Error While Deploying SSIS 2012 project from SSDT to SSIS Catalog : System.ComponentModel.Win32Exception: A required privilege is not held by the client

A .NET Framework error occurred during execution of user-defined routine or aggregate "deploy_project_internal": System.ComponentModel.Win32Exception: A required privilege is not held by the client.

I ran across this issue in one of my newly set up Sql 2012 Servers when I tried to deploy a project to the SSIS Catalog using the Project Deployment Model. I set Sql 2012 up in 3-4 of my servers and never encountered this before. I was using my same domain account across all the Servers. I tried to grab a profiler but could not find any calls to the system stored procedures used for deployment, so my guess was the call is not even reaching to Sql.

After spending a few hours, I was actually able to get past the problem even though I’m not sure if I found out the exact cause! In this case, I’m pretty sure that SSIS is doing a CreateProcessAsUser() using my account credentials, and the SQL/Agent service account is not involved. The SSIS Catalog only accepts Windows Auth (because it does account impersonation during deployment, validation and execution).

Since the deployment process is making call to an executable residing in the file system (outside of Sql), I suspected that the Sql Server Service Account would come into question. I changed the Sql Server Service Account from built in default “Nt Service\MSSQLSERVER” (New account introduced in Denali) to another account with admin rights on the system and VOILA!! it started working.

This seems to be an issue specific to the Sql Service account permissions; however I could not reproduce the problem in my other machines though my service runs as “Nt Service\MSSQLSERVER”. I believe it has something to do with the group policy. SSIS is launching the external process to do the deployment (ISServerExec) in much the same way that SQL Agent runs its jobs. In similar SQL Agent cases, it looked like service account requires the “Act as part of the operating system” account policy.


Author : Debarchan(MSFT) SQL Developer Engineer, Microsoft

Reviewed by : Snehadeep(MSFT), SQL Developer Technical Lead , Microsoft

Comments (18)

  1. Max says:

    I havent restarted the SQL service after changing the settings and this didnt resolve my issue… Do I need to restart the service too ? Please be clear. Thanks !

  2. Krishnakumar Rukmangathan [Microsoft] says:

    Please specify the changes performed by you.

    Did you try changing the SQL Server service account to run under any local admin account. Any changes to the service account will automatically request for the service restart.

    or if you talking about “Act as part of the operating system” account policy, then this change wouldn't require any restart of the service.

    Please let us know about the changes performed by you.

  3. Max says:

    About this change :

    — talking about “Act as part of the operating system” account policy, then this change wouldn't require any restart of the service.

    It definitely needed a machine reboot ! and it fixed my issue.

    I went back and did my own research work and learnt that Act as a part of the operating system doesn't get initialized unless the OS is rebooted [as per Mark Russ ( Windows Guru )].

    Please make the necessary change to your article , so that it will help others like me ( and they don't end up wasting their time ).

  4. Max,

    Thanks, will update the article accordingly.

  5. says:

    Any updates on what causes this? And if there is a hotifx available? I might be able to fix the problem, but it might return at any moment as well…  Thanks in advance!

  6. says:

    Also, these rights/policy changes didn't work for me. I had to repair my SQL Server install and then it worked again.

  7. says:

    …and then it stopped working again. Have done the repair again and that fixed it, but I'm afraid the problem will re-appear after the next reboot :-/

  8. Jorg,

    This seems to be lingering. Is there a way you could open a support request with Microsoft PSS to investigate this further?

  9. jhowe says:

    i'm also having this problem.  I cannot deploy to a SSDT 2012 project to my dev server, i can confirm ports are open and i can connect to ssis through ssms.  This is a pretty major issue and could be affecting a lot of people.  Can it please be raised as a high priority…

  10. jhowe says:

    TITLE: SQL Server Integration Services


    A .NET Framework error occurred during execution of user-defined routine or aggregate "deploy_project_internal":

    System.ComponentModel.Win32Exception: A required privilege is not held by the client


      at Microsoft.SqlServer.IntegrationServices.Server.ISServerProcess.StartProcess(Boolean bSuspendThread)

      at Microsoft.SqlServer.IntegrationServices.Server.ServerApi.DeployProjectInternal(SqlInt64 deployId, SqlInt64 versionId, SqlInt64 projectId, SqlString projectName)

    . (Microsoft SQL Server, Error: 6522)

    For help, click:





  11. Krishnakumar Rukmangathan [Microsoft] says:

    Happen to resolve this issue with one of my customers after following the below steps.

    -> Note down your SQL Server Service account & SQL Agent Service account.

    -> Go to Start-> Run-> secpol.msc-> Local Policies->User Rights Assignment

      check if these 2 accounts are a part of the following policies.

          -> Log on as a service

          -> Act as part of OS

          -> Adjust memory quotas

          -> Logon as batch job

          -> Replace a process level token

    -> If not, add them explicitly.

    -> Reboot the machine.

    Be sure that the domain level group policy settings aren't overriding these settings. [Note: Any deny permissions will have precedence over grant permissions]

  12. Derek says:

    Realy suffered by this issue. What is solution to fix this one?

  13. Stefan says:

    Hi, the missing permission is the following: Replace a process-level token (SeAssignPrimaryTokenPrivilege).

    Apply this right to the SQL-Engine-Account and restart the Engine. Then the deployment should work again. See:…/fixing-sql-2012-ssis-deployment-error-6522-a-required-privilege-is-not-held-by-the-client

  14. ArthurZ says:

    Based on my observation, this happens when the SQL Server is set to run under the built in network account, but the Agent under a Windows account. So the security handshake does not occur (no delegation). Thus the remedy is in having the both services run under the same account.

    1. GF the DBA says:

      Guys, I was having the same issue whereas I could not deploy to my new setup Sql Server 2012 servers. Attempting to deploy to the SSIS catalog it would fail with A .net framework error occurred during execution of user-defined routine or aggregate “deploy_project_internal”. I read all the articles that pertained to the error and nothing worked. I ran a Sql repair, I had the GPO updated and neither worked. I noticed the server had .net 4.0 installed. I had that version upgraded to .net 4.5.2 with a server reboot and it worked immediately. Hope this helps.

  15. Joe says:

    This wouldn’t happen to have anything to do with the ‘Allow logon locally’ user rights in Group policy? Like SSRS, SSRS not able to use a runas account unless it has the allow logon locally rights.

Skip to main content