November 20, 2009 at 10:34 am
I posted this to the ASK SSC part of the site but I'm thinking perhaps this isn't a simple answer but more of a discussion issue so I'm posting it here now if that is OK.
My ASK posting: http://ask.sqlservercentral.com/questions/2036/sql-08-agent-powershell-job-fails-logon-failure-unknown-user-name-or-bad-passw
Anyway, the issue (on SQL 08):
I get the following error:
"reason: Error authenticating proxy domain\user, system error: Logon failure: unknown user name or bad password."
This happens when I start my SQL 2008 Agent job that I created.
The job is owned by my domain account, I have full sysadmin rights on the SQL 08 install.
This is running on my local machine (for dev/testing).
There is 1 step which runs a PowerShell script:
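# Delete files in $folder that match $filter (except $logFile) and were last written more than $age minutes ago.
function Remove-OldFiles($folder, $logFile, $filter, $age) {
    Get-ChildItem $folder* -Include $filter -Exclude $logFile |
        ? { $_.LastWriteTime -le (Get-Date).AddMinutes(-$age) } |
        Remove-Item -Verbose
}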
Remove-OldFiles 'c:\PSHtest\' 'DeleteLog.txt' *.txt, *.xml 3
It runs as a proxy account.
This proxy account is allowed to use the PowerShell subsystem only and as my domain account is part of sysadmin I have not assigned it to the proxy account principals list.
The proxy account uses a credential that is just my own domain account.
If I use the SQL Agent account to run the script the job does NOT fail, but the script itself cannot execute and returns errors about it not being able to access the files, but I think that is a permissions issue with SQL Agent just not having access to that part of the c:\ drive.
I could adjust the agent account, but wasn't going to mess with it too much as right now it is just running as LocalService.
Though I do wonder about that as now that I think about it, isn't LocalService basically an admin account?
Either way, I assigned it to run as a proxy as I will want this to run over the network when I get it working.
Which is why I assigned a proxy to run, a proxy that has access to that part of the network for testing.
Suggestions on how I can correct this?
I've seen pages that say this error may be due to the service account not being enabled for delegation. Could that be the cause of this problem?
I am not familiar with the details of delegation so if that is the reason behind it a brief explanation would be greatly appreciated.
Thank you!
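The proxy setup described in this post, written out as T-SQL with a query to check which Windows identity each proxy logs on as. This is an added example, not the poster's own script; the names PshCleanupCred and PshCleanupProxy, the account DOMAIN\user and the secret are placeholders.

```sql
-- Added example: credential/proxy names, account and secret are placeholders.
USE master;
GO
-- The credential stores the Windows identity and password that SQL Server
-- Agent presents when it logs on to run a proxied job step.
CREATE CREDENTIAL PshCleanupCred
    WITH IDENTITY = N'DOMAIN\user',                 -- placeholder account
         SECRET   = N'<password-of-that-account>';  -- placeholder secret
GO
USE msdb;
GO
-- Map a SQL Server Agent proxy onto that credential.
EXEC dbo.sp_add_proxy
     @proxy_name      = N'PshCleanupProxy',
     @credential_name = N'PshCleanupCred',
     @enabled         = 1;

-- Allow the proxy in the PowerShell subsystem only.
EXEC dbo.sp_grant_proxy_to_subsystem
     @proxy_name     = N'PshCleanupProxy',
     @subsystem_name = N'PowerShell';
GO
-- Members of sysadmin can use any proxy, so no sp_grant_login_to_proxy
-- call is made here for the job owner.

-- Check: which identity does each proxy use, and in which subsystems?
SELECT p.name                AS proxy_name,
       p.enabled,
       c.name                AS credential_name,
       c.credential_identity,
       s.subsystem
FROM   msdb.dbo.sysproxies AS p
JOIN   sys.credentials     AS c  ON c.credential_id = p.credential_id
LEFT JOIN msdb.dbo.sysproxysubsystem AS ps ON ps.proxy_id    = p.proxy_id
LEFT JOIN msdb.dbo.syssubsystems     AS s  ON s.subsystem_id = ps.subsystem_id
ORDER BY p.name, s.subsystem;

-- The stored secret does not follow a Windows password change;
-- it has to be re-entered on the credential:
-- ALTER CREDENTIAL PshCleanupCred
--     WITH IDENTITY = N'DOMAIN\user', SECRET = N'<new-password>';
```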
November 21, 2009 at 8:31 am
I could adjust the agent account, but wasn't going to mess with it too much as right now it is just running as LocalService.
Though I do wonder about that as now that I think about it, isn't LocalService basically an admin account?
Either way, I assigned it to run as a proxy as I will want this to run over the network when I get it working.
Which is why I assigned a proxy to run, a proxy that has access to that part of the network for testing.
Suggestions on how I can correct this?
Your assumption is not correct; per the link below, Local Service is not a valid account to run SQL Server Agent because the Agent needs network permissions to perform most automation and replication related tasks. Check below for the accounts that qualify to be the Agent account or Agent proxy account.
http://msdn.microsoft.com/en-us/library/ms345380.aspx
Kind regards,
Gift Peddie
November 21, 2009 at 11:26 am
It is running as Local SYSTEM, not service.
Apologies, that was my fault for typing that wrong.
But in this case it is also only on a local testing box.
November 21, 2009 at 11:49 am
Maxer (11/21/2009)
It is running as Local SYSTEM, not service.
Apologies, that was my fault for typing that wrong.
But in this case it is also only on a local testing box.
Local System is the most powerful account in the system, so you need to verify the Agent is on, because it is disabled by default in the Developer edition, and check your proxy account definition. The last thing is, are you sure SQL Server is running in mixed mode? If it is not running in mixed mode, it cannot use an account for anything because Windows will resolve everything for you. If it is in mixed mode, then try to log in with the SA account first, because if that fails then the system has disabled the SA account because you are using Windows authentication, which means you need to enable the SA account, which enables SQL authentication.
Kind regards,
Gift Peddie
December 1, 2009 at 6:11 am
That did it, I had disabled my SA account.
So I renamed it, gave it a good strong password, and then it seemed to work fine.
So does it HAVE to be mixed mode to allow proxy and use credentials that are just a Windows account?