xp_cmdshell user is not listing newly created user “CustomUserX”

Question

I am trying to execute a powershell script from within an AFTER UPDATE SQL TRIGGER. From a component perspective the UPDATE and powershell cmd appear to function properly. However, the TRIGGER script as a whole fails at the point of executing the powershell script.

I recently discovered that to execute xp_cmdshell, it needs a user proxied to a windows account. Makes sense as anything executed outside of the SQL space needs a windows account to do so.

I then proceeded (after some research) to create the proxy user using the steps as follows

/* Enable xp_cmdshell */
EXEC sp_configure 'show advanced options', 1;  
GO  
RECONFIGURE;  
GO  
EXEC sp_configure 'xp_cmdshell', 1
RECONFIGURE
GO

/* Target DB */
USE master

/* Created a custom user with pwd */
CREATE LOGIN CustomUserX WITH PASSWORD = 'strong_password'

/* Created a user from the login */
CREATE USER CustomUserX FROM LOGIN CustomUserX

/* Granted execute for CustomUserX */
GRANT EXECUTE ON xp_cmdshell TO CustomUserX

/* Created proxy user using local machine account and pwd */
EXEC sp_xp_cmdshell_proxy_account 'LOCALMACHINENAME\WinsAccount','pwd'

/* Execute as login CustomUserX */
EXECUTE AS login = 'CustomUserX'

/* Ran simply listing of contents of drive E:/ */
EXEC xp_cmdshell 'DIR E:\*.*'
REVERT

When I tried to execute the script from with the trigger, the trigger failed with.

SQL Server Database Error: The server principal "CustomUserX" is not able to access the database "AnotherDB1" under the current security context.

I ran exec ex_cmdshell 'echo %username% only to discover the "CustomUserX" account is not listed (only SQL$.., and NULL).

The above proxy scripts were executed for the master table as suggested. Would I need to do the same thing under the db instance ("AnotherDB1") as well?

Answer 1

you need to grant the user to use the database

https://docs.microsoft.com/en-us/sql/t-sql/statements/grant-database-permissions-transact-sql