SSIS：将文件写入网络共享包-调用程序包（RDP与远程）

Question

我有一个SSIS包，可将.TXT数据文件写入文件夹。 我在本地计算机上对此进行了测试：SSIS包已成功写入（到我的C盘-C：\\ myPath）。

然后部署到服务器：程序包无法写入（到网络文件共享-\\ myDomain \\ Folder1 \\ Folder2）。

我的用户帐户有权访问该文件夹。 从服务器，我尝试了两种不同的方式执行程序包：

1）通过SSMS使用我的用户凭据从我的计算机进行远程连接（程序包无法写入文件）。 Remote session execution on my PC is not working.

2）具有通过我的用户凭据通过SSMS与MYSERVER进行远程桌面连接的RDP（程序包成功写入了文件）。 I am able to run it from the RDP session on MYSERVER and the file was written succesfully.

总结：该程序包有效，但无效。 我们的一位网络管理员添加了MYSERVER来访问该文件夹-这可能是我可以从RDP会话执行它的原因。

确切的错误消息是“无法打开数据文件”：

我的问题：

A）有谁知道为什么当我使用相同的用户帐户以两种不同方式（本地连接与服务器RDP）执行该程序包时该程序包失败？

B）是否有人对我如何授予用户自己调用程序包的访问权限有建议？ 程序包有两个输入参数（具有默认值）供用户输入。

_

来自我的网络管理员的消息：

Your id is in the proper group to access the share and I even see numerous updates to the folder from your ID and yet I also find this.

Log Name:      Microsoft-Windows-SMBServer/Security
Source:        Microsoft-Windows-SMBServer
Date:          6/12/2018 9:01:21 AM
Event ID:      1006
Task Category: (1006)
Level:         Error
Keywords:      Audit Failure,(8)
User:          SYSTEM
Computer:      mySERVER.myDOMAIN
Description:
The share denied access to the client.
Client Name: \\10.26.151.96
Client Address: 10.26.151.96:57626
User Name: myDOMAIN\myUser
Session ID: 0x16C029C000581
Share Name: \\*\DIXFDev
Share Path: \??\D:\Shares\DIXFDev
Status: {Access Denied}
A process has requested access to an object, but has not been granted those access rights. (0xC0000022)
Mapped Access: 0x80080
Granted Access: 0x0
Security Descriptor: 0x0100048058000000680000000000000014000000020044000200000000031800FF011F000102000000000005200000002002000000002400BF011300010500000000000515000000007B755294545B7AB2192C25066D000001020000000000052000000020020000010500000000000515000000007B755294545B7AB2192C2500020000
Guidance:
You should expect access denied errors when a principal accesses a share without the necessary permissions. Usually, this indicates that the principal does not have direct security permissions or lacks membership in a group that has direct access permissions. To determine and correct the permissions on the specified share, an administrator can use the Security tab in File Explorer Properties dialog, the SMBSHARE Windows PowerShell module, or the NET SHARE command. You can also use the Effective Access tab in File Explorer to help diagnose the issue.
Applications may generate access denied errors if they attempt to open files in a writable mode first, and then reopen the files in a read-only mode. In this case, no user action is required.
If access to the share is denied and this event is not logged, you can examine the file and folder NTFS/REFS permissions.
This error does not indicate a problem with authentication, only authorization.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-SMBServer" Guid="{D48CE617-33A2-4BC3-A5C7-11AA4F29619E}" />
    <EventID>1006</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>1006</Task>
    <Opcode>0</Opcode>
    <Keywords>0x810000000000008</Keywords>
    <TimeCreated SystemTime="2018-06-12T14:01:21.342045500Z" />
    <EventRecordID>357496420</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="2680" />
    <Channel>Microsoft-Windows-SMBServer/Security</Channel>
    <Computer>mySERVER.myDOMAIN</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <UserData>
    <EventData xmlns="Smb2Namespace">
      <ShareNameLength>11</ShareNameLength>
      <ShareName>\\*\DIXFDev</ShareName>
      <SharePathLength>21</SharePathLength>
      <SharePath>\??\D:\Shares\DIXFDev</SharePath>
      <ClientAddressLength>128</ClientAddressLength>
      <ClientAddress>0200E11A0A1A976000000000000000000000FFFF0A1A97600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000</ClientAddress>
      <UserNameLength>14</UserNameLength>
      <UserName>myDOMAIN\bl0040</UserName>
      <ClientNameLength>14</ClientNameLength>
      <ClientName>\\10.26.151.96</ClientName>
      <MappedAccess>0x80080</MappedAccess>
      <GrantedAccess>0x0</GrantedAccess>
      <ShareSecurityDescriptorLength>132</ShareSecurityDescriptorLength>
      <ShareSecurityDescriptor>0100048058000000680000000000000014000000020044000200000000031800FF011F000102000000000005200000002002000000002400BF011300010500000000000515000000007B755294545B7AB2192C25066D000001020000000000052000000020020000010500000000000515000000007B755294545B7AB2192C2500020000</ShareSecurityDescriptor>
      <Status>0xc0000022</Status>
      <TranslatedStatus>0xc0000022</TranslatedStatus>
      <SessionID>0x16c029c000581</SessionID>
    </EventData>
  </UserData>
</Event>

从SSMS RDP会话创建的具有参数值的脚本：

DECLARE
        @execution_id bigint EXEC [SSISDB].[catalog].[create_execution] @package_name=N'FYE AP AuditFile_rep238.dtsx', @execution_id=@execution_id OUTPUT, @folder_name=N'IsolatedPackages', @project_name=N'FYE AP AuditFile_rep238', @use32bitruntime=False, @reference_id=56
        SELECT
                @execution_id DECLARE @var0 sql_variant = N'\\MYSERVER\folder1\folder2\SSISPackages\FYEAPAuditFile\audit-file-ap_ax-export_REP238_piped.txt' EXEC [SSISDB].[catalog].[set_execution_parameter_value] @execution_id,
                @object_type                            =                                                                                                                                                                30           ,
                @parameter_name                         =N'paramFilePath'                                                                                                                                                             ,
                @parameter_value                        =@var0 DECLARE @var1 sql_variant = N'2017' EXEC [SSISDB].[catalog].[set_execution_parameter_value] @execution_id                                                              ,
                @object_type                            =                                                                                                  30                                                                         ,
                @parameter_name                         =N'paramYear'                                                                                                                                                                 ,
                @parameter_value                        =@var1 DECLARE @var2 SMALLINT = 1 EXEC [SSISDB].[catalog].[set_execution_parameter_value] @execution_id                                                                       ,
                @object_type                            =                                                                                         50                                                                                  ,
                @parameter_name                         =N'LOGGING_LEVEL'                                                                                                                                                             ,
                @parameter_value                        =@var2 EXEC [SSISDB].[catalog].[start_execution] @execution_id GO

调用程序包的SSMS图像：

Answer 1

在这两种情况下，您都使用用户帐户连接到SQL Server，该帐户在登录到时由域控制器进行了身份验证。

1. 您的客户端计算机
2. 运行SQL Server和SSIS的服务器

在第二种情况（RDP）中，就像您在服务器上访问文件共享一样。 在第一种情况下（远程SSMS），您在客户端计算机上要求远程SQL Server使用您的安全上下文访问文件共享。 这称为Active Directory委托 （或“ Kerberos委托”），需要进行配置。 要求您的域管理员为SQL Server（或其服务帐户）和文件服务器（仅在尚不存在时）两者创建SPN。 然后，他们必须配置（ 允许 ）从SQL Server（或其服务帐户）到文件服务器的委派 （例如，使用“ Active Directory用户和计算机”）。 这将允许远程计算机上的SQL Server与域控制器进行通信，以便代表您（或连接的任何其他人）请求文件服务器的服务票证（即Kerberos发言）。 然后，该服务票证将呈现给文件服务器上的“ SMB服务器”服务，以检查文件共享和NTFS权限。

PS：如果您计划使用SQL Server Agent的凭据通过SQL Server Agent作业执行程序包，则不需要所有的委派。 只要设置好作业，只要SQL Server代理具有对文件共享的相应访问权限，就可以从您的远程SSMS会话启动它，而不会出现任何问题。