Error While Deploying SSIS 2012 project from SSDT to SSIS Catalog : System.ComponentModel.Win32Exception: A required privilege is not held by the client
A .NET Framework error occurred during execution of user-defined routine or aggregate "deploy_project_internal": System.ComponentModel.Win32Exception: A required privilege is not held by the client.
I ran across this issue in one of my newly set up Sql 2012 Servers when I tried to deploy a project to the SSIS Catalog using the Project Deployment Model. I set Sql 2012 up in 3-4 of my servers and never encountered this before. I was using my same domain account across all the Servers. I tried to grab a profiler but could not find any calls to the system stored procedures used for deployment, so my guess was the call is not even reaching to Sql.
After spending a few hours, I was actually able to get past the problem even though I’m not sure if I found out the exact cause! In this case, I’m pretty sure that SSIS is doing a CreateProcessAsUser() using my account credentials, and the SQL/Agent service account is not involved. The SSIS Catalog only accepts Windows Auth (because it does account impersonation during deployment, validation and execution).
Since the deployment process is making call to an executable residing in the file system (outside of Sql), I suspected that the Sql Server Service Account would come into question . I changed the Sql Server Service Account from built in default “Nt Service\MSSQLSERVER” (New account introduced in Denali) to another account with admin rights on the system and VOILA!! it started working.
This seems to be an issue specific to the Sql Service account permissions; however I could not reproduce the problem in my other machines though my service runs as “Nt Service\MSSQLSERVER”. I believe it has something to do with the group policy. SSIS is launching the external process to do the deployment (ISServerExec) in much the same way that SQL Agent runs its jobs. In similar SQL Agent cases, it looked like service account requires the “Act as part of the operating system” account policy.
Author : Debarchan(MSFT) SQL Developer Engineer, Microsoft
Reviewed by : Snehadeep(MSFT), SQL Developer Technical Lead , Microsoft
Comments
Anonymous
January 21, 2013
I havent restarted the SQL service after changing the settings and this didnt resolve my issue... Do I need to restart the service too ? Please be clear. Thanks !Anonymous
January 21, 2013
Please specify the changes performed by you. Did you try changing the SQL Server service account to run under any local admin account. Any changes to the service account will automatically request for the service restart. or if you talking about “Act as part of the operating system” account policy, then this change wouldn't require any restart of the service. Please let us know about the changes performed by you.Anonymous
January 21, 2013
About this change : -- talking about “Act as part of the operating system” account policy, then this change wouldn't require any restart of the service. It definitely needed a machine reboot ! and it fixed my issue. I went back and did my own research work and learnt that Act as a part of the operating system doesn't get initialized unless the OS is rebooted [as per Mark Russ ( Windows Guru )]. Please make the necessary change to your article , so that it will help others like me ( and they don't end up wasting their time ).Anonymous
February 20, 2013
Max, Thanks, will update the article accordingly.Anonymous
May 07, 2013
Any updates on what causes this? And if there is a hotifx available? I might be able to fix the problem, but it might return at any moment as well... Thanks in advance!Anonymous
May 08, 2013
Also, these rights/policy changes didn't work for me. I had to repair my SQL Server install and then it worked again.Anonymous
May 15, 2013
...and then it stopped working again. Have done the repair again and that fixed it, but I'm afraid the problem will re-appear after the next reboot :-/Anonymous
May 15, 2013
Jorg, This seems to be lingering. Is there a way you could open a support request with Microsoft PSS to investigate this further?Anonymous
July 01, 2013
The comment has been removedAnonymous
July 01, 2013
The comment has been removedAnonymous
July 16, 2013
Happen to resolve this issue with one of my customers after following the below steps. -> Note down your SQL Server Service account & SQL Agent Service account. -> Go to Start-> Run-> secpol.msc-> Local Policies->User Rights Assignment check if these 2 accounts are a part of the following policies. -> Log on as a service -> Act as part of OS -> Adjust memory quotas -> Logon as batch job -> Replace a process level token -> If not, add them explicitly. -> Reboot the machine. Be sure that the domain level group policy settings aren't overriding these settings. [Note: Any deny permissions will have precedence over grant permissions]Anonymous
September 14, 2013
Realy suffered by this issue. What is solution to fix this one?Anonymous
September 30, 2013
Hi, the missing permission is the following: Replace a process-level token (SeAssignPrimaryTokenPrivilege). Apply this right to the SQL-Engine-Account and restart the Engine. Then the deployment should work again. See: blog.oraylis.de/.../fixing-sql-2012-ssis-deployment-error-6522-a-required-privilege-is-not-held-by-the-clientAnonymous
June 01, 2014
Guys, I followed both these links blog.oraylis.de/.../fixing-sql-2012-ssis-deployment-error-6522-a-required-privilege-is-not-held-by-the-client blogs.msdn.com/.../system-componentmodel-win32exception-a-required-privilege-is-not-held-by-the-client-while-deploying-ssis-project.aspx and above steps, But none of them solved my problem. Then I repaired my SQL Server instance which fixed my issue. ThanksAnonymous
May 13, 2015
Based on my observation, this happens when the SQL Server is set to run under the built in network account, but the Agent under a Windows account. So the security handshake does not occur (no delegation). Thus the remedy is in having the both services run under the same account.Anonymous
August 24, 2015
Your suggestion did not work for me. What did end up working was the following: blog.oraylis.de/.../fixing-sql-2012-ssis-deployment-error-6522-a-required-privilege-is-not-held-by-the-client- Anonymous
March 30, 2016
The comment has been removed
- Anonymous
Anonymous
October 11, 2016
This wouldn't happen to have anything to do with the 'Allow logon locally' user rights in Group policy? Like SSRS, SSRS not able to use a runas account unless it has the allow logon locally rights.Anonymous
April 19, 2017
The comment has been removed- Anonymous
April 19, 2017
Forgot to add, After making the change, it now worked for me, no more errors after four months
- Anonymous
Anonymous
August 24, 2017
The comment has been removedAnonymous
January 13, 2019
This error just showed up for me after installing a Windows Server 2016 update. Beware! All the SSIS jobs on the server stopped working, and producing this error. Then I learned it wasn't necessarily SQL Agent, since I also had the error come up when trying to deploy projects via SSMS > Integration Services Catalog > Deploy Project. Tried uninstalling the update but that didn't work. I didn't have access to some of the other things I read about. I finally tried a SQL Server repair on the instance and that most fortunately fixed it.