Script out SQL Server Credentials and Proxies
By: Pablo Echeverria | Updated: 2018-11-21 | Comments (1) | Related: More > Security
It is often a requirement to migrate a database from one SQL Server instance to another and that often involves migrating server objects used in the SQL Server Agent Jobs, but there is not an easy option to export credentials and proxies that are used for running SQL Server Agent jobs. In this tip we look at a way we can automtically generate scripts to recreate the credentials and proxies.
We will first setup a sample credential and proxy and then use this to generate the scripts.
Create Sample Credential and Proxy
We will first create a credential and proxy that we can then use to generate the creation scripts. We will use this link from Microsoft on how to create a proxy with credentials and then we will show the output of the script. The script from Microsoft is as follows. If you want to do this on your server, you will need to modify the IDENTITY value in the script for a valid account on your system.
-- creates credential CatalogApplicationCredential USE msdb; GO CREATE CREDENTIAL CatalogApplicationCredential WITH IDENTITY = 'REDMOND/TestUser', SECRET = 'G3$1o)lkJ8HNd!'; GO -- creates proxy "Catalog application proxy" and assigns the credential 'CatalogApplicationCredential' to it EXEC dbo.sp_add_proxy @proxy_name = 'Catalog application proxy', @enabled = 1, @description = 'Maintenance tasks on catalog application.', @credential_name = 'CatalogApplicationCredential' ; GO -- grants the proxy "Catalog application proxy" access to the Operating System (CmdExec) subsystem. EXEC dbo.sp_grant_proxy_to_subsystem @proxy_name = N'Catalog application proxy', @subsystem_id = 3 ; GO
When this script from is run (with a valid domain user and password) it first creates the credential named "CatalogApplicationCredential" and then creates a proxy named "Catalog application proxy" and finally enables the proxy to run Operating System commands.
Generate Credential and Proxy Scripts Based on Existing Configuration
Now that we have an example credential and proxy, we can use this sample to generate the scripts so we can recreate these on another instance of SQL Server. Here is the script that will output the commands to create the credential and proxies from the system:
-- Get the credentials from sys.credentials, the password is unknown SELECT 'CREATE CREDENTIAL '+[name]+' WITH IDENTITY='''+[credential_identity]+''',SECRET=''G3$1o)lkJ8HNd!''' FROM [sys].[credentials] ORDER BY [name] -- Get the proxies from sp_help_proxy and sys.credentials CREATE TABLE #Info ([proxy_id] INT, [name] SYSNAME, [credential_identity] SYSNAME, [enabled] TINYINT, [description] NVARCHAR(1024), [user_sid] VARBINARY(85), [credential_id] INT, [credential_identity_exists] INT) INSERT INTO #Info EXEC sp_help_proxy SELECT 'EXEC dbo.sp_add_proxy @proxy_name='''+[i].[name]+''',@enabled='+CAST([enabled] AS VARCHAR)+',@description='+(CASE WHEN [description] IS NULL THEN 'NULL' ELSE ''''+[description]+'''' END)+',@credential_name='''+[c].[name]+'''' FROM #Info [i] INNER JOIN [sys].[credentials] [c] ON [c].[credential_id] = [i].[credential_id] DROP TABLE #Info -- Get the proxy authorizations from sp_enum_proxy_for_subsystem CREATE TABLE #Info2([subsystem_id] INT, [subsystem_name] SYSNAME, [proxy_id] INT, [proxy_name] SYSNAME) INSERT INTO #Info2 EXEC sp_enum_proxy_for_subsystem SELECT 'EXEC dbo.sp_grant_proxy_to_subsystem @proxy_name=N'''+[proxy_name]+''',@subsystem_id='+CAST([subsystem_id] AS VARCHAR) FROM #Info2 DROP TABLE #Info2
- First we get the credentials from sys.credentials (note that you need to input the password the password will not be returned via the script).
- Then we get the proxies from sp_help_proxy into a temp table to output as a command.
- Finally we get the proxy authorizations from sp_enum_proxy_for_subsystem into a temp table to output as a command.
Here is the output it produces after it is run:
CREATE CREDENTIAL CatalogApplicationCredential WITH IDENTITY='REDMOND/TestUser',SECRET='G3$1o)lkJ8HNd!' EXEC dbo.sp_add_proxy @proxy_name='Catalog application proxy',@enabled=1,@description='Maintenance tasks on catalog application.',@credential_name='CatalogApplicationCredential' EXEC dbo.sp_grant_proxy_to_subsystem @proxy_name=N'Catalog application proxy',@subsystem_id=3
You can see, the output from the script is the same as the original provided by Microsoft, although formatted a little differenlty.
Note that you must know the password of the user specified in the credential, as there’s no official way to retrieve it. You will need to ask someone that knows the password or as a last resort, you will have to change it.
- Here is the original link from Microsoft on creating proxies with credentials
- