SSIS: package write file to network share - Call Package (RDP vs Remote)

I have an SSIS package that writes a .TXT data file to a folder. I tested this on my local machine: the SSIS package successfully writes (to my C Drive-- C:\\myPath).

Then deployed to the server: the package fails to write (to network fileshare-- \\myDomain\\Folder1\\Folder2).

My user account has access to the folder. From the server, I have tried executing the package two different ways:

1) Remote connection from my computer with my user credentials, via SSMS (package fails to write the file). Remote session execution on my PC is not working.

2) RDP with Remote Desktop Connection to MYSERVER with my user credentials, via SSMS (package writes the file successfully). I am able to run it from the RDP session on MYSERVER and the file was written successfully.

In summary: The package works, but it doesn't work. One of our network administrators added MYSERVER to have access to the folder-- which could be the reason why I can execute it from RDP session.

The exact error message is "Cannot open the data file".

My question:

A) Does anyone know why the package fails when I execute it with the same user account in two different ways (Local Connection vs. Server RDP)?

B) Does anyone have a recommendation on how I grant access for user to call the package themselves? The package has two input parameters (with default values) for the user to enter.

_ _

Message from my network administrator:

Your id is in the proper group to access the share and I even see numerous updates to the folder from your ID and yet I also find this.

Log Name:      Microsoft-Windows-SMBServer/Security
Source:        Microsoft-Windows-SMBServer
Date:          6/12/2018 9:01:21 AM
Event ID:      1006
Task Category: (1006)
Level:         Error
Keywords:      Audit Failure,(8)
User:          SYSTEM
Computer:      mySERVER.myDOMAIN
Description:
The share denied access to the client.
Client Name: \\10.26.151.96
Client Address: 10.26.151.96:57626
User Name: myDOMAIN\myUser
Session ID: 0x16C029C000581
Share Name: \\*\DIXFDev
Share Path: \??\D:\Shares\DIXFDev
Status: {Access Denied}
A process has requested access to an object, but has not been granted those access rights. (0xC0000022)
Mapped Access: 0x80080
Granted Access: 0x0
Security Descriptor: 0x0100048058000000680000000000000014000000020044000200000000031800FF011F000102000000000005200000002002000000002400BF011300010500000000000515000000007B755294545B7AB2192C25066D000001020000000000052000000020020000010500000000000515000000007B755294545B7AB2192C2500020000
Guidance:
You should expect access denied errors when a principal accesses a share without the necessary permissions. Usually, this indicates that the principal does not have direct security permissions or lacks membership in a group that has direct access permissions. To determine and correct the permissions on the specified share, an administrator can use the Security tab in File Explorer Properties dialog, the SMBSHARE Windows PowerShell module, or the NET SHARE command. You can also use the Effective Access tab in File Explorer to help diagnose the issue.
Applications may generate access denied errors if they attempt to open files in a writable mode first, and then reopen the files in a read-only mode. In this case, no user action is required.
If access to the share is denied and this event is not logged, you can examine the file and folder NTFS/REFS permissions.
This error does not indicate a problem with authentication, only authorization.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-SMBServer" Guid="{D48CE617-33A2-4BC3-A5C7-11AA4F29619E}" />
    <EventID>1006</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>1006</Task>
    <Opcode>0</Opcode>
    <Keywords>0x810000000000008</Keywords>
    <TimeCreated SystemTime="2018-06-12T14:01:21.342045500Z" />
    <EventRecordID>357496420</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="2680" />
    <Channel>Microsoft-Windows-SMBServer/Security</Channel>
    <Computer>mySERVER.myDOMAIN</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <UserData>
    <EventData xmlns="Smb2Namespace">
      <ShareNameLength>11</ShareNameLength>
      <ShareName>\\*\DIXFDev</ShareName>
      <SharePathLength>21</SharePathLength>
      <SharePath>\??\D:\Shares\DIXFDev</SharePath>
      <ClientAddressLength>128</ClientAddressLength>
      <ClientAddress>0200E11A0A1A976000000000000000000000FFFF0A1A97600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000</ClientAddress>
      <UserNameLength>14</UserNameLength>
      <UserName>myDOMAIN\bl0040</UserName>
      <ClientNameLength>14</ClientNameLength>
      <ClientName>\\10.26.151.96</ClientName>
      <MappedAccess>0x80080</MappedAccess>
      <GrantedAccess>0x0</GrantedAccess>
      <ShareSecurityDescriptorLength>132</ShareSecurityDescriptorLength>
      <ShareSecurityDescriptor>0100048058000000680000000000000014000000020044000200000000031800FF011F000102000000000005200000002002000000002400BF011300010500000000000515000000007B755294545B7AB2192C25066D000001020000000000052000000020020000010500000000000515000000007B755294545B7AB2192C2500020000</ShareSecurityDescriptor>
      <Status>0xc0000022</Status>
      <TranslatedStatus>0xc0000022</TranslatedStatus>
      <SessionID>0x16c029c000581</SessionID>
    </EventData>
  </UserData>
</Event>

Script created from SSMS RDP session with parameter values:

DECLARE @execution_id bigint
EXEC [SSISDB].[catalog].[create_execution] @package_name=N'FYE AP AuditFile_rep238.dtsx', @execution_id=@execution_id OUTPUT, @folder_name=N'IsolatedPackages', @project_name=N'FYE AP AuditFile_rep238', @use32bitruntime=False, @reference_id=56
SELECT @execution_id
DECLARE @var0 sql_variant = N'\\MYSERVER\folder1\folder2\SSISPackages\FYEAPAuditFile\audit-file-ap_ax-export_REP238_piped.txt'
EXEC [SSISDB].[catalog].[set_execution_parameter_value] @execution_id, @object_type=30, @parameter_name=N'paramFilePath', @parameter_value=@var0
DECLARE @var1 sql_variant = N'2017'
EXEC [SSISDB].[catalog].[set_execution_parameter_value] @execution_id, @object_type=30, @parameter_name=N'paramYear', @parameter_value=@var1
DECLARE @var2 SMALLINT = 1
EXEC [SSISDB].[catalog].[set_execution_parameter_value] @execution_id, @object_type=50, @parameter_name=N'LOGGING_LEVEL', @parameter_value=@var2
EXEC [SSISDB].[catalog].[start_execution] @execution_id
GO

SSMS image of calling package:

In both cases, you connect to SQL Server using your user account, which was authenticated by a domain controller when you were logging on to

  1. Your client computer
  2. The server running SQL Server and SSIS

In the second case (RDP), that's like you on the server accessing the file share. In the first case (remote SSMS), you on your client computer are asking a remote SQL Server to access the file share using your security context. This is called Active Directory Delegation (or "Kerberos Delegation") and needs to be configured. Ask your Domain Admins to create SPNs for SQL Server (or its service account) and the file server (both only if not already present). Then they have to configure (allow) Delegation from the SQL Server (or its Service account) to the file server (for example using "Active Directory Users and Computers"). This will allow SQL Server on the remote computer to communicate with a Domain Controller in order to request a service ticket (that is Kerberos speak) for the file server on behalf of you (or anyone else that is connected). That service ticket is then presented to the "SMB Server" service on the file server to check your file share and NTFS permissions.

PS: If you plan to execute the package with a SQL Server Agent job using the credentials of SQL Server Agent, you don't need all that delegation. Just set up the job, it can be started also from your remote SSMS session without any problem, provided that SQL Server Agent has the respective access to the file share.
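The delegation prerequisites described in the answer above can be checked read-only with the ActiveDirectory PowerShell module. This is an added example, not part of the original answer; the account and host names are placeholders, and it assumes SQL Server runs under a domain user service account.

```powershell
# Added example: read-only audit of the delegation prerequisites from the answer.
# All names are placeholders (assumptions), not values from the original post.
Import-Module ActiveDirectory

$SqlServiceAccount = 'svc-sqlserver'           # hypothetical domain account running SQL Server
$SqlHostFqdn       = 'sqlhost.example.com'     # hypothetical SQL Server / SSIS host
$FileServerFqdn    = 'fileserver.example.com'  # hypothetical host of the file share
$CallingUser       = 'someuser'                # hypothetical user who starts the package

function Get-DelegationReport {
    param(
        [Parameter(Mandatory)][string]$ServiceAccount,
        [Parameter(Mandatory)][string]$SqlFqdn,
        [Parameter(Mandatory)][string]$FileFqdn,
        [Parameter(Mandatory)][string]$Caller
    )
    $svc = Get-ADUser -Identity $ServiceAccount -Properties ServicePrincipalName,
        TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
    $usr = Get-ADUser -Identity $Caller -Properties AccountNotDelegated

    $spns    = @($svc.ServicePrincipalName)
    $targets = @($svc.'msDS-AllowedToDelegateTo')

    [pscustomobject]@{
        ServiceAccount         = $svc.SamAccountName
        # Without an MSSQLSvc SPN the client cannot get a Kerberos ticket for SQL Server
        # and falls back to NTLM, which cannot be delegated to a second hop.
        HasSqlSpn              = [bool]($spns -like "MSSQLSvc/$SqlFqdn*")
        # Constrained delegation: only the listed services may be reached on the user's behalf.
        DelegatesToFileShare   = [bool]($targets -like "cifs/$FileFqdn*")
        AllowedTargets         = $targets -join ', '
        # Unconstrained delegation also works but lets the service act as the user anywhere.
        Unconstrained          = [bool]$svc.TrustedForDelegation
        ProtocolTransition     = [bool]$svc.TrustedToAuthForDelegation
        # "Account is sensitive and cannot be delegated" blocks the second hop for this user.
        CallerBlocksDelegation = [bool]$usr.AccountNotDelegated
    }
}

$report = Get-DelegationReport -ServiceAccount $SqlServiceAccount -SqlFqdn $SqlHostFqdn `
    -FileFqdn $FileServerFqdn -Caller $CallingUser
$report | Format-List
if ($report.Unconstrained) {
    Write-Warning 'Unconstrained delegation is enabled; prefer constrained delegation to cifs only.'
}
$canDelegate = $report.DelegatesToFileShare -or $report.Unconstrained
if (-not ($report.HasSqlSpn -and $canDelegate) -or $report.CallerBlocksDelegation) {
    Write-Warning 'Prerequisites incomplete: remote execution will not reach the share as the user.'
}
```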
