Permissions needed to set up linked server with out-of-process provider

When setting up a linked server to a third-party database, it is recommended to run the third-party provider in out-of-process mode. When the provider runs in-process (inside the SQL Server process), any fault in the provider affects the SQL Server process and can crash SQL Server itself.

To set a provider to run out-of-process, uncheck the "Allow In Process" property of the provider in SQL Server Management Studio (Server Objects > Linked Servers > Providers).

There are certain permissions that have to be set on MSDAINITIALIZE to be able to initialize the provider out-of-process and run linked server queries successfully locally and remotely.

MSDAINITIALIZE is a COM class that is provided by OLE DB. This class can parse OLE DB connection strings and load/initialize the provider based on property values in the connection string.

MSDAINITIALIZE is instantiated on behalf of the users connected to SQL Server. If Windows authentication is used to connect to SQL Server, the provider is initialized under the logged-in user's account. If the login is a SQL login, the provider is initialized under the SQL Server service account. Permissions on MSDAINITIALIZE therefore have to be granted to whichever of these accounts applies.

When these permissions are not set for the account in question, Access Denied errors such as the following are returned:

Msg 7399, Level 16, State 1, Line 1
The OLE DB provider "Microsoft.Jet.OLEDB.4.0" for linked server "(null)" reported an error. Access denied.
Msg 7301, Level 16, State 2, Line 1
Cannot obtain the required interface ("IID_IDBCreateCommand") from OLE DB provider "Microsoft.Jet.OLEDB.4.0" for linked server "(null)".

Failed to retrieve data for this request. (Microsoft.SqlServer.SmoEnum)
An exception has occurred while executing a Transact-SQL statement or batch. (Microsoft.SqlServer.ConnectionInfo)
The OLEDB Provider "MSDAORA" for linked server <linked server name> reported an error. Access denied.
Cannot obtain the required interface ("IID_IDBSchemaRowSet") from OLE DB provider "MSDAORA" for linked server "<linked server name>". (Microsoft SQL Server, Error: 7399)

Msg 7399, Level 16, State 1, Line 1
The OLE DB provider "IBMDADB2.DB2COPY1" for linked server "<linked server name>" reported an error. Access denied.
Msg 7301, Level 16, State 2, Line 1
Cannot obtain the required interface ("IID_IDBCreateCommand") from OLE DB provider "IBMDADB2.DB2COPY1" for linked server "<linked server name>".

Server: Msg 7302, Level 16, State 1, Line 1
Could not create an instance of OLE DB provider 'MSDAORA'.
OLE DB error trace [Non-interface error: CoCreate of DSO for MSDAORA returned 0x80070005].

0x80070005 is the HRESULT for Access denied (E_ACCESSDENIED).

To be able to execute stored procedures through the linked server, also set the RPC OUT option to True in the linked server properties.

Permissions needed to set up linked server with out-of-process provider:

Verify the settings below in DCOMCNFG (Start --> Run --> dcomcnfg):

1. Component Services --> My Computer --> Properties. Verify that the following options are set in the 'Default Properties' tab:

- 'Enable Distributed COM on this computer' is checked.

- Default Authentication Level = Connect.

- Default Impersonation Level = Identify or Impersonate.

2. Component Services --> My Computer --> DCOM Config --> MSDAINITIALIZE

- Right-click MSDAINITIALIZE --> Properties --> Security.

- Add the SQL Server service account (if connecting to SQL Server with a SQL login) or the Windows user account under "Launch and Activation Permissions", "Access Permissions" and "Configuration Permissions".

- Give full rights to these accounts.

- Restart the server.

3. Component Services --> My Computer --> Properties --> COM Security --> Edit Defaults for both Access Permissions and Launch and Activation Permissions, and add the SQL Server proxy account.

On a Windows Vista/2008 machine the DCOM settings for MSDAINITIALIZE cannot be edited directly because the AppID registry key is owned by TrustedInstaller. Follow these instructions to be able to edit the DCOM settings above, per
https://blogs.msdn.com/emeadaxsupport/archive/2010/01/26/unable-to-edit-the-dcom-settings-for-iis-wamreg-admin-service-on-a-windows-server-2008-r2-when-trying-to-configure-kerberos-authentication-for-role-centers.aspx

1. Grab the AppID from the General tab of MSDAINITIALIZE Properties. It should be 2206CDB0-19C1-11D1-89E0-00C04FD7A829.

2. Using regedit, search for the key in the registry. You should find it at HKEY_CLASSES_ROOT\AppID\{2206CDB0-19C1-11D1-89E0-00C04FD7A829}

Next, follow these instructions to change the permissions on that key.

1. Right-click the {2206CDB0-19C1-11D1-89E0-00C04FD7A829} key and select the Permissions menu option.

2. Click the Advanced button in the Permissions window and select the Owner tab. Under 'Change owner to', select the local Administrators group, click Apply/OK, and then click OK again.

3. Back in the Permissions window, select the local Administrators group and, under Permissions for Administrators, select Full Control.

NOTE: DO NOT modify or remove any permissions for the TrustedInstaller account.

4. Click Apply or OK to make the changes effective.

5. Re-run the Component Services management console (dcomcnfg.exe); you should now be able to modify the settings for the MSDAINITIALIZE package.

6. After making the changes described above, reset the permissions on this registry key back to their defaults:

- First make the account "NT SERVICE\TrustedInstaller" from the local computer the owner of the key, then remove Full Control for the Administrators group and leave it with Read access only.
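As an added verification script (not from the post and not Microsoft's code), the PowerShell below reads the registry values that dcomcnfg writes and reports whether the DCOM defaults from step 1, the MSDAINITIALIZE launch/access/configuration grants from step 2, and the AppID key owner from the Vista/2008 workaround look as expected. It assumes the documented DCOM registry layout (EnableDCOM, LegacyAuthenticationLevel and LegacyImpersonationLevel under HKLM\SOFTWARE\Microsoft\Ole; LaunchPermission and AccessPermission binary descriptors under the AppID key); the account CONTOSO\sqlsvc is a placeholder.

```powershell
# Added verification script (not from the post). Reads the registry values that dcomcnfg
# writes so the settings described above can be checked without clicking through the UI.
# Assumed layout: HKLM\SOFTWARE\Microsoft\Ole holds the "Default Properties" values and the
# AppID key holds LaunchPermission/AccessPermission as self-relative security descriptors.
function Test-MsdainitializeDcom {
    param([string]$Account)   # SQL Server service account (SQL login) or the Windows user account

    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
    # Absent values mean the machine default: authentication Connect (2), impersonation Identify (2)
    $auth = if ($null -ne $ole.LegacyAuthenticationLevel) { [int]$ole.LegacyAuthenticationLevel } else { 2 }
    $imp  = if ($null -ne $ole.LegacyImpersonationLevel)  { [int]$ole.LegacyImpersonationLevel }  else { 2 }

    # AppID of MSDAINITIALIZE as quoted in the post
    $appKey = 'Registry::HKEY_CLASSES_ROOT\AppID\{2206CDB0-19C1-11D1-89E0-00C04FD7A829}'
    $app    = Get-ItemProperty -Path $appKey -ErrorAction SilentlyContinue
    $acl    = Get-Acl -Path $appKey

    # Decode a binary security descriptor into (account, ACE type, access mask) rows.
    # A missing value means dcomcnfg's "Use Default" is in effect, so nothing is listed.
    function Get-Grantees([byte[]]$sdBytes) {
        if (-not $sdBytes) { return @() }
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sdBytes, 0)
        foreach ($ace in $sd.DiscretionaryAcl) {
            $name = $ace.SecurityIdentifier.Value
            try { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
            [pscustomobject]@{ Account = $name; Type = $ace.AceType; Mask = $ace.AccessMask }
        }
    }
    $launch  = @(Get-Grantees $app.LaunchPermission)
    $access  = @(Get-Grantees $app.AccessPermission)
    $allowed = { param($rows) [bool]($rows | Where-Object { $_.Account -eq $Account -and $_.Type -eq 'AccessAllowed' }) }

    [pscustomobject]@{
        DcomEnabled        = ($ole.EnableDCOM -eq 'Y')
        AuthLevelIsConnect = ($auth -eq 2)
        ImpersonationOK    = ($imp -in 2, 3)           # Identify or Impersonate
        LaunchGrantees     = $launch
        AccessGrantees     = $access
        AccountHasLaunch   = & $allowed $launch
        AccountHasAccess   = & $allowed $access
        # "Configuration Permissions" in dcomcnfg are the ACL on the AppID registry key itself
        AccountHasConfig   = [bool]($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Account })
        # Should read NT SERVICE\TrustedInstaller again once the Vista/2008 workaround is reverted
        AppIdKeyOwner      = $acl.Owner
    }
}

Test-MsdainitializeDcom -Account 'CONTOSO\sqlsvc' | Format-List   # placeholder account name
```

Run it in an elevated PowerShell session on the SQL Server host; a False in AccountHasLaunch or AccountHasAccess with empty grantee lists means the AppID is still using the machine-wide defaults from step 3.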

Author: Aruna (MSFT), SQL Developer Engineer, Microsoft

Reviewed by: Azim (MSFT), SQL Developer Technical Lead, Microsoft