We are using SSIS 2012 Project model and have project connection (manager) for all our packages, we create environment for dev, test and prod and created a variable "Connectionstring" inside each of them, the connection string is SQL Server authentication, so we have set the variable as sensitive to keep password hidden and then we configured the project connection manager to use the environment variable for the connection string. When we run the package we get the below error
"Unable to map an environment variable with the sensitive property set to True, to a parameter with the sensitive property set to False. Ensure that the property settings match"
I was unable to find a location where we can set the sensitive property for project connection manager, FYI when I uncheck the sensitive in the environment variable ,the packages run fine.
Am I missing something? I don't see a place where we can set the expression for project connection manger either, if that was the case at least I could have used the project parameters and set it to sensitive and configure the environment variable to load into the parameter and in turn use parameter in the expression for project connection string.
Use one environment variable for the connection string without the password, and create another environment variable for just the password and set it to Sensitive. Then map the password variable directly to the Password property in Connection Managers while configuring the project in SSMS (this doesn't require creating additional parameters).
The Password property is sensitive by design while the Connection String is not.
i was trying to parameterize the project connection but couldn't find it,but was able to figure it our later,posting answer so that some one else can find it like me, please "right click on project connection inside a package not directly under project connection managers and then click parameterize
So are you mapping the connection string to a project parameter? ( you would want to do this to take advantage on the configuration manger to change these parameters on the fly when you change the drop down for environment- Then set the project parameter variable to be sensitive and you should be good to go
Related
I'm configuring an SSIS solution in Visual Studio 2017 that sends data to an externally hosted SQL Server database and need to set the value in Connection Manager for that Destination Connection to Trust Server certificate = False. I also want to test the SSIS package against an internally hosted database but use Trust Server certificate = True for that Connection.
I have individually parameterized the database, user and password components of the connection string using the built-in options when you right click on the connection in Visual Studio and click parameterize, but there is no option in the drop down for Trust Server Certificate. Can I parameterise just that property without having to parameterize the whole connection string, so I can link it to an environment variable when executing the package from the Integration Services Catalog on the SQL Server?
I would suggest that you parameterize the whole connection string in pieces into parameters/variables and piece it together in a final variable and use an expression on the connection string to use the final variable.
I am using SQL authentication for a SSIS connection manager for one domain to another. In Visual Studio the connection is working when tested but password does not save. Running the package in VS is working but when creating a SQL job with the package, it fails to run with error
"Description: Failed to decrypt protected XML node "DTS:Password" with error 0x8009000B "Key not valid for use in specified state.
Please help. Thank you.
The wrong way to do this is to put your connection string with the user name and password in the Expressions property's Connection String expression. Then change the ProtectionLevel to Dont [sic] Save Sensitive.
While this works, it leaves your password as plain text in the dtsx file.
I believe one correct way to do this is to set the password for the connection string in the SQL Server Agent's New Job step window on the Data Sources tab.
Another way is to change the Protection level to Save with Password and then enter the password in the Job step's Configuration tab. Unfortunately, I don't use SSIS much anymore and haven't tested either of these methods.
https://learn.microsoft.com/en-us/sql/ssms/agent/job-step-properties-new-job-step-general-page?view=sql-server-2017
MS Forum
I deployed a package which stores db names and user roles of diffent servers. image
I set up the my source connection manager with specific username and pwd. But when i start the package then my connection manager always uses the windows authentication.
I get the username and pwd from table and store them in the variables. Here is my dynamic connection manager properties window: image
I want to connect my servers with each username and pwd of them. Thanks for helps.
You cant tell from the image but I believe you have Integrated Security=SSPI in your expression. If you look at the connection string property you can see it on the end. If you remove that it should use SQL login instead of Win Auth.
I have an SSIS package that has run for months daily with no problem. Suddenly it is failing every day with the error above. No changes to the package or the stored procs it runs have been pushed, to my knowledge, no changes to the database environment have been made including permissions for the service account that owns the job.
This is a SQL Server 2008 package that connects to a SQL server 2008 R2 database. The configuration is through the ssisconfig table and it defines which server to use through an environment variable.
The component in question is using a stored proc. In the proc, all fields are explicitly cast to the same data type of the table the data is being staged too. The proc runs fine by itself. It is a relatively complex proc that has two table variables and a CTE.
I can't run it from my local on prod and dev is not failing. If I open the prod SSIS package while I am set to the environment variable that the job owner uses, I do not get a validation error on this component. ValidateExternalMetadata is set to true for this component. For the entire package though, Delay Validation is set to True. I do get a validation error that would be expected on a task using a variable that is set dynamically in an earlier task. This error, however, is many, many steps later than the step it is currently failing on.
Usually in the past when we have had this sort of unspecific error, I have been easily able to see the problem with the data that caused the sudden failure. But none of the data in the proc result set is even close to being incorrect for the datatypes defined for staging table for that field. None of the required fields are missing data either.
I am out of ideas for what else to look at. If the environment didn't change, the actual code didn't change and the data looks correct, what is left to try?
As I have commented for details error, you can try below link from Microsoft:
Debug SSIS Package while calling from Agent
Some info from link:
Reasons that the package may have failed are as follows:
The user account that is used to run the package under SQL Server Agent differs from the original package author.
