I am trying to execute a PowerShell script from within an AFTER UPDATE SQL TRIGGER. From a component perspective the UPDATE and PowerShell cmd appear to function properly. However, the TRIGGER script as a whole fails at the point of executing the PowerShell script.
I recently discovered that to execute xp_cmdshell, it needs a user proxied to a Windows account. Makes sense, as anything executed outside of the SQL space needs a Windows account to do so.
I then proceeded (after some research) to create the proxy user using the following steps:
/* Enable xp_cmdshell */
EXEC sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
EXEC sp_configure 'xp_cmdshell', 1
RECONFIGURE
GO
/* Target DB */
USE master
/* Created a custom user with pwd */
CREATE LOGIN CustomUserX WITH PASSWORD = 'strong_password'
/* Created a user from the login */
CREATE USER CustomUserX FROM LOGIN CustomUserX
/* Granted execute for CustomUserX */
GRANT EXECUTE ON xp_cmdshell TO CustomUserX
/* Created proxy user using local machine account and pwd */
EXEC sp_xp_cmdshell_proxy_account 'LOCALMACHINENAME\WinsAccount','pwd'
/* Execute as login CustomUserX */
EXECUTE AS login = 'CustomUserX'
/* Ran simply listing of contents of drive E:/ */
EXEC xp_cmdshell 'DIR E:\*.*'
REVERT
When I tried to execute the script from within the trigger, the trigger failed with:
SQL Server Database Error: The server principal "CustomUserX" is not able to access the database "AnotherDB1" under the current security context.
I ran EXEC xp_cmdshell 'echo %username%'
only to discover the "CustomUserX" account is not listed (only SQL$.., and NULL).
The above proxy scripts were executed for the master table as suggested. Would I need to do the same thing under the db instance ("AnotherDB1") as well?
You need to grant the user permission to use the database.
https://docs.microsoft.com/en-us/sql/t-sql/statements/grant-database-permissions-transact-sql
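One way to apply the answer above, as an added example that is not part of the original question or answer: map the login to a user inside the database the trigger lives in, then check the mapping and the identity xp_cmdshell actually runs under. It assumes the names CustomUserX and AnotherDB1 from the question and that the script is run by a sysadmin or by db_owner of AnotherDB1.

```sql
/* Added example; CustomUserX and AnotherDB1 are the names used in the question. */
USE AnotherDB1;
GO

/* A login is a server-level principal. It can enter a database only through
   a database user mapped to it, so create that mapping if it is missing. */
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CustomUserX')
    CREATE USER CustomUserX FOR LOGIN CustomUserX;
GO

/* CREATE USER already implies CONNECT; stating it keeps the grant explicit.
   Grant nothing broader here: any object the trigger touches while
   impersonating needs its own narrowly scoped GRANT. */
GRANT CONNECT TO CustomUserX;
GO

/* Confirm the database user is bound to the server login by SID. */
SELECT dp.name AS database_user,
       sp.name AS server_login
FROM sys.database_principals AS dp
JOIN sys.server_principals  AS sp ON sp.sid = dp.sid
WHERE sp.name = N'CustomUserX';
GO

/* Impersonate the login the way the trigger does and inspect the context.
   HAS_DBACCESS returns 1 when the login can enter the named database. */
EXECUTE AS LOGIN = N'CustomUserX';

SELECT HAS_DBACCESS(N'AnotherDB1') AS can_access_db,
       SUSER_SNAME()               AS login_context,
       USER_NAME()                 AS database_user_context;

/* For a caller that is not a sysadmin, xp_cmdshell runs the command as the
   Windows account set with sp_xp_cmdshell_proxy_account; for a sysadmin it
   runs as the SQL Server service account. whoami shows which one applied. */
EXEC xp_cmdshell 'whoami';

REVERT;
GO
```

The Windows identity reported by `whoami` is never the SQL login name itself, so the proxy account is the one whose file system and network rights need to be kept minimal.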