Permissions needed to set up linked server with out-of-process provider
When setting up linked server to third-party Databases, it is recommended to run the third-party provider in out-of-process mode, because when the provider is run in-process (within the same process as SQL Server), then any issues with the provider can affect SQL Server process which could also result in crashing SQL server.
To how to set a provider to run out-of-process, uncheck "Allow In Process" property of the provider:
There are certain permissions that have to be set on MSDAINITIALIZE to be able to initialize the provider out-of-process and run linked server queries successfully locally and remotely.
MSDAINITIALIZE is a COM class that is provided by OLE DB. This class can parse OLE DB connection strings and load/initialize the provider based on property values in the connection string.
MSDAINITILIAZE is initiated by users connected to SQL Server. If windows authentication is used to connect to SQL Server, then the provider is initialized under the logged in user account. If the logged in user is a SQL login, then provider is initialized under SQL Server service account. Based on the type of login used, permissions on MSDAINITIALIZE have to be provided accordingly.
When these permissions are not set for the logged in users, we get Access Denied errors as below:
Msg 7399, Level 16, State 1, Line 1
The OLE DB provider "Microsoft.Jet.OLEDB.4.0" for linked server "(null)" reported
an error. Access denied.
Msg 7301, Level 16, State 2, Line 1
Cannot obtain the required interface ("IID_IDBCreateCommand") from OLE DB provider
"Microsoft.Jet.OLEDB.4.0" for linked server "(null)".
Failed to retrieve data for this request. (Microsoft.SqlServer.SmoEnum)
An exception has occurred while executing a Transact-SQL statement or batch.
(Microsoft.SqlServer.ConnectionInfo)
The OLEDB Provider "MSDAORA" for linked server <linked server name> reported an
error. Access denied.
Cannot obtain the required interface ("IID_IDBSchemaRowSet") from OLE DB provider
"MSDAORA" for linked server "<linked server name>". (Microsoft SQL Server, Error: 7399)
Msg 7399, Level 16, State 1, Line 1
The OLE DB provider "IBMDADB2.DB2COPY1" for linked server "<linked server name>" reported an error. Access denied.
Msg 7301, Level 16, State 2, Line 1
Cannot obtain the required interface ("IID_IDBCreateCommand") from OLE DB provider "IBMDADB2.DB2COPY1" for linked server "<linked server name>".
Server: Msg 7302, Level 16, State 1, Line 1
Could not create an instance of OLE DB provider 'MSDAORA'.
OLE DB error trace [Non-interface error: CoCreate of DSO for MSDAORA returned
0x80070005].
0x80070005 - Essentially implies Access denied.
To be able to execute linked server queries, also set RPC OUT to true on the linked server properties.
Permissions needed to set up linked server with out-of-process provider:
Verify below settings in DCOMCNFG: Start --> Run –> Dcomcnfg
1. Component services -->My Computer ---> Properties verify that below options are set:
In the 'Default Properties' tab:
- 'Enable Distributed COM on this computer' is checked.
- Default Authentication = Connect.
- Default Impersonation Level = Identify or Impersonate.
2. Component services --> My computer --> DCOM Config --> MSDAINITIALIZE
-Right click on MSDAINITIALIZE --> Properties -->Security
-Add the SQL Server service account (if connected to SQL server using SQL login) or windows user account under "Launch and Activation Permissions", "Access permissions" and "Configuration Permissions".
-Give full rights to these accounts.
-Restart the server
3) Go to dcomcnfg > My computer > Properties > COM Security > Edit Defaults for Access Permissions & Launch and Activation Permissions, and add the SQL Proxy account.
Follow these instructions to be able to edit above DCOM settings on Windows Vista/2008 machine, per
1. Grab the APP ID from the General tab of MSDAINITIALIZE Properties. It should be 2206CDB0-19C1-11D1-89E0-00C04FD7A829
Using regedit, search for the key in the registry. You should find it at HKEY_CLASSES_ROOT\AppID\{2206CDB0-19C1-11D1-89E0-00C04FD7A829}
Next, follow these instructions to change permissions.
1. Secondary-mouse click on the {2206CDB0-19C1-11D1-89E0-00C04FD7A829} key and select Permissions menu option.
2. Click the Advanced button in the Permissions window and select the Owner tab. Under Change owner to select the local Administrators group and click on Apply/OK and then click Ok again.
3. Then under Permissions window, select the local Administrators group and under Permissions for Administrators select Full Control.
NOTE: DO NOT modify/change any permissions for the TrustedInstaller account.
