blogs.conchango.com

welcome to the conchango blogging site
Welcome to blogs.conchango.com Sign in | Join | Help
in Search
Blogs

SSIS Junkie

SSIS: Problems executing out-of-process

Hi,

I've been suffering some infuriating teething troubles with SSIS today and thought it would make sense to write about them in case a) someone else runs into the same problems and more importantly b) I run into them again(!!!)

In short, we have a package which calls a bunch of other packages using the Execute Package Task. Up until recently we were executing everything in-process (ExecuteOutOfProcess=FALSE) but because of a bunch of other problems we've been having (more on that in a future blog post) we have had to change to execute child packages out of process. This worked fine in our dev and systest environments but failed when we pushed it to production. The error that we received was created when we tried to call the child package but the error from within SSIS was fairly useless:

Error 0x80070005 while loading package file "Package.dtsx". Access is denied.

because we knew that the required permissions were in place on the folder housing the packages. However, we did have more joy when we looked at the event log:

Source: DCOM 

Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {1838B317-D927-4ED4-8B5C-A0A52D6F6CBE} to the user CT\sysminerva-etl SID (S-1-5-21-2052111302-854245398-1177238915-963642). This security permission can be modified using the Component Services administrative tool.

Searching the registry for that CLSID came up with:

 

The class Microsoft.SqlServer.Dts.Runtime.Wrapper.PackageRemoteClass seemed synonymous with executing a package out of process so we knew we were onto something. We compared our production server to our dev and systest servers and the only difference we found was that the account that executes our packages was not in the Administrators group. Optimistically we added the account to the Administrators group and reran. The same problem ocurred however and we were back to feeling glum.

Then our server guy had a brainwave. He said that the change we'd made might not have propogated to the required permissions on the COM server application and the only way to ensure that it did was a good old reboot. After the reboot we reran and everything worked successfully! Phew!

That's all. If you experience the same problem hopefully this will help.

-Jamie

 

 

Published 04 September 2007 23:26 by jamie.thomson

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

 

James Dawson's Blog said:

This post started out as a comment on one of Jamie's recent posts , however, I realised that the

September 7, 2007 00:27
 

james.dawson said:

Hi Jamie,

I'm not familiar with the specific COM component you mention, but this type of issue can typically be resolved in a more secure manner by granting the relevant account the required rights (in this case 'Local Activation') via 'Component Services'.

I've posted a more detailed description here: http://blogs.conchango.com/jamesdawson/archive/2007/09/06/Configuring-DCOM-Security.aspx

September 7, 2007 00:29
 

P R W said:

Jamie,

By the Service account that runs the packages do you mean, the Service account that runs SQL Agent Service.

If so this should not be a member of the local Administrators group as this goes against the 2005 Security setup and principle of least privilege.

September 18, 2007 09:31
 

jamie.thomson said:

PRW,

No, we use a proxy account to run our packages. "Service account" was the wrong nomenclature - sorry about that. I have changed the post accordingly!

-Jamie

September 18, 2007 15:42
 

Ron Klimaszewski said:

Configuring the proxy account to have Administrator rights does not keep with a least-privilege security model.  You could have simply granted the proxy account Activate/Access permissions to the MsDtsServer Component as mentioned by james.dawson  Note that service packs and cumulative updates will overwrite this DCOM setting.

When executing an SSIS package from a SQL Agent job as a proxy on a cluster, and the proxy does not belong to the local administrators group, you have to do the following:

- grant Administrator rights to the cluster service (KB316881)

- subinacl /service MSDTC /grant="authenticated users"="F"

- sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;MU)(A;;CCLCRPRC;;;LU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

The section "A;;CCLCRPRC;;;AU", is the portion that changes the default DACLS on the SC Manager object.

Without doing the above, you will get access is denied or not running error messages on MSDTS.

September 19, 2007 15:40
 

Miron said:

granted to proxy account DCOM permissions for DTS Package Host component.

Out of process packages worked free of issues, ran under proxy account.

January 17, 2008 00:26
 

Beth said:

I solved this problem by using the Component Services manager to give the account running the package with the packages running out of process execute permissions for DTS Package Host  I gave that account Launch and Activate remote and local and access permissions.  Now it runs to completion.  Here's how you get there:

Start>Programs>Administrative Tools>Component Services

Open the Computers>My Computer>DCOM Config and find the DTS Package Host

Right click on the DTS Package Host, select Properties, Security

Select Customize for Launch and Activiation Permissions and for Access Permissions

Add the account you are using to run the SSIS package and give it Local and Remote Activiation and Local and Remote Access

I tried putting  the local account in the SqlServer2005DTSUsers group but that did not grant the permissions (however I did not do a reboot).

May 13, 2008 23:01

Leave a Comment

(required) 
(optional)
(required) 
Submit

This Blog

Syndication

News
© 2008 - Any comments or statements made herein do not necessarily reflect those of Conchango.
Powered by Community Server (Personal Edition), by Telligent Systems