Data Access Technologies

(Data Access, XML, SSIS, LINQ, System.Data ...)

Permissions needed to set up linked server with out-of-process provider

Permissions needed to set up linked server with out-of-process provider

  • Comments 13

When setting up linked server to third-party Databases, it is recommended to run the third-party provider in out-of-process mode, because when the provider is run in-process (within the same process as SQL Server), then any issues with the provider can affect SQL Server process which could also result in crashing SQL server.

 To how to set a provider to run out-of-process, uncheck "Allow In Process" property of the provider:

 

clip_image002

There are certain permissions that have to be set on MSDAINITIALIZE to be able to initialize the provider out-of-process and run linked server queries successfully locally and remotely.

MSDAINITIALIZE is a COM class that is provided by OLE DB. This class can parse OLE DB connection strings and load/initialize the provider based on property values in the connection string.

MSDAINITILIAZE is initiated by users connected to SQL Server. If windows authentication is used to connect to SQL Server, then the provider is initialized under the logged in user account. If the logged in user is a SQL login, then provider is initialized under SQL Server service account. Based on the type of login used, permissions on MSDAINITIALIZE have to be provided accordingly.

When these permissions are not set for the logged in users, we get Access Denied errors as below:

Msg 7399, Level 16, State 1, Line 1

The OLE DB provider "Microsoft.Jet.OLEDB.4.0" for linked server "(null)" reported

an error. Access denied.

Msg 7301, Level 16, State 2, Line 1

Cannot obtain the required interface ("IID_IDBCreateCommand") from OLE DB provider

"Microsoft.Jet.OLEDB.4.0" for linked server "(null)".

 

Failed to retrieve data for this request. (Microsoft.SqlServer.SmoEnum)

An exception has occurred while executing a Transact-SQL statement or batch.

(Microsoft.SqlServer.ConnectionInfo)

The OLEDB Provider "MSDAORA" for linked server <linked server name> reported an

error. Access denied.

Cannot obtain the required interface ("IID_IDBSchemaRowSet") from OLE DB provider

"MSDAORA" for linked server "<linked server name>". (Microsoft SQL Server, Error: 7399)

 

Msg 7399, Level 16, State 1, Line 1

The OLE DB provider "IBMDADB2.DB2COPY1" for linked server "<linked server name>" reported an error. Access denied.

Msg 7301, Level 16, State 2, Line 1

Cannot obtain the required interface ("IID_IDBCreateCommand") from OLE DB provider "IBMDADB2.DB2COPY1" for linked server "<linked server name>".

 

Server: Msg 7302, Level 16, State 1, Line 1

Could not create an instance of OLE DB provider 'MSDAORA'.

OLE DB error trace [Non-interface error: CoCreate of DSO for MSDAORA returned

0x80070005].

 

0x80070005 - Essentially implies Access denied.

To be able to execute linked server queries, also set RPC OUT to true on the linked server properties.

Permissions needed to set up linked server with out-of-process provider:

Verify below settings in DCOMCNFG:   Start --> Run –> Dcomcnfg

1.       Component services -->My Computer ---> Properties verify that below options are set:

 In the 'Default Properties' tab:

- 'Enable Distributed COM on this computer' is checked.

- Default Authentication =  Connect.

- Default Impersonation Level = Identify or Impersonate.

2.       Component services --> My computer --> DCOM Config --> MSDAINITIALIZE

-Right click on MSDAINITIALIZE --> Properties -->Security

-Add the SQL Server service account (if connected to SQL server using SQL login)  or windows user account under "Launch and Activation Permissions", "Access permissions" and "Configuration Permissions".

-Give full rights to these accounts.

-Restart the server

3) Go to dcomcnfg > My computer > Properties > COM Security > Edit Defaults for Access Permissions & Launch and Activation Permissions, and add the SQL Proxy account.

