SQL Agent job execution fails for domain user

  • I have an issue with my reporting services, but the underline issue is with sql agent jobs executing from a domain user account. When ever SSRS creates a subscription for a report to be schedules it in turns creates a sql agent job with the appropriate schedule with the owner of the job as the login/user that SSRS has configured as the connection to sql server, in my case its a domain user. These jobs fail when they execute with the following error.

    The job failed. Unable to determine if the owner (Domain\user) of job D6539BF7-14EE-4461-B5EE-0EDD365FCB30 has server access (reason: Could not obtain information about Windows NT group/user 'Domain\user', error code 0x5. [SQLSTATE 42000] (Error 15404)).

    Now if I change the owner to 'sa' it runs fine. This user is in the domain group "user" and is in the sysadmin role within sql server and in the administrators group on that server. I've seen suggestions to run the following command, with the following results:

    exec as login = 'DOMAIN\user'

    go

    Msg 15404, Level 16, State 19, Line 1

    Could not obtain information about Windows NT group/user 'DOMAIN\user', error code 0x5.

    Any help would be greatly appreciated

  • Hi Sean,

    This is what it says: the process probably can not access the domain controller to verify the identity of this person. It can happen if Agent or SQL Server are started on the server local account and your domain controller does not allow read for anonymous users. Also make sure this person has an INDIVIDUAL login to SQL Server, not just part of the Administartors on the server who are sysaadmins in SQL Server. We had many occasions that jobs stop running (not sure at what point, did not figure it out) but when we would add this login as an individual login in SQL Server, the job would run again.

    I also had authentication issues with global group membership. If a login is a member of a global group that has access to the resource, sometimes it takes time to verify the group membership and the error message is already posted by this time.

    Regards,Yelena Varsha

  • Thanks Yelana for the quick response,

    SQL Server service, SQL Server reporting service and sql agent all run under different domain IDs. I don't know if the DC allows for read of anonymous users, I'll have to ask the Admins on that one. The SQL Server ID, and SQL Agent ID are part of a group that has access, but the sql server reporting service ID has an individual ID within SQL Server, this last ID is the one that I'm having an issue with. Do you think that this is the problem? Or could this be a timing issue between AD and the individual server in regards to group membership verification?

    sean

  • Could be a timing issue. I had something similar with the app that gets something from the share. If a user logs in to the computer that is not part of the domain but trust the domain he gets the similar error when this app accessing the share, but if the user map the share in advance and then uses the app, everything is fine. What I would suggest is to see what account tries to access domain controller.to verify the user identity.It may be not what you think (your SSRS domain ID) , but some low-privileged local account.

    Fotr that you have to work with your domain admin, you will start the job so it gives you a message, write down the time whn you did that and ask your network admin to check the security log on the Domain Controller for this time with the client being your server

    Yelena

    Regards,Yelena Varsha

Viewing 4 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic. Login to reply