Setting up a Proxy Account to run SQL Server Integration Services (SSIS) 2012 packages
Below are the steps that we had to do in order for us to create and setup a Proxy Account to run our SSIS Project. As well as allowing the domain user to have access to the job so that they could create and edit the job which ran the SSIS Project.
NOTE: When setting up all the SQL Settings below you need to have DBA Access
NOTE: This is all completed on SQL Server 2012
Creating a Login for the user that is going to be used as the Credential and Proxy Account
The first thing that you need to do is to put the Domain account you are going to use, as a login on your SQL Server system.
This is so that they will be able to log into the SQL Server System.
1. In SQL Server Management Studio (SSMS), click on Security, then Logins.
2. Right click and select New Login
a. 
3. Then in your Login – new Window where it says Login name put in your Domain Account you are going to use
a. As with our example our Domain Account is the following
i. DOMAIN\UserName
4. 
5. Next click on the User Mapping and allow this user to have the permissions required when it runs the SSIS Package.
a. NOTE: If you are using the dbo schema, you would give the user db_owner role for your database.
b. Otherwise when your SSIS Project runs it could potentially fail when trying to read a stored procedure or insert data into a table.
c. 
d. Then click on MSDB because your user will also require access to be able to see, create and start and stop SQL Server Agent Jobs.
i. Under the Roles for our example we selected the following:
1. 
ii. NOTE: I am not a SQL Server security expert so there might be another way to allow a user access to the SQL Server Agent.
e. Then click Ok
6. If required you can now try and log into the SQL Server with your domain account.
a. And then also see if you can access the database you granted access to.
b. As with our example it was the AdventureWorks2012 database
c. You should also be able to see the SQL Server Agent.
Creating the Credentials
The next step is to create the credentials which will be then used in the Proxy Account
1. In SSMS, click on Security and then right click on Credentials, click on New Credential
a. 
2. For the Credential name put in a name for your credential, I suggest using the same name as the domain name.
3. Click on Identity, which will open the Select User or Group
a. NOTE: The reason for this is so that you can ensure you select the correct user or Group
b. NOTE 2: Ideally you are going to have a domain account, where the password does not change.
4. Then you will need to put in the password for your Domain account you selected.
a. 
b. Then click Ok to create your new Credential
Creating the Proxy Account
Now the next step is where you create a proxy to be used within SQL Server Agent.
1. In SSMS, click on SQL Server Agent, and then Proxies.
2. Right click and select new Proxy
a. 
3. Now give your Proxy a meaningful name.
a. In our example I will give it the name of Proxy_Domain_UserName
4. Then under Credential Name select the credential you created in the steps above.
a. As per our Example it was the following:
b. DOMAIN\UserName
5. Then finally it must be active on the following subsystems.
a. From the list below select SQL Server Integration Services Package
b. NOTE: We select this because we want it to run our SSIS Packages.
6. 
7. Now click on Principals and add your SQL Login to the Principals
a. As with our Example you can select it from the Add Principal Window.
8. Then click Ok.
9. You will now see your Proxy under the SSIS Package Execution
a. 
Giving the domain account SSIS access in order to run
The next step is that your domain user needs to be able to read and write data into the SSISDB when running the job. If this is not enabled then when the job runs it will fail.
1. In SSMS go to your SSISDB, then click on Security, Roles, Database Roles and then double click on ssis_admin role.
a. 
b. NOTE: You will only see this role under the SSISDB
2. Now when this opens the Database Role Properties – ssis_admin, where it says Members of this role, below this click on Add…
a. Now select your domain account you created above.
b. As per our example it would be:
i. DOMAIN\UserName
c. Then click Ok.
d. You should now see Member under the Members of this Role
3. Then click Ok.
Creating the Job with your Proxy Account
Now the final step is to create your new job, where you use your SSIS Package and then use the Proxy Account to run the job.
NOTE: Create this job using your domain account (DOMAIN\UserName).
· This is to ensure that you have all the correct permissions in place.
1. In SSMS go to your SQL Server Agent, right click on Jobs and select New Job
a. 
2. Now under the New Job window give your Job a name.
a. As with our Example we gave it the name of SSIS Proxy Data Load
b. 
c. You will see under Owner it will be greyed out and have your logged in domain account details (DOMAIN\Username)
3. Click on Steps in the left hand side.
a. Then click on New at the bottom to create a new step.
b. This will open the New Job Step Window
c. In here put in your Step name.
i. With our example we put in the following:
1. Load SSIS Parent – Data Load
ii. Click on type and from the drop down select SQL Server Integration Services Package.
iii. NOTE: If you do not select SQL Server Integration Services Package, in the next box below you will not have any options.
1. This is because we created or Proxy earlier that ONLY has access to SSIS
iv. Then click on the drop down for Run as:
1. Now here you will be able to select your Proxy Account you created earlier.
2. As with our example we selected Proxy_Domain_UserName
v. Now under Package ensure that you have your SSIS Catalog selected.
1. Then put in your SSIS SQL Server Name and if required Instance Name
2. Then click on the ellipses under Package and select your SSIS Package that you want to run.
d. Then click Ok
e. 