Follow these instructions to be able to edit above DCOM settings on Windows Vista/2008 machine, per

http://blogs.msdn.com/emeadaxsupport/archive/2010/01/26/unable-to-edit-the-dcom-settings-for-iis-wamreg-admin-service-on-a-windows-server-2008-r2-when-trying-to-configure-kerberos-authentication-for-role-centers.aspx

1.  Grab the APP ID from the General tab of MSDAINITIALIZE Properties.  It should be 2206CDB0-19C1-11D1-89E0-00C04FD7A829

 

clip_image004

 

Using regedit, search for the key in the registry.  You should find it at HKEY_CLASSES_ROOT\AppID\{2206CDB0-19C1-11D1-89E0-00C04FD7A829}

Next, follow these instructions to change permissions.

1. Secondary-mouse click on the {2206CDB0-19C1-11D1-89E0-00C04FD7A829} key and select Permissions menu option.

2. Click the Advanced button in the Permissions window and select the Owner tab. Under Change owner to select the local Administrators group and click on Apply/OK and then click Ok again.

3. Then under Permissions window, select the local Administrators group and under Permissions for Administrators select Full Control.

NOTE: DO NOT modify/change any permissions for the TrustedInstaller account.

4. Click on Apply or OK to make the changes effective.

5. Re-run the Computer Services management console (dcomcnfg.exe) and you should now be able to modify the settings for MSDAINITIALIZE package.

6. After making the necessary changes as mentioned above, reset the permissions for the above registry key in the registry settings back to its defaults:

 -  First make the account "NT SERVICE\TrustedInstaller" from the local computer the Owner of the key and then remove Full Control access for the Administrators group, and leave it with only Read access.

Author : Aruna(MSFT), SQL Developer Engineer, Microsoft 

Reviewed by : Azim(MSFT), SQL Developer Technical Lead , Microsoft

Leave a Comment
  • Please add 1 and 4 and type the answer here:
  • Post
  • Most valuable. This exactly what was my problem.

    Nevertheless, quite a shame on the way this needs to be fixed.

  • Hello Matt,

    Thank you for your feedback. Could you expand a little why you are not satified with the resolution?

    Thank you,

    Aruna (MSFT)

  • Thank you so much for this post. I have been struggling for days trying to fix this problem. Your solution worked perfectly :)

  • Of course you work for MS. How would one otherwise figure this out for oneself?

    Great info. Thx

  • This was very helpful.  Thanks a lot.

  • Hallo,

    den Punkt "Component services --> My computer --> DCOM Config --> MSDAINITIALIZE

    " kann ich nicht ausführen, weil in den MSDAINITIALIZE Properties - Tab Security - alles ausgegraut ist.

  • 1.Click Start, type regedit in the Search programs and files box, press Enter, and then click Yes.

    2.Locate the following subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2206CDB0-19C1-11D1-89E0-00C04FD7A829}

    3.Right-click {2206CDB0-19C1-11D1-89E0-00C04FD7A829}, click Permissions, and then click Advanced.

    4.On the Owner tab, under Change owner to, click Administrators, or click the user account that you want, and then click Apply.

    5.On the Permissions tab, grant the Administrators group or the user account Full Control permissions, and then click OK two times.

    6.Exit Registry Editor.

    You should be able to edit MSDAINITIALIZE properties now..

  • Ralf Wastl,Entnehmen Sie bitte den Anweisungen unter Schritt 3 in dem Artikel oben.

  • Thanks, It works.

  • Our nightly refresh would intermittently fail causing the server to hang. This fixed the issue, thank you!!

    Config: SQL2008,Linked Server to AS400

  • This was my Error   How to solve it

    OLE DB provider "Microsoft.Jet.OLEDB.4.0" for linked server "(null)" returned message "Unspecified error".

    Msg 7303, Level 16, State 1, Line 2

    Cannot initialize the data source object of OLE DB provider "Microsoft.Jet.OLEDB.4.0" for linked server "(null)".

  • In may case it didn't work, I'm using Windows 8 and SQL Server 2012.

    Can you help me please?

  • In the property of MSDAINITIALIZE. Only the General Tab has an entry. All other tabs (rather fields in them) are disabled.

    The work around suggested needs so many tweaks one wondera whether it is worth. By the way the first screen you show is default and so are the dconfig's defaults.

Page 1 of 1 (13 items)