

Permissions needed to set up linked server with out-of-process provider

When setting up a linked server to a third-party database, it is recommended to run the third-party provider in out-of-process mode. When the provider runs in-process (within the same process as SQL Server), any issue with the provider can affect the SQL Server process and can even crash SQL Server.

To set a provider to run out-of-process, uncheck the "Allow In Process" property of the provider.

There are certain permissions that have to be set on MSDAINITIALIZE to be able to initialize the provider out-of-process and run linked server queries successfully locally and remotely.

MSDAINITIALIZE is a COM class that is provided by OLE DB. This class can parse OLE DB connection strings and load/initialize the provider based on property values in the connection string.

MSDAINITIALIZE is initiated by users connected to SQL Server. If Windows authentication is used to connect to SQL Server, the provider is initialized under the logged-in user account. If the logged-in user is a SQL login, the provider is initialized under the SQL Server service account. Permissions on MSDAINITIALIZE have to be granted according to the type of login used.

When these permissions are not set for the logged in users, we get Access Denied errors as below:

Msg 7399, Level 16, State 1, Line 1
The OLE DB provider "Microsoft.Jet.OLEDB.4.0" for linked server "(null)" reported an error. Access denied.
Msg 7301, Level 16, State 2, Line 1
Cannot obtain the required interface ("IID_IDBCreateCommand") from OLE DB provider "Microsoft.Jet.OLEDB.4.0" for linked server "(null)".

Failed to retrieve data for this request. (Microsoft.SqlServer.SmoEnum)
An exception has occurred while executing a Transact-SQL statement or batch. (Microsoft.SqlServer.ConnectionInfo)
The OLEDB Provider "MSDAORA" for linked server <linked server name> reported an error. Access denied.
Cannot obtain the required interface ("IID_IDBSchemaRowSet") from OLE DB provider "MSDAORA" for linked server "<linked server name>". (Microsoft SQL Server, Error: 7399)

Msg 7399, Level 16, State 1, Line 1
The OLE DB provider "IBMDADB2.DB2COPY1" for linked server "<linked server name>" reported an error. Access denied.
Msg 7301, Level 16, State 2, Line 1
Cannot obtain the required interface ("IID_IDBCreateCommand") from OLE DB provider "IBMDADB2.DB2COPY1" for linked server "<linked server name>".

Server: Msg 7302, Level 16, State 1, Line 1
Could not create an instance of OLE DB provider 'MSDAORA'.
OLE DB error trace [Non-interface error: CoCreate of DSO for MSDAORA returned 0x80070005].

The error code 0x80070005 means access denied.

To be able to execute linked server queries, also set RPC OUT to true on the linked server properties.

Permissions needed to set up linked server with out-of-process provider:

Verify the settings below in DCOMCNFG (Start --> Run --> Dcomcnfg):

1. Component services --> My Computer --> Properties. Verify that the options below are set in the 'Default Properties' tab:

- 'Enable Distributed COM on this computer' is checked.

- Default Authentication = Connect.

- Default Impersonation Level = Identify or Impersonate.

2. Component services --> My Computer --> DCOM Config --> MSDAINITIALIZE

- Right-click on MSDAINITIALIZE --> Properties --> Security.

- Add the SQL Server service account (if connected to SQL Server using a SQL login) or the Windows user account under "Launch and Activation Permissions", "Access Permissions" and "Configuration Permissions".

- Give full rights to these accounts.

- Restart the server.

3. Go to dcomcnfg --> My Computer --> Properties --> COM Security --> Edit Defaults for Access Permissions and for Launch and Activation Permissions, and add the SQL Proxy account.

On a Windows Vista/2008 machine, follow these instructions to be able to edit the DCOM settings above, per

https://blogs.msdn.com/emeadaxsupport/archive/2010/01/26/unable-to-edit-the-dcom-settings-for-iis-wamreg-admin-service-on-a-windows-server-2008-r2-when-trying-to-configure-kerberos-authentication-for-role-centers.aspx

1. Grab the APP ID from the General tab of MSDAINITIALIZE Properties. It should be 2206CDB0-19C1-11D1-89E0-00C04FD7A829

 


 

Using regedit, search for the key in the registry. You should find it at HKEY_CLASSES_ROOT\AppID\{2206CDB0-19C1-11D1-89E0-00C04FD7A829}

Next, follow these instructions to change permissions.

1. Right-click the {2206CDB0-19C1-11D1-89E0-00C04FD7A829} key and select the Permissions menu option.

2. Click the Advanced button in the Permissions window and select the Owner tab. Under "Change owner to", select the local Administrators group, click Apply/OK, and then click OK again.

3. Then, in the Permissions window, select the local Administrators group and, under Permissions for Administrators, select Full Control.

NOTE: DO NOT modify/change any permissions for the TrustedInstaller account.

4. Click on Apply or OK to make the changes effective.

5. Re-run the Component Services management console (dcomcnfg.exe) and you should now be able to modify the settings for the MSDAINITIALIZE package.

6. After making the necessary changes as mentioned above, reset the permissions for the above registry key in the registry settings back to its defaults:

 - First make the account "NT SERVICE\TrustedInstaller" from the local computer the Owner of the key and then remove Full Control access for the Administrators group, and leave it with only Read access.
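
A read-only way to verify the result of the steps above, added here as an example and not part of the original article: the PowerShell below reads the DCOM defaults, lists which accounts hold launch/access rights on the MSDAINITIALIZE AppID, and shows the key's owner so you can confirm it was returned to TrustedInstaller. It assumes PowerShell 3.0 or later in an elevated session on the SQL Server host; the function name Get-DcomAce is hypothetical, and the registry value names are the standard DCOM ones rather than anything quoted in the article.

```powershell
# Added example: read-only audit of the DCOM settings from the steps above.
# Assumes PowerShell 3.0+ in an elevated session on the SQL Server host.
$appId  = '{2206CDB0-19C1-11D1-89E0-00C04FD7A829}'   # MSDAINITIALIZE AppID (from the article)
$appKey = "Registry::HKEY_CLASSES_ROOT\AppID\$appId"
$oleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'             # machine-wide DCOM defaults

# DCOM access-mask bits (COM_RIGHTS_* constants).
$rights = @{ 1 = 'Execute'; 2 = 'ExecuteLocal'; 4 = 'ExecuteRemote'
             8 = 'ActivateLocal'; 16 = 'ActivateRemote' }

# Decode a binary security descriptor stored in the registry into one row per ACE.
function Get-DcomAce {
    param([string]$Path, [string]$ValueName)
    $bytes = (Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if (-not $bytes) {
        # Value absent: DCOM falls back to the machine-wide or built-in defaults.
        return [pscustomobject]@{ Source = $ValueName; Account = '(not set)'; Type = ''; Rights = '' }
    }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }                  # unresolvable SID: show it raw
        $names = $rights.Keys | Sort-Object | Where-Object { $ace.AccessMask -band $_ } |
                 ForEach-Object { $rights[$_] }
        [pscustomobject]@{ Source = $ValueName; Account = $name
                           Type = $ace.AceType; Rights = $names -join ', ' }
    }
}

# Step 1: "Default Properties" tab (a blank field means the value is not explicitly set).
$ole = Get-ItemProperty -Path $oleKey
[pscustomobject]@{
    EnableDCOM          = $ole.EnableDCOM                 # 'Y' = enabled
    AuthenticationLevel = $ole.LegacyAuthenticationLevel  # 2 = Connect
    ImpersonationLevel  = $ole.LegacyImpersonationLevel   # 2 = Identify, 3 = Impersonate
} | Format-List

# Step 2 (per-application ACLs) and step 3 (COM Security defaults).
$report = @(
    Get-DcomAce $appKey 'LaunchPermission'
    Get-DcomAce $appKey 'AccessPermission'
    Get-DcomAce $oleKey 'DefaultLaunchPermission'
    Get-DcomAce $oleKey 'DefaultAccessPermission'
)
$report | Format-Table -AutoSize

# "Configuration Permissions" are the ACL on the AppID key itself; after the
# clean-up step the owner should again be NT SERVICE\TrustedInstaller.
Get-Acl -Path $appKey | Format-List Owner, AccessToString
```

Any account in the output that you did not add deliberately, or a remote-activation right where only local access is needed, is worth reviewing before the server goes back into service.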

Author : Aruna(MSFT), SQL Developer Engineer, Microsoft 

Reviewed by : Azim(MSFT), SQL Developer Technical Lead , Microsoft

Comments

  • Anonymous
    January 13, 2011
    Most valuable. This is exactly what was my problem. Nevertheless, quite a shame on the way this needs to be fixed.

  • Anonymous
    February 24, 2011
    Hello Matt, Thank you for your feedback. Could you expand a little on why you are not satisfied with the resolution? Thank you, Aruna (MSFT)

  • Anonymous
    March 14, 2011
    Thank you so much for this post. I have been struggling for days trying to fix this problem. Your solution worked perfectly :)

  • Anonymous
    December 07, 2011
    Of course you work for MS. How would one otherwise figure this out for oneself? Great info. Thx

  • Anonymous
    June 08, 2012
    This was very helpful.  Thanks a lot.

  • Anonymous
    June 12, 2012
    Hello, I cannot carry out the step "Component services --> My computer --> DCOM Config --> MSDAINITIALIZE" because everything in the MSDAINITIALIZE Properties, Security tab, is greyed out.

  • Anonymous
    September 13, 2012
    Ralf Wastl, please refer to the instructions under step 3 in the article above.

  • Anonymous
    October 09, 2013
    Thanks, It works.

  • Anonymous
    November 10, 2013
    Our nightly refresh would intermittently fail causing the server to hang. This fixed the issue, thank you!! Config: SQL2008,Linked Server to AS400

  • Anonymous
    June 04, 2014
    In my case it didn't work. I'm using Windows 8 and SQL Server 2012. Can you help me please?

  • Anonymous
    July 05, 2014
    In the properties of MSDAINITIALIZE, only the General tab has an entry. All other tabs (rather, the fields in them) are disabled. The workaround suggested needs so many tweaks one wonders whether it is worth it. By the way, the first screen you show is the default and so are the dconfig's defaults.

  • Anonymous
    October 29, 2014
    This is truly a great write-up - never once in my experience with data connections have I had to mess with MSDAINITIALIZE, so it's great to find a clear online resource which solves the issue. I should note that Step 2 was unnecessary (as I discovered when the options were completely disabled).  Skipping that and proceeding to implement Step 3 was sufficient to enable remote OLE DB connectivity.

  • Anonymous
    March 15, 2015
    Thank you very much! Solved my problem with accessing a linked oracle db.

  • Anonymous
    June 13, 2015
    Thank you man. You saved my life :D

  • Anonymous
    December 21, 2015
    Running SQL Server Management Studio as administrator worked for me

  • Anonymous
    May 26, 2016
    The comment has been removed

    • Anonymous
      June 15, 2016
      The comment has been removed
    • Anonymous
      March 28, 2017
      Did you fix the error?
  • Anonymous
    July 19, 2016
    Thanks a lot. It works!!

  • Anonymous
    November 14, 2016
    I tried to change the security of MSDAINITIALIZE, and I set up "Dynamic Parameter" and "Allow inprocess" in the provider properties, but I always get error message 7399 - object cannot be initialized. The command is: "exec sp_addlinkedserver @server='REPORTABSENCE1', @srvproduct='Excel', @provider='Microsoft.ACE.OLEDB.12.0', @datasrc='local_path\file_name.xlsx', @provstr='Excel 12.0;HEADER=No'" I spent hours trying to solve this issue. There is no problem with xls files, but for xlsx I get this error message each time.

  • Anonymous
    January 27, 2017
    What do you mean by SQL Proxy account in this context?

  • Anonymous
    February 20, 2019
    Great article, I think this is exactly what we need to prevent our linked server from crashing, which it seems to do at least once a day. However, in the very last step concerning a SQL Proxy... we currently do not use these. Our Agent isn't even started at this time. Is this something that is necessary? If not, what else could we use instead? I posted a whole question concerning this here: https://serverfault.com/questions/954154/sql-server-linked-server-instability Thanks for the article and your help!