4. Now click on Schedules and create your required schedule for your job.
5. Once it is complete you should now see your job under the Jobs on SQL Server Agent
a. 
The final step now is to run your job as per the schedule or manually and see if it succeeds.
NOTE: It should work correctly, but if it does not then please let me know, so that I can check if I have missed any steps.
Thanks G, this helped a lot, never too old to learn
Wanted to say, your documentation is as sharp as ever, don’t think I have ever met a guy with better documentation
Thanks i always try to ensure that anyone can follow the steps.
Hello Gilbert I want to setup ssisdb in sql server 2008 r2 server can you help me in that as I am unable to find the Integration services catalog in 2008 r2 server
Hi there
The structure changed quite a lot from SQL Server 2008R2 to SQL Server 2012. In SQL Server 2008 there was no Integration Services Catalog that stored the details.
So you can follow all the steps until you get to the section where you have to give the domain account access to the SSISDB. For SQL Server 2008, you will then go into the MSDB database and then click under Security, then Roles and under Roles you will see db_ssisadmin, db_ssisltduser, db_ssisoperator. You can then add your domain account to db_ssisoperator.
You can view this link to view the different operators:
I hope that this helps.
Thanks
Gilbert
I’m glad to see a writer cover this topic as carefully and expertly as you have.
Hi there, many thanks for the great feedback. I do hope that this to help resolve your issue.
This is very sharp, helped me a lot with copying databases as SSIS package must be used. Thanx!
Hi there
Thanks a lot I am glad that it helped out and got you working.
Regards
Gilbert
This is great presentation..Anyone can easily succeed this task if they follow this step by step procedure..Especially newbies will get good picture on this topic..Well Done, Keep Going Gilbert
Hi there
Thanks a lot for that, glad it helped out.
These were great instructions! I do think a step was missed, though. You cannot add the domain account the the ssis_admin role in SSISDB (in “Giving the domain account SSIS access in order to run”) unless the account is a user of the SSISDB. That step was missed,if i am not mistaken
Hi there
Great thanks for the possible step that I have left out. I will have a look when I get some extra time to see if that is indeed the case.
Hi Gilbert,
I had followed all ur steps till Creating the Proxy Account.
Then after that while Giving the domain account SSIS access in order to run
My UserName is not showing in the List of SSIS_admin.
Pease help me on this..
Hi there
I would suggest if you go into the SSIS_DB Database, then click on Security, then expand Roles.
Under Roles you should see SSIS_Admin.
Right click under SSIS_Admin and then select your domain User and add them there.
Hopefully that will resolve your issue?
Thanks
Gilbert
Yeah. kick ass
[…] JANUARY 30, 2014 GILBERT QUEVAUVILLIERS16 COMMENTS […]
Hi Gilbert, great article, thank you!
I’m the developer of a Package, so the Login and Proxy were created by our IT people, I do not have rights for that, but I suppose they are correctly set.
My problem: after I deploy my package and execute it through an Agent, like you do in this article, it says ‘execution succesful’, but I do not see any entry in catalog.executions for it. Is this normal? It also does not log anything.
Thanks for your help,
Anca
Hi there Anca,
When you or the people are creating the SQL Job, check to see what type of logging they have enabled for the SSIS Package. By default it is set to Basic, but it can also be set to None. If it is set to None then it will not log anything.
Here is some more information Enable Logging for Package Execution on the SSIS Server
Thanks Gilbert
Thank you, actually it was on Verbose. The problem was a connection string to the database where I was logging. Windows Authentication didn’t work for the proxy user. I find it strange though that there was no error message anywhere and that running packages through the agent is not logged into catalog.executions.
Hi there, glad that you figured out the issue and got it all working.
I’ll bookmark your blog and take a look at once more right here regularly. I’m quite certain I will be told a lot of new stuff proper here!
Many thanks and there will be more interesting details going forward. Thanks
I never would have guessed how to setup a Integration Services Proxy account on my own. You ‘da man!
Glad it helped you out!
Hi, I have used this method successfully, however in a current project it isn’t working. The database I am accessing restricts visibility at the view level based on the value in “system_user”. When I use a proxy this way, the value for system_user in the executed SSIS package (via a job) is always “sa”. Is there a way to work around this?
Hi, the only way I would think if that user was part of the SysAdmin group or SSIS_admin Role. As this is a requirement to access the data in the SSIS DB.
Hi, The approach worked well for me, until the user changed their windows password. That’s when I came across your note in Credentials section. “NOTE 2: Ideally you are going to have a domain account, where the password does not change.” If it is not a domain account and the password might change regularly, is there an alternate way to make this work?
Hi there
Unfortunately not that I am aware of. I would suggest chatting to the system administrator as asking them to set one up for you.
Great article. I thought I’d found the solution to a problem that’s plagued me for days now, but alas the problem remains. Every time I run the step an error occurs: “Error authenticating proxy MYDOMAINMYUSER, system error: The user name or password is incorrect.” When in fact, I am absolutely positive the password is correct in the Credential. I thought your piece about adding the user to the SSISDB ssis_admin Database Role would be the answer but no luck. Any thoughts?
What I would do, if possible is to actually log into a Windows Server or PC with the username and password, just to make sure that you can actually log in.
I hope that will lead to finding out the issue, as I suspect it would be with the account and some required settings.
Hi Gilbert,
It’s great article.
I have configured my packages as your approach, but I have an issue:
“Date 6/9/2017 10:55:12 AM
Log Job History (ETL_Test)
Step ID 1
Server [server name]
Job Name ETL_Test
Step Name Step Test
Duration 00:00:19
Sql Severity 0
Sql Message ID 0
Operator Emailed
Operator Net sent
Operator Paged
Retries Attempted 0
Message
Executed as user: [DOMAINUsername]. Microsoft (R) SQL Server Execute Package Utility Version 12.0.5000.0 for 64-bit Copyright (C) Microsoft Corporation. All rights reserved.
Started: 10:55:12 AM Failed to execute IS server package because of error 0x80131904. Server: [server name], Package path: SSISDBETL_TestETL_TestETL_Test.dtsx, Environment reference Id: NULL.
Description: Connection Timeout Expired. The timeout period elapsed while attempting to consume the pre-login handshake acknowledgement.
This could be because the pre-login handshake failed or the server was unable to respond back in time.
The duration spent while attempting to connect to this server was – [Pre-Login] initialization=18102; handshake=14297; Source: .Net SqlClient Data Provider Started: 10:55:12 AM Finished: 10:55:31 AM Elapsed: 18.922 seconds.
The package execution failed. The step failed.”
I really appreciate if you would guide me how to fix above issue?
I’m looking forwarding to receiving your responses.
Thanks a lot.
Hi there from the error it appears that it is due to it taking to long to login.
I would suggest making sure that were the SSIS is run from can successfully connect to the database.
Hi Gilbert,
Thank you for your article. It helps me alot.
Actually, I have a problem as below: my package runs fine from my computer (Visual Studio 2015) with my account and I am also a creator. But when I am trying to run it with SQL Agent job (SSMS 2014) and service account (that I have created Login and Credential from this service account step by step as your article), I get a status “Unexpected Termination”. I have realized that it comes from the Excel Connection where RetainSameConnection set to “False” by default. If I change it into “True”, my package runs fine also with SQL Agent job. But I can’t change it because in the last step of my package, I have some conditions and I have to delete the Excel file if the conditions are satisfied. And if RetainSameConnection set to “True”, I can’t delete it.
So my question is, do you have any idea why the package runs fine from my computer with my account and RetainSameConnection set to “False” by default but It’s not the case when I run it with SQL Agent job and service account? Why SQL Agent job ask to change RetainSameConnection set to “True”
Thank you so much for your help.
Hi there glad it helps you.
With regards to the retain same connection I have not had any issues when it has been deployed to the server. It might be that you need to ensure that your SQL Server Agent Service account has got the correct permissions to the source.
Hi Gilbert;
since i’m new in integration service, and tried to follow your guidance, but i got an error when
Error The job was invoked by user DOMAIN\Administrator
the user i created has the same access with administrator ( group of administrator)
any help would be appreciated’
warm regards;
Opik
Is this user in the local Administrators Group on the server?
Hi Gilbert. Does the proxy credential account need to be member of local administrators group? My agent job package fails unless the proxy credentials belongs to the local administrator group.
Hi there,
Yes it does
Plese could you point me to documentation where it mentions that the proxy account must belong to local administrator group. I want the proxy user to have mininum permissions.
The package creates couple of folders and files on the D drive.
Thank you very much. I am a newbee in SSIS and your documentation helped me immensely to resolve an issue with which I was hanging around for past few days.
Pleasure, thanks for the kind words
Hi, i have followed all steps, but the following error still appearing when try to run JOB:
Message
Unable to start execution of step 6 (reason: Error authenticating proxy DOMAIN\USER ID, system error: Logon failure: the user has not been granted the requested logon type at this computer. (‘Access this computer from network’)). The step failed.
Hi there
If you can please ensure that the user account has got the right access to the SSIS DB?
Hey, I think your site might be having browser compatibility issues.
When I look at your website in Chrome, it looks fine
but when opening in Internet Explorer, it has some overlapping.
I just wanted to give you a quick heads up! Other then that,
amazing blog!
Thanks for letting me know.
2 weeks trying to resolve the connectivity issue in Production after a database migration!!!!
YOU ROCKS! Thank you very much!!!
Saludos desde Costa Rica!!!
Thanks for letting me know it helped you!
Hi Gilbert. Very informative article. I thought I will create a separate comment to describe my issue.
I have created a credential with a domain user account. Then created a proxy with this credential for SSIS Packages. In the sql agent’s job step (SSIS package) I have selected Run As the proxy user from previous step.
The SSIS creates couple of folders and files (excel, txt, log file) in the D drive. When I execute the job I get an error “Unexpected termination”. I tried giving this user full control under D drive security settings.
The error gets resolved only when I add the proxy credential domain user to local administartor group.
I couldn’t find any documentation suggesting that the proxy credential must belong to the local administrators group. Please can you point me to any documentation that specifies that the proxy credential user must be member of local administrator group? I want to give this user the mininum required permissions.