The user account does not have the required permissions to make connections or to access resources outside the SSIS package.
The package may not run in the following scenarios:
The current user cannot decrypt secrets from the package. This scenario can occur if the current account or the execution account
differs from the original package author, and the package's
ProtectionLevel property setting does not let the current user
decrypt secrets in the package.
A SQL Server connection that uses integrated security fails because the current user does not have the required permissions.
File access fails because the current user does not have the required permissions to write to the file share that the connection
manager accesses. For example, this scenario can occur with text
log providers that do not use a login and a password. This scenario
can also occur with any task that depends on the file connection
manager, such as a SSIS file system task.
A registry-based SSIS package configuration uses the HKEY_CURRENT_USER registry keys. The HKEY_CURRENT_USER registry keys
are user-specific.
A task or a connection manager requires that the current user account has correct permissions.
Method 1: Use a SQL Server Agent proxy account Create a SQL Server Agent proxy account. This proxy account must use a credential that
lets SQL Server Agent run the job as the account that created the
package or as an account that has the required permissions.
This method works to decrypt secrets and satisfies the key
requirements by user. However, this method may have limited success
because the SSIS package user keys involve the current user and the
current computer. Therefore, if you move the package to another
computer, this method may still fail, even if the job step uses the
correct proxy account.
Method 2: Set the SSIS Package ProtectionLevel property to ServerStorage Change the SSIS Package ProtectionLevel property to
ServerStorage. This setting stores the package in a SQL Server
database and allows for access control through SQL Server database
roles.
Method 3: Set the SSIS Package ProtectionLevel property to EncryptSensitiveWithPassword Change the SSIS Package ProtectionLevel
property to EncryptSensitiveWithPassword. This setting uses a password
for encryption. You can then modify the SQL Server Agent job step
command line to include this password.
Method 4: Use SSIS Package configuration files Use SSIS Package configuration files to store sensitive information, and then store
these configuration files in a secured folder. You can then change the
ProtectionLevel property to DontSaveSensitive so that the package is
not encrypted and does not try to save secrets to the package. When
you run the SSIS package, the required information is loaded from the
configuration file. Make sure that the configuration files are
adequately protected if they contain sensitive information.
Method 5: Create a package template For a long-term resolution, create a package template that uses a protection level that differs
from the default setting. This problem will not occur in future
packages.
Above link will help you through logging and other possible scenarios of failure of your package from SQL Agent. I suspect that your user of Agent has been corrupted. But that is an assumption. You first enable the logging of SSIS by following link :
Enable SSIS Package Logging
Some info from link
To set the logging level for a package by using the Execute Package
dialog box
In SQL Server Management Studio, navigate to the package in Object Explorer.
Right-click the package and select Execute.
Select the Advanced tab in the Execute Package dialog box.
Under Logging level, select the logging level. See the table below for a description of available values.
Complete any other package configurations, then click OK to run the package.
Hope this will help you in the first place. If not please let me know.
I have many packages that are using the package configuration with the following way:
-ALL Packages have the XML configuration file that has only one proporty defined. The ConnectionString of the SQL Server connection that holds the configuration table for the rest of the properties
-A SEPARATE SQL Server package configuration for each connection manager in the package.
-Finally i have an SQL Server configuration for all the properties that are specific to this package.
I attach a pic of what i mean:
Yellow is the XML config with the connectionstring, Blue the connectionamangers and purple the package specific.
So with this setup i can:
Change the xml file location and just point all the setup in another sql server or another database.
Or create different configuration filters in the same config table and try to go into the package and change the filter.
With all the above the problem is that if i do anything from within VS, i am loosing the password in the connectionstring because i am not using the encrypt property. And i dont want to use it...
What are my options? Just go in .dtsx with notepad and chage what i want BEFORE i open the package or before i deploy?
-I dont want to use EncryptSensitiveWithPassword, so:
When i go to package configuration and try to change the ConfoigurationFilter to point to another setting then i am getting to the screen to select the property (connectionstring) and when i finish the DATABASE record for the setting is cleared from the Password= that i have put previously.
So i short what i want:
-No EncryptSensitiveWithPassword in my packages.
-Being able to change configuration from within VS WITHOUT resetting the connectionstring string.
The recommended way for setting this up would be to store the file location of the dtsconfig file in an environment variable. Then change the dtsconfig to use the environment variable rather than a hardcoded location.
So the nuances of that scenario are this:
The password gets blanked out when you resave the xml file (as you pointed out in your question). This is what it is, and it is one of the reasons I never use them.
A process (devenv.exe) will cache the values of the environment variables on start up. This means you need to restart visual studio if you make a change to the value of the environment variable.
The same issue above applies to the integration services service. This will need to be restarted after you add environment variables. Or when you run your packages, the values will not be found.
The idea is that your dev machine points to a dev instance. Then as you migrate the packages to new environments - QA, Prod, each server has it's own environment variable pointing to its respective dtsconfig file.
As a side note, a similar pattern which avoids the password obliteration would be to add a sql connection manager which points to the server which will load the rest of the configurations. Then set the connection string of this connection manager with an environment variable. The advantage is that you don't have to go copying config files around. This works best with integrated security so you are not storing credentials in an environment config. If you want to be more cryptic about it, you could use a registry entry.