Why is “Access this computer from the network” permission required for proxy credential?

All we need is an easy explanation of the problem, so here it is.

https://docs.microsoft.com/en-us/sql/ssms/agent/create-a-sql-server-agent-proxy?view=sql-server-ver15#Restrictions

SQL Server Agent proxies use credentials to store information about
Windows user accounts. The user specified in the credential must have
"Access this computer from the network" permission
(SeNetworkLogonRight) on the computer on which SQL Server is running.

I have logged on to the SQL server computer. Connected to SSMS using the SA user. Created new credentials with the username as domainame\user1. Then configured proxy to use this credential.

What is the purpose of giving this credential user domainname\user1 "access this computer from the network"? The sql server/proxy is on the same computer – so why is there mention of network?

How to solve :

I know you bored from this bug, So we are here to help you! Take a deep breath and look at the explanation of your problem. We have many solutions to this problem, But we recommend you to use the first method because it is tested & true method that will 100% work for you.

Method 1

Because if the account doesn’t have the "Access this computer from the network" privilege your job step will fail with

Message Unable to start execution of step 1 (reason: Error
authenticating proxy xxxx\xxx, system error: Logon failure: the user
has not been granted the requested logon type at this computer.
(‘Access this computer from network’)). The step failed.

Ok, followup question, why is that? I don’t know, but either SQL Agent is performing the impersonation using a call to LogonUser with a dwLogonType that requires this privilege, or SQL Agent is checking the privilege directly and generating this error message, instead of just trying to perform the job step and reporting a failure.

In both cases, this suggests a security feature in SQL Agent.

IE if you don’t have the privilege to connect remotely to this computer, but you do have the ability to connect to to SQL Server and create a job, then you could bypass the bar on remote authentication when SQL Agent logs you on locally to run your job step.

Note: Use and implement method 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply