Permissions needed to set up linked server with out-of-process provider


When setting up linked server to third-party Databases, it is recommended to run the third-party provider in out-of-process mode, because when the provider is run in-process (within the same process as SQL Server), then any issues with the provider can affect SQL Server process which could also result in crashing SQL server.

 To how to set a provider to run out-of-process, uncheck “Allow In Process” property of the provider:

 

clip_image002

There are certain permissions that have to be set on MSDAINITIALIZE to be able to initialize the provider out-of-process and run linked server queries successfully locally and remotely.

MSDAINITIALIZE is a COM class that is provided by OLE DB. This class can parse OLE DB connection strings and load/initialize the provider based on property values in the connection string.

MSDAINITILIAZE is initiated by users connected to SQL Server. If windows authentication is used to connect to SQL Server, then the provider is initialized under the logged in user account. If the logged in user is a SQL login, then provider is initialized under SQL Server service account. Based on the type of login used, permissions on MSDAINITIALIZE have to be provided accordingly.

When these permissions are not set for the logged in users, we get Access Denied errors as below:

Msg 7399, Level 16, State 1, Line 1

The OLE DB provider “Microsoft.Jet.OLEDB.4.0” for linked server “(null)” reported

an error. Access denied.

Msg 7301, Level 16, State 2, Line 1

Cannot obtain the required interface (“IID_IDBCreateCommand”) from OLE DB provider

“Microsoft.Jet.OLEDB.4.0” for linked server “(null)”.

 

Failed to retrieve data for this request. (Microsoft.SqlServer.SmoEnum)

An exception has occurred while executing a Transact-SQL statement or batch.

(Microsoft.SqlServer.ConnectionInfo)

The OLEDB Provider “MSDAORA” for linked server <linked server name> reported an

error. Access denied.

Cannot obtain the required interface (“IID_IDBSchemaRowSet”) from OLE DB provider

“MSDAORA” for linked server “<linked server name>”. (Microsoft SQL Server, Error: 7399)

 

Msg 7399, Level 16, State 1, Line 1

The OLE DB provider “IBMDADB2.DB2COPY1” for linked server “<linked server name>” reported an error. Access denied.

Msg 7301, Level 16, State 2, Line 1

Cannot obtain the required interface (“IID_IDBCreateCommand”) from OLE DB provider “IBMDADB2.DB2COPY1” for linked server “<linked server name>”.

 

Server: Msg 7302, Level 16, State 1, Line 1

Could not create an instance of OLE DB provider ‘MSDAORA’.

OLE DB error trace [Non-interface error: CoCreate of DSO for MSDAORA returned

0x80070005].

 

0x80070005 – Essentially implies Access denied.

To be able to execute linked server queries, also set RPC OUT to true on the linked server properties.

Permissions needed to set up linked server with out-of-process provider:

Verify below settings in DCOMCNFG:   Start –> Run –> Dcomcnfg

1.       Component services –>My Computer —> Properties verify that below options are set:

 In the ‘Default Properties’ tab:

– ‘Enable Distributed COM on this computer’ is checked.

– Default Authentication =  Connect.

– Default Impersonation Level = Identify or Impersonate.

2.       Component services –> My computer –> DCOM Config –> MSDAINITIALIZE

-Right click on MSDAINITIALIZE –> Properties –>Security

-Add the SQL Server service account (if connected to SQL server using SQL login)  or windows user account under “Launch and Activation Permissions”, “Access permissions” and “Configuration Permissions”.

-Give full rights to these accounts.

-Restart the server

3) Go to dcomcnfg > My computer > Properties > COM Security > Edit Defaults for Access Permissions & Launch and Activation Permissions, and add the SQL Proxy account.

Follow these instructions to be able to edit above DCOM settings on Windows Vista/2008 machine, per

http://blogs.msdn.com/emeadaxsupport/archive/2010/01/26/unable-to-edit-the-dcom-settings-for-iis-wamreg-admin-service-on-a-windows-server-2008-r2-when-trying-to-configure-kerberos-authentication-for-role-centers.aspx

1.  Grab the APP ID from the General tab of MSDAINITIALIZE Properties.  It should be 2206CDB0-19C1-11D1-89E0-00C04FD7A829

 

clip_image004

 

Using regedit, search for the key in the registry.  You should find it at HKEY_CLASSES_ROOT\AppID\{2206CDB0-19C1-11D1-89E0-00C04FD7A829}

Next, follow these instructions to change permissions.

1. Secondary-mouse click on the {2206CDB0-19C1-11D1-89E0-00C04FD7A829} key and select Permissions menu option.

2. Click the Advanced button in the Permissions window and select the Owner tab. Under Change owner to select the local Administrators group and click on Apply/OK and then click Ok again.

3. Then under Permissions window, select the local Administrators group and under Permissions for Administrators select Full Control.

NOTE: DO NOT modify/change any permissions for the TrustedInstaller account.

4. Click on Apply or OK to make the changes effective.

5. Re-run the Computer Services management console (dcomcnfg.exe) and you should now be able to modify the settings for MSDAINITIALIZE package.

6. After making the necessary changes as mentioned above, reset the permissions for the above registry key in the registry settings back to its defaults:

  First make the account “NT SERVICE\TrustedInstaller” from the local computer the Owner of the key and then remove Full Control access for the Administrators group, and leave it with only Read access.

Author : Aruna(MSFT), SQL Developer Engineer, Microsoft 

Reviewed by : Azim(MSFT), SQL Developer Technical Lead , Microsoft

Comments (21)

  1. matt P. says:

    Most valuable. This exactly what was my problem.

    Nevertheless, quite a shame on the way this needs to be fixed.

  2. Aruna- MSFT says:

    Hello Matt,

    Thank you for your feedback. Could you expand a little why you are not satified with the resolution?

    Thank you,

    Aruna (MSFT)

  3. Dave K says:

    Thank you so much for this post. I have been struggling for days trying to fix this problem. Your solution worked perfectly 🙂

  4. thierry vd says:

    Of course you work for MS. How would one otherwise figure this out for oneself?

    Great info. Thx

  5. Amon says:

    This was very helpful.  Thanks a lot.

  6. Ralf Wastl says:

    Hallo,

    den Punkt "Component services –> My computer –> DCOM Config –> MSDAINITIALIZE

    " kann ich nicht ausführen, weil in den MSDAINITIALIZE Properties – Tab Security – alles ausgegraut ist.

  7. Debarchan says:

    1.Click Start, type regedit in the Search programs and files box, press Enter, and then click Yes.

    2.Locate the following subkey:

    HKEY_LOCAL_MACHINESOFTWAREClassesAppID{2206CDB0-19C1-11D1-89E0-00C04FD7A829}

    3.Right-click {2206CDB0-19C1-11D1-89E0-00C04FD7A829}, click Permissions, and then click Advanced.

    4.On the Owner tab, under Change owner to, click Administrators, or click the user account that you want, and then click Apply.

    5.On the Permissions tab, grant the Administrators group or the user account Full Control permissions, and then click OK two times.

    6.Exit Registry Editor.

    You should be able to edit MSDAINITIALIZE properties now..

  8. arunako says:

    Ralf Wastl,Entnehmen Sie bitte den Anweisungen unter Schritt 3 in dem Artikel oben.

  9. drc2100@hotmail.com says:

    Thanks, It works.

  10. Greg Wlodarczyk says:

    Our nightly refresh would intermittently fail causing the server to hang. This fixed the issue, thank you!!

    Config: SQL2008,Linked Server to AS400

  11. Boothalingam JS says:

    This was my Error   How to solve it

    OLE DB provider "Microsoft.Jet.OLEDB.4.0" for linked server "(null)" returned message "Unspecified error".

    Msg 7303, Level 16, State 1, Line 2

    Cannot initialize the data source object of OLE DB provider "Microsoft.Jet.OLEDB.4.0" for linked server "(null)".

  12. Korni says:

    In may case it didn't work, I'm using Windows 8 and SQL Server 2012.

    Can you help me please?

  13. Jayaram Krishnaswamy says:

    In the property of MSDAINITIALIZE. Only the General Tab has an entry. All other tabs (rather fields in them) are disabled.

    The work around suggested needs so many tweaks one wondera whether it is worth. By the way the first screen you show is default and so are the dconfig's defaults.

  14. John T says:

    This is truly a great write-up – never once in my experience with data connections have I had to mess with MSDAINITIALIZE, so it's great to find a clear online resource which solves the issue.

    I should note that Step 2 was unnecessary (as I discovered when the options were completely disabled).  Skipping that and proceeding to implement Step 3 was sufficient to enable remote OLE DB connectivity.

  15. fregatepallada says:

    Unfortunately it did not work for me – 32-bit version of SQL Server 2014. It is amazing that vendor managed to break a standard functionality that worked for ages out of the box! I forced to abandon reading Excel files and read CSV one!

  16. Christian Schlegel says:

    Thank you very much! Solved my problem with accessing a linked oracle db.

  17. AWEInCA says:

    Regarding this paragraph:

    "MSDAINITILIAZE is initiated by users connected to SQL Server. If windows authentication is used to connect to SQL Server, then the provider is initialized under the logged in user account. If the logged in user is a SQL login, then provider is initialized under SQL Server service account. Based on the type of login used, permissions on MSDAINITIALIZE have to be provided accordingly."

    I'm logged in to SSMS as myself (local administrator on the machine)

    I right click my linked server to test and the test connection is successful.

    This is as expected from the paragraph above.

    However

    When I run a job that uses the linked server in a stored procedure, I get the error as described in this article.

    The SQL Agent Service account is not a local admin.

    It would seem even though I started the job, the COM component is being initialized using the SQL Agent account? Does this seem correct even though I started the job?

    Thanks in advance

  18. Ahmad says:

    Thank you man. You saved my life 😀

  19. Daniel Aya says:

    run sql sserver managment studio as administrator worked for me

  20. Call says:

    Hi,
    I am having the same issue and i am currently running SSM 2014 on a window 8.1 with 32 bit odbc. I tried to use those steps but querying data from ServiceNow is not working. All test connection works successfully but upon trying to query i get the following error.

    Msg 7399, Level 16, State 1, Line 1
    The OLE DB provider “MSDASQL” for linked server “SERVICENOW” reported an error. Access denied.
    Msg 7350, Level 16, State 2, Line 1
    Cannot get the column information from OLE DB provider “MSDASQL” for linked server “SERVICENOW”.

    Any help please!

    1. Mihir Patel says:

      I get the same error even after applying all changes as indicated.
      Msg 7399, Level 16, State 1, Line 2
      The OLE DB provider “mrOleDB.Provider.2” for linked server “(null)” reported an error. Access denied.
      Msg 7301, Level 16, State 2, Line 2
      Cannot obtain the required interface (“IID_IDBCreateCommand”) from OLE DB provider “mrOleDB.Provider.2” for linked server “(null)”.