From: Toni on

Impersonation question

I need to have a user (DOMAIN\USERA) connect to server01 using their own
rights they already have by virtue of whatever Active Directory group
they are in, then I want them to impersonate USERB. USERB has rights to
run sp_start_job on SERVER02. Then they need to start a SQL Server Agent

The setup I have is:

The DOMAIN\USERA login is created on SERVER01 with all the necessary
permissions to DB1 to be able to run their app.
The SQL Auth id USERB is set up on SERVER01 with USE permissions to DB1.
(I'm not sure what additional permissions it needs here.)

The DOMAIN\USERA login has IMPERSONATE rights to the USERB id.

I have a linked server set up from SERVER01 to SERVER02. All domain ids
link with their same domain id.
The SQL Auth id USERB is set to link with the same id and password on
both servers.

The SQL Auth id USERB is set up on SERVER02 with db_owner permission to
MSDB. (originally permissions were EXECUTE on sp_start_job only but we
changed to db_owner to see if it would help with troubleshooting.)

On SERVER01, DOMAIN\USERA is running this:


EXEC SERVER02.msdb.dbo.sp_start_job N'Test Job';


The error they get is:

Msg 15274, Level 16, State 1, Line 3
Access to the remote server is denied because the current security
context is not trusted.

So, I have multiple questions. First, is this the right approach? If
it is, what am I doing wrong?

Thank you,

*** Sent via Developersdex ***
From: Toni on
I think I figured out my problem.

I needed to grant IMPERSONATE rights on the LOGIN. I did that and can
now execute the SQL Agent job without any errors.


*** Sent via Developersdex ***
Pages: 1
Prev: SQL Server Service User Account