
SSIS: package write file to network share - Call Package (RDP vs Remote)

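I have an SSIS package that writes a .TXT data file to a folder. I tested this on my local machine: the SSIS package wrote successfully (to my C drive - C:\\myPath).

Then I deployed to the server: the package fails to write (to a network file share - \\myDomain\\Folder1\\Folder2).

My user account has access to the folder. From the server, I have tried executing the package two different ways:

1) Remote connection from my PC through SSMS using my user credentials (the package fails to write the file). Remote session execution on my PC is not working.

2) RDP with a remote desktop connection to MYSERVER, through SSMS using my user credentials (the package successfully wrote the file). I am able to run it from the RDP session on MYSERVER and the file was written successfully.

To summarize: the package works, but doesn't. One of our network admins added MYSERVER to have access to the folder - that is probably why I can execute it from the RDP session.

The exact error message is "Cannot open the datafile": [image]

My questions:

A) Does anyone know why the package fails when I execute it two different ways (local connection vs. server RDP) with the same user account?

B) Does anyone have a suggestion on how I can give users access to invoke the package on their own? The package has two input parameters (with default values) for user input.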


Message from my network admin:

Your id is in the proper group to access the share and I even see numerous updates to the folder from your ID and yet I also find this.

Log Name:      Microsoft-Windows-SMBServer/Security
Source:        Microsoft-Windows-SMBServer
Date:          6/12/2018 9:01:21 AM
Event ID:      1006
Task Category: (1006)
Level:         Error
Keywords:      Audit Failure,(8)
User:          SYSTEM
Computer:      mySERVER.myDOMAIN
Description:
The share denied access to the client.
Client Name: \\10.26.151.96
Client Address: 10.26.151.96:57626
User Name: myDOMAIN\myUser
Session ID: 0x16C029C000581
Share Name: \\*\DIXFDev
Share Path: \??\D:\Shares\DIXFDev
Status: {Access Denied}
A process has requested access to an object, but has not been granted those access rights. (0xC0000022)
Mapped Access: 0x80080
Granted Access: 0x0
Security Descriptor: 0x0100048058000000680000000000000014000000020044000200000000031800FF011F000102000000000005200000002002000000002400BF011300010500000000000515000000007B755294545B7AB2192C25066D000001020000000000052000000020020000010500000000000515000000007B755294545B7AB2192C2500020000
Guidance:
You should expect access denied errors when a principal accesses a share without the necessary permissions. Usually, this indicates that the principal does not have direct security permissions or lacks membership in a group that has direct access permissions. To determine and correct the permissions on the specified share, an administrator can use the Security tab in File Explorer Properties dialog, the SMBSHARE Windows PowerShell module, or the NET SHARE command. You can also use the Effective Access tab in File Explorer to help diagnose the issue.
Applications may generate access denied errors if they attempt to open files in a writable mode first, and then reopen the files in a read-only mode. In this case, no user action is required.
If access to the share is denied and this event is not logged, you can examine the file and folder NTFS/REFS permissions.
This error does not indicate a problem with authentication, only authorization.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-SMBServer" Guid="{D48CE617-33A2-4BC3-A5C7-11AA4F29619E}" />
    <EventID>1006</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>1006</Task>
    <Opcode>0</Opcode>
    <Keywords>0x810000000000008</Keywords>
    <TimeCreated SystemTime="2018-06-12T14:01:21.342045500Z" />
    <EventRecordID>357496420</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="2680" />
    <Channel>Microsoft-Windows-SMBServer/Security</Channel>
    <Computer>mySERVER.myDOMAIN</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <UserData>
    <EventData xmlns="Smb2Namespace">
      <ShareNameLength>11</ShareNameLength>
      <ShareName>\\*\DIXFDev</ShareName>
      <SharePathLength>21</SharePathLength>
      <SharePath>\??\D:\Shares\DIXFDev</SharePath>
      <ClientAddressLength>128</ClientAddressLength>
      <ClientAddress>0200E11A0A1A976000000000000000000000FFFF0A1A97600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000</ClientAddress>
      <UserNameLength>14</UserNameLength>
      <UserName>myDOMAIN\bl0040</UserName>
      <ClientNameLength>14</ClientNameLength>
      <ClientName>\\10.26.151.96</ClientName>
      <MappedAccess>0x80080</MappedAccess>
      <GrantedAccess>0x0</GrantedAccess>
      <ShareSecurityDescriptorLength>132</ShareSecurityDescriptorLength>
      <ShareSecurityDescriptor>0100048058000000680000000000000014000000020044000200000000031800FF011F000102000000000005200000002002000000002400BF011300010500000000000515000000007B755294545B7AB2192C25066D000001020000000000052000000020020000010500000000000515000000007B755294545B7AB2192C2500020000</ShareSecurityDescriptor>
      <Status>0xc0000022</Status>
      <TranslatedStatus>0xc0000022</TranslatedStatus>
      <SessionID>0x16c029c000581</SessionID>
    </EventData>
  </UserData>
</Event>

Script with parameter values created from the SSMS RDP session:

-- Create the execution for the deployed package
DECLARE @execution_id bigint
EXEC [SSISDB].[catalog].[create_execution]
        @package_name=N'FYE AP AuditFile_rep238.dtsx',
        @execution_id=@execution_id OUTPUT,
        @folder_name=N'IsolatedPackages',
        @project_name=N'FYE AP AuditFile_rep238',
        @use32bitruntime=False,
        @reference_id=56
SELECT @execution_id

-- Package parameters (object_type 30)
DECLARE @var0 sql_variant = N'\\MYSERVER\folder1\folder2\SSISPackages\FYEAPAuditFile\audit-file-ap_ax-export_REP238_piped.txt'
EXEC [SSISDB].[catalog].[set_execution_parameter_value] @execution_id, @object_type=30, @parameter_name=N'paramFilePath', @parameter_value=@var0
DECLARE @var1 sql_variant = N'2017'
EXEC [SSISDB].[catalog].[set_execution_parameter_value] @execution_id, @object_type=30, @parameter_name=N'paramYear', @parameter_value=@var1

-- System parameter (object_type 50)
DECLARE @var2 smallint = 1
EXEC [SSISDB].[catalog].[set_execution_parameter_value] @execution_id, @object_type=50, @parameter_name=N'LOGGING_LEVEL', @parameter_value=@var2

-- Start the execution
EXEC [SSISDB].[catalog].[start_execution] @execution_id
GO

SSMS image of calling the package: [image]

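In both cases you connect to SQL Server with your user account, which was authenticated by a domain controller when you logged on to

  1. your client computer
  2. the server running SQL Server and SSIS

In the second case (RDP), it is like you accessing the file share while being on the server. In the first case (remote SSMS), you on your client computer ask the remote SQL Server to access the file share using your security context. This is called Active Directory delegation (or "Kerberos delegation") and needs to be configured. Ask your domain admins to create SPNs for both the SQL Server (or its service account) and the file server (only if they do not exist yet). Then they have to configure (allow) delegation from the SQL Server (or its service account) to the file server (e.g., with "Active Directory Users and Computers"). This will allow the SQL Server on the remote machine to talk to a domain controller in order to request a service ticket (that's Kerberos speak) for the file server on behalf of you (or anybody else connecting). The service ticket will then be presented to the "SMB Server" service on the file server in order to check file share and NTFS permissions.

PS: If you plan to execute the package via a SQL Server Agent job using SQL Server Agent's credentials, all that delegation stuff is not needed. Just set up the job, and as long as the SQL Server Agent has the appropriate access to the file share, you can start it from your remote SSMS session without any problems.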
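
A diagnostic check for the situation described in the answer, added here as an example and not part of the original question or answer: it shows how the failing remote SSMS session authenticated and which identity the package ran as. It assumes the caller has VIEW SERVER STATE and read access to the SSISDB catalog views; the package name is the one from the question's script.

```sql
-- Added diagnostic example (not from the original post). Run it in the same
-- remote SSMS session that fails.

-- 1) How did this session authenticate to SQL Server?
--    NTLM:     the server cannot forward your identity to the file share.
--    KERBEROS: prerequisite for delegation; delegation must still be allowed in AD.
SELECT c.session_id,
       s.login_name,
       c.auth_scheme,
       c.net_transport,
       c.client_net_address
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id
WHERE c.session_id = @@SPID;

-- 2) Which Windows identity did recent runs of the package execute as,
--    and how did they end?
SELECT TOP (10)
       e.execution_id,
       e.caller_name,
       e.executed_as_name,
       CASE e.status
            WHEN 1 THEN 'created'   WHEN 2 THEN 'running'
            WHEN 3 THEN 'canceled'  WHEN 4 THEN 'failed'
            WHEN 5 THEN 'pending'   WHEN 6 THEN 'ended unexpectedly'
            WHEN 7 THEN 'succeeded' WHEN 8 THEN 'stopping'
            WHEN 9 THEN 'completed'
       END AS status_text,
       e.start_time,
       e.end_time
FROM SSISDB.catalog.executions AS e
WHERE e.package_name = N'FYE AP AuditFile_rep238.dtsx'
ORDER BY e.execution_id DESC;

-- 3) Error messages (message_type 120) logged by the failed runs found above.
SELECT m.operation_id,
       m.message_time,
       m.message_source_name,
       m.message
FROM SSISDB.catalog.event_messages AS m
JOIN SSISDB.catalog.executions AS e ON e.execution_id = m.operation_id
WHERE e.package_name = N'FYE AP AuditFile_rep238.dtsx'
  AND e.status = 4
  AND m.message_type = 120
ORDER BY m.message_time DESC;
```

If query 1 returns NTLM for the remote session, fix the SQL Server SPN registration first, since delegation to the file server only works for Kerberos-authenticated connections.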