4. Click on Apply or OK to make the changes effective.
5. Re-run the Computer Services management console (dcomcnfg.exe) and you should now be able to modify the settings for MSDAINITIALIZE package.
6. After making the necessary changes as mentioned above, reset the permissions for the above registry key in the registry settings back to its defaults:
- First make the account "NT SERVICE\TrustedInstaller" from the local computer the Owner of the key and then remove Full Control access for the Administrators group, and leave it with only Read access.
Author : Aruna(MSFT), SQL Developer Engineer, Microsoft
Reviewed by : Azim(MSFT), SQL Developer Technical Lead , Microsoft
Comments
Anonymous
January 13, 2011
Most valuable. This exactly what was my problem. Nevertheless, quite a shame on the way this needs to be fixed.Anonymous
February 24, 2011
Hello Matt, Thank you for your feedback. Could you expand a little why you are not satified with the resolution? Thank you, Aruna (MSFT)Anonymous
March 14, 2011
Thank you so much for this post. I have been struggling for days trying to fix this problem. Your solution worked perfectly :)Anonymous
December 07, 2011
Of course you work for MS. How would one otherwise figure this out for oneself? Great info. ThxAnonymous
June 08, 2012
This was very helpful. Thanks a lot.Anonymous
June 12, 2012
Hallo, den Punkt "Component services --> My computer --> DCOM Config --> MSDAINITIALIZE " kann ich nicht ausführen, weil in den MSDAINITIALIZE Properties - Tab Security - alles ausgegraut ist.Anonymous
June 12, 2012
The comment has been removedAnonymous
September 13, 2012
Ralf Wastl,Entnehmen Sie bitte den Anweisungen unter Schritt 3 in dem Artikel oben.Anonymous
October 09, 2013
Thanks, It works.Anonymous
November 10, 2013
Our nightly refresh would intermittently fail causing the server to hang. This fixed the issue, thank you!! Config: SQL2008,Linked Server to AS400Anonymous
December 02, 2013
The comment has been removedAnonymous
June 04, 2014
In may case it didn't work, I'm using Windows 8 and SQL Server 2012. Can you help me please?Anonymous
July 05, 2014
In the property of MSDAINITIALIZE. Only the General Tab has an entry. All other tabs (rather fields in them) are disabled. The work around suggested needs so many tweaks one wondera whether it is worth. By the way the first screen you show is default and so are the dconfig's defaults.Anonymous
October 29, 2014
This is truly a great write-up - never once in my experience with data connections have I had to mess with MSDAINITIALIZE, so it's great to find a clear online resource which solves the issue. I should note that Step 2 was unnecessary (as I discovered when the options were completely disabled). Skipping that and proceeding to implement Step 3 was sufficient to enable remote OLE DB connectivity.Anonymous
January 13, 2015
The comment has been removedAnonymous
March 15, 2015
Thank you very much! Solved my problem with accessing a linked oracle db.Anonymous
June 01, 2015
The comment has been removedAnonymous
June 13, 2015
Thank you man. You saved my life :DAnonymous
December 21, 2015
run sql sserver managment studio as administrator worked for meAnonymous
May 26, 2016
The comment has been removed- Anonymous
June 15, 2016
The comment has been removed - Anonymous
March 28, 2017
¿ Did you Fix the Error ?
- Anonymous
Anonymous
July 19, 2016
Thanks a lot. It works!!Anonymous
November 14, 2016
I tried to change the security of MSDAINITIALIZE, I setup the "Dynamic Parameter" and "Allow inprocess" in the provider-properties, though I always become the error-message 7399 - object cannot be initialized.The command is: "exec sp_addlinkedserver @server='REPORTABSENCE1', @srvproduct='Excel', @provider='Microsoft.ACE.OLEDB.12.0', @datasrc=local_path\file_name.xlsx', @provstr='Excel 12.0;HEADER=No'"I spent hours to solve this issue. There is no problem with xls-files, but for xlsx I get this error-message each time.Anonymous
January 27, 2017
What do you mean by SQL Proxy account in this context?Anonymous
March 23, 2017
The comment has been removedAnonymous
February 20, 2019
Great article, I think this is exactly what we need to prevent our linked server from crashing which it seems to do at least once a day. However in the very last step concerning a SQL Proxy... we currently do not use these. Our Agent isn't even started at this time. Is this something that is necessary? If not what else could we use instead? I posted a whole question concerning this here: https://serverfault.com/questions/954154/sql-server-linked-server-instabilityThanks for the article and your help!