Comments on: How To: SQL Server Bulk Insert with Constrained Delegation (Access is Denied)

By: me7hos

me7hos — Thu, 14 Mar 2013 22:00:14 +0000

In the testing section, shouldn’t the screenshot show the connection coming from TRINITY1 instead of MORPHEUS1 since it was stated that the connection should be made from the client machine?

By: eddy

eddy — Fri, 11 Jan 2013 16:16:13 +0000

The scenario/requirement here is:

‘In an ideal scenario, here is how I want things to work. When a client application runs the SQL BULK INSERT command logged in as Domain\appadmin account to SQL Server, I want the same appadmin account to access the remote file share and read the data.

1. If a user uses a SQL Server login to connect to SQL, then the SQL Service account credentials are used to access the remote file share.

2. If a user uses a Windows account, then his own account is used to access the file share and for this to work successfully, delegation has to be configured.’

If the requirement is:

1. the application uses a specific Domain\SQL_ACCT_ID to access SQL2008/R2
2. the application uses a specific Domain\Windows_ACCT_ID through impersonation to read/write files in File Share through Bulk Insert command.

Can we use the same delegation setting to make it work?
If not, what are the alterations?

Thanks.

By: Sudarshan Narasimhan

Sudarshan Narasimhan — Tue, 27 Nov 2012 17:14:15 +0000

Hi Julia,

I must’ve missed this comment earlier. Regarding your question on Delegation when SQL is running under a built-in account like Local System, please check if Delegation has been setup as described in my post.
When SQL Server is running under [NT AUTHORITY\SYSTEM], you need to enable delegation for the machine account, which in this case would be the SQL Server machine. The machine account e.g. DOMAIN\SQLMACHINE$ will be used to pass on your windows credentials when accessing the share. For LocalSystem SQL Server self-registers SPN during startup. Check the errorlog to see if this happening or SPN Registration is throwing errors.

Find the Computer Object for the SQL Server machine in AD and set the option “Trust this computer for delegation”. Also, the file share/file server where the file is located, you need to check if the 2 HOST SPN’s are present. E.g. If the machine name where the file is located is FSHARE1, then you should see 2 spn’s called HOST/FSHARE1 and HOST/FSHARE1.corp.domain.com. The HOST SPN’s are required because CIFS is covered under this.

Note: All of the above is assuming you are setting up unconstrained delegation (to any service).

By: SQL server BULK INSERT fails, with access denied error

SQL server BULK INSERT fails, with access denied error — Thu, 04 Oct 2012 16:10:00 +0000

[...] Found this query raised earlier and this post, but both of them talks about the case were Windows authentication is used (which is not the case here). DBA here strictly does not allow permission for SQL service account for the shared folder citing security violations [...]

By: Sudarshan Narasimhan

Sudarshan Narasimhan — Tue, 11 Sep 2012 15:14:29 +0000

Well you don’t provide any information at all apart from “its not working”. Are you using constrained or un-constrained delegation. It is mandatory to have CIFS enabled for the SQL Server machine account. Please refer http://blogs.msdn.com/b/psssql/archive/2012/09/07/bulk-insert-and-kerberos.aspx and see if you can follow this to implement your delegation.

By: Sudarshan Narasimhan

Sudarshan Narasimhan — Thu, 23 Aug 2012 23:22:30 +0000

Thank you Park, really appreciate your comments.. Stay subscribed for more SQL stuff on this site. Cheers!

By: Julia

Julia — Thu, 23 Aug 2012 15:19:36 +0000

Hi, I’m a SSIS developer. I’m working on a project on which the Server\Machine setup is as same as what you descripted here except our SQL Server service is running under local system. I got Access Denied error when executing the Bulk Insert on the Client machine. I was using Windows Authentication to for all SQL Server logins and my ID has Admin access to SQL Server and Read\Write access to the Shared file fold. Could you please explain how the delegation would setup differently for SQL Server service is running under local system? Thanks in advance.

By: Park

Park — Wed, 22 Aug 2012 16:02:27 +0000

Very thanks for your good post. I’ve spent more than a half day for this problem and you solved my pain. This is one of the nicest article on the web and detailed documentation. A few good man!!!

By: Nicky

Nicky — Tue, 21 Aug 2012 07:14:56 +0000

What can you test if you’ve implemented the above steps and it still doesn’t work? I’m still getting the error in the event log.

By: Sudarshan Narasimhan

Sudarshan Narasimhan — Thu, 23 Feb 2012 16:33:47 +0000

Hi Alex,
Good point. Constrained delegation was introduced to specifically grant delegation privileges to just those services that needed it & were trustworthy. Now there are 2 possible scenarios here depending on what account the service runs under. If the service is using a computer account like [NT Authority\System], then the “Trust this computer for delegation” is required. Whereas if its running as a Domain account then “Trust this user for delegation” is required.

I haven’t yet had time to test turning off machine delegation in this bulk insert scenario. I will post back my results once I can do that.