveWithUserKey. Note: failure to set both will result in a compiler failure that says the consistency check of the Protection Level failed - this is required.
Deploy the package to the server. Note: if the package is encrypted then anyone else who tries to open the package will be unable to do so. This is an important point for deployment purposes. It's not a big deal if you are handing off the *.ispac file, but if your company deploys via the DBA opening the solution and deploying from there then they will be unable to do so. I think you can do this if you EncryptWithPassword and then share the password, but EncryptWithUserKey will not work.
Set the Environment variable value on the server and then mark it as sensitive as well.
I don't recommend storing user credentials in protected parameters, but SSIS has been designed with this in mind if necessary. I much prefer doing everything through Windows Authentication and I highly recommend you to do the same if that is available to you.
Regarding service accounts. Yes, you can use those. In fact, it is highly recommended that all production deployments use service accounts where the concept of least privilege is implemented. So, the service account should only be granted the bare minimum level of privileges necessary. Said differently: DO NOT GRANT THE SERVICE ACCOUNT ADMINISTRATOR PRIVILEGES. This means specifying each individual privilege on each object. For example, SELECT only on dimension tables and SELECT/INSERT/UPDATE/DELETE on fact tables.
The best way for determining what privileges to grant is to go through the package and identify all tables that are touched as well as the command that is used when touching them. So, you will need to look at the following: Execute SQL task, OLE DB Source, OLE DB Destination, OLE DB Command, Lookup, etc.
Let me begin by saying, I am aware of this thread and others around the web that seek to trouble shoot this issue.
The solutions posted there do not apply to my issue. I have spent 5 hours trying to resolve this before deciding to ask the question.
The problem:
When I attempt to log into SSMS (or connect from a java application) using SQL Authentication I get this error:
A connection was successfully established with the server, but then an
error occurred during the login process. (provider: Shared Memory
Provider, error: 0 - No process is on the other end of the pipe.)
(Microsoft SQL Server, Error: 233)
Although it does work, it is not an option for me to use integreated authentication.
The database I am attempting to connect to is on the same machine as my SSMS instance. There is no network, this is a stand-alone system.
NAMED PIPES is ENABLED in my configuration, I HAVE rebooted since, TCP IP is a higher priority than named pipes in my configuration.
I have even gone as far as to uninstall SQL Server and reinstall it, to no avail.
The details of my SQL Server instance are as follows:
Microsoft SQL Server Management Studio - 10.0.2531.0
Microsoft Analysis Services Client Tools - 10.0.1600.22
Microsoft Data Access Components (MDAC) - 6.1.7601.17514
Microsoft MSXML - 3.0 5.0 6.0
Microsoft Internet Explorer - 9.0.8112.16421
Microsoft .NET Framework - 2.0.50727.5466
Operating System - 6.1.7601
Configuration details are as follows:
http://i45.tinypic.com/vxdz7c.png
http://i45.tinypic.com/vxdz7c.jpg
I connect from java using this code.
Class.forName("com.microsoft.sqlserver.jdbc.SQLServerDriver");
String connectionUrl = "jdbc:sqlserver://localhost;database=AdventureWorks;integratedSecurity=false;User=JIMBO; Password=JIMBO;";
Connection con = DriverManager.getConnection(connectionUrl);
But please remember, this error also occurs when I atttempt to log in to SSMS directly.
Thanks in advance.
-Jim
To force TCP/IP being used replace localhost with 127.0.0.1 in your connection string.
As you are using a username and password make sure SQL authentication is enabled. By default only Windows integrated is enabled on sqlserver 2008.
With SqlServer authentication keep in mind that a password policy is in place to enforce security.
Forcing the TCP/IP connection (by providing 127.0.0.1 instead of localhost or .) can reveal the real reason for the error. In my case, the database name specified in connection string was incorrect.
So, here is the checklist so far:
Make sure Named Pipe is enabled in configuration manager (don't forget to restart the server).
Make sure SQL Server Authentication (or Mixed Mode) is enabled.
Make sure your user name and password are correct.
Make sure the database you are connecting to exists.
My resolution was to login using the Windows Login then go to security>Logins locate the troubled ID And retype the used password. The restart the services...
Adding "user instance=False" to connection string solved the problem for me.
<connectionStrings>
<add name="NorthwindEntities" connectionString="metadata=res://*/Models.Northwind.csdl|res://*/Models.Northwind.ssdl|res://*/Models.Northwind.msl;provider=System.Data.SqlClient;provider connection string="data source=.\SQLEXPRESS2008R2;attachdbfilename=|DataDirectory|\Northwind.mdf;integrated security=True;user instance=False;multipleactiveresultsets=True;App=EntityFramework"" providerName="System.Data.EntityClient" />
</connectionStrings>
This problem was caused for me by this error which appeared just prior in the application error log.
"A read operation on a large object failed while sending data to the client. A common cause for this is if the application is running in READ UNCOMMITTED isolation level. This connection will be terminated."
I was storing PDFs in a SQL table and when attempting to SELECT from that table it spit out that error, which resulted in the error mentioned in your question.
The solution was to delete the columns that had large amounts of text, in my case Base64 encoded files.
perhaps this comes too late, but still it could be nice to "document it" for others out there.
I received the same error after experimenting and testing with Remote Desktop Services on a MS Server 2012 with MS SQL Server 2012.
During the Remote Desktop Services install one is asked to create a (local) certificate, and so I did. After finishing the test/experiments I removed the Remote Desktop Services. That's when this error appeared (I cannot say whether the error occured during the test with RDS, I don't remember if I used/tried the SQL Connection during the RDS test).
I am not sure how to solve this since the default certificate does not work for me, but the "RDS" certificate does.
BTW, the certificates are found in App: "SQL Server Configuration Manager" -> "SQL Server Network Configuration" -> Right click: "Protocols for " -> Select "Properties" -> Tab "Certificate"
My default SQL Certificate is named: ConfigMgr SQL Server Identification Certificate, has expiration date: 2114-06-09.
Hope this can give a hint to others.
/Kim
For me it was because only Windows Authentication was enabled. To change security authentication mode. In SQL Server Management Studio Object Explorer, right-click the server, and then click Properties. On the Security page, under Server authentication, select the new server authentication mode, and then click OK.
Change Server Authentication Mode - MSDN - Microsoft
https://msdn.microsoft.com/en-AU/library/ms188670.aspx
This Might help as reference
I had the same issue, after multiple trial of suggested solution on this site and others, I found a solution for my scenario. The account was locked out
How to Check if the account is Locked out...
Login to the server using higher privileged account (like SA or admin rights)
Expand security ==> select the login name ==>open the property window of the login ==> select the status page on the property window
Make sure This 3 Things
1, permission to connect database is GRANTED
2, Login is ENABLED
3, Status
SQL server authentication
Login is not locked out (Uncheck the box)
Thanks
Tsige
I just executed connection.close() by adding it as first statement and it was solved. Then i removed the line.
One follow up to this. I had installed SQL Server 2014 with only Windows Authentication. After enabling Mixed Mode, I couldn't log in with a SQL user and got the same error message as the original poster. I verified that named pipes were enabled but still couldn't log in after several restarts. Using 127.0.0.1 instead of the hostname allowed me to log in, but interestingly, required a password reset prompt on first login:
Once I reset the password the account worked. What's odd, is I specifically disabled password policy and expiration.
Another cause is if the user's default database is unavailable.
I had an account that was used for backing up two databases. When the backup user's default database was taken off-line, the "no process on the other end of the pipe" error started.
Came here looking for a solution to a similar issue, which I just introduced by changing Schannel settings of our IIS server using "IIS Crypto" by Nartac... By disabling the SHA-1 hash, the local SQL Server was not able to be reached anymore, even though I didn't use an encrypted connection (not useful for an ASP.Net site accessing a local SQL Express instance using shared memory).
Thanks Count Zero for pointing me in the right direction :-)
So, lesson learned: do not disable SHA-1 on your IIS server if you have a local SQL Server instance.
For me the issue seems to have been caused by power failure. Restarting the server computer solved it.
I am installing TFS2010. There is a separate Application Tier server and Database Tier server. I am using an already existing database, called Tfs_Configuration. When entering the database name/instance name I am able to test it and obtain the green check-mark so TFS can find the database. The version of SQL server I am connecting to is - SQL Server 2008 SP3. But when I run the readiness tests I get the following messages-
First are those two warning causing the error?
Also, I have db_owner rights to the existing database (Tfs_Configuration) that I am connecting to. What other rights do I need? And what can I do to resolve these issues?
The first error suggests you need the sysadmin role which is in fact a SQL Server role which can be enabled by doing the following:http://blog.sqlauthority.com/2008/12/27/sql-server-add-any-user-to-sysadmin-role-add-users-to-system-roles/
Hope that moves you past at least one error.
You need to be Sysadmin of the SQL instance or a role that is able to create new databases, because the installer wants to create an additional database for the DefaultCollection (and the TFS_Warehouse, TFS_Analysis). Therefore it is not enough to be the owner of TFS_Configuration.
I'm trying to get my Classic ASP application (works great on Server 2003/IIS 6) working on IIS 7.
I've done a zillion things recommended and finally got it actually pulling up the ASP front page that reads from a database.
But when I try to write to the database, I get errors. "Microsoft JET Database Engine error '80004005' Operation must use an updateable query."
Note: In the application pool for this classic ASP site I created an identity of "app_pool_casemodo" and then gave [website folders], [database folder], windows\temp, inetpub\temp, and windows\serviceprofiles\networkservice\AppData\Local\Temp all modify permissions for that user.
I installed Microsoft's Process Monitor and it is telling me there is an issue with a user account "app_pool_casemodo" having sufficient read/write permissions in relation with this registry key: HKLM\SOFTWARE\Wow6432Node\Microsoft\Jet\4.0\Engines. So I used regedit and browsed to that key and made sure that account had plenty of permissions.
Tried using DSN and tried using just file pointing ODBC string and both exhibit read but no write issue.
Image of process monitor screen attached.
Please help. I've been banging my head for many days on this stuff. Feeling like I'm super close to a solution.
The user IUSR_< MACHINENAME > has permission over the access file?
I am working on an application which bulk-loads data into a SQL Server 2008 database. It writes a CSV file to a network share then calls a stored procedure which contains a BULK INSERT command.
I'm migrating the application to what amounts to a completely new network. In this new world bulk insertion fails with this error:
Msg 4861, Level 16, State 1, Line 1
Cannot bulk load because the file "\\myserver\share\subfolder\filename" could not be opened. Operating system error code 5(failed to retrieve text for this error. Reason: 15105).
I connect to the database using Windows Authentication, using the same account which wrote the file. The file, and the folder in which it resides, grant read and modify rights both to my user account and the database server's domain service account. That service account apparently has constrained delegation permitted, which is mentioned on MSDN. Still no good. If I connect using a SQL Server account then bulk insertion succeeds, but we are trying to stick exclusively to Windows Authentication.
Does anybody have a handle on what needs to be done to make this work? How exactly does SQL Server go about accessing data on network shares, hopping between its service account and that of the connected user? I know that I can bulk insert in a similar situation in our current infrastructure, but it is so crufty with age that it would be hard to track down what has been done to enable this in the past.
Recently we had this issue for a number of our Devs. I've come up with a number of ways to allow testing of bulk inserts.
Our preference was to use a SQL service account. We set the SQL server and SQL agent to run as a service account and then allowed the devs to trigger agent jobs. The service account was granted permission to the UNC shares and this all functioned correctly. Note that the service account will always been fine running these agent jobs (assuming UNC permissions are set). It's the Devs trying to test that will come across these issues.
Another method is to create a share on the SQL server itself and point the bulk insert path at the local directory. These errors seem to only occur when accessing UNC paths. Regardless of whether the UNC path has the correct permissions to allow you access. For example we create C:\test\ as a folder on the SQL server itself and permission it to allow a dev to drop test files there. These are then called via the bulk insert command.
A command may need to be run against master to allow a SQL login group permission to bulk insert. This is as below.
GRANT ADMINISTER BULK OPERATIONS TO "domain\usergroup"
Adam Saxton's blog (about Kerberos and bulk inserts from a share) should be read: http://blogs.msdn.com/b/psssql/archive/2012/09/07/bulk-insert-and-kerberos.aspx. Adam offers two approaches:
Enable constrained delegation for the machine (as opposed to the sqlservr.exe startup) account, or use a SQL Server login. Adam mentions two other approaches (which he does not recommend).
An aside, the latter half of the OP's message "(failed to retrieve text for this error. Reason: 15105)" may be related to a SQL Server startup account lacking rights documented within SQL Server's "Configure Windows Service Accounts and Permissions" topic, such as SeAssignPrimaryTokenPrivilege.
Did you ever resolve this issue? I recently had a similar problem and discovered that the best way to resolve it was to use a SQL login.
Initially, having read the notes here I thought if I just granted read permissions to the Windows account with which I was connecting to the SQL Server that would be okay, but even when I granted read access to Everyone, I still couldn't read in the file.
I believe the reason is something to do with SQL Server impersonating the windows user and attempting to access the UNC share, which is delegation and which is not allowed unless explicitly enabled. There are some notes here which may help. This is the constrained delegation of which you speak and I couldn't get it to work either!
Bottom Line: I just used a SQL Login and made sure the SQL Server Process account had read permissions on the share (by granting read to Everyone in my case) and it worked.
In order to bulk insert with AD users, the SQL service it self has to be running as a domain user and has to have the AD permission to be able to delegate authentication. Same if you wanted to run linked servers with ad users. Here is the link for AD and linked servers, but the permission are the same.
Linked Servers and Active Directory
The server must have an SPN registered by the domain administrator.
The account under which SQL Server is running must be trusted for delegation.
The server must be using TCP/IP or named pipes network connectivity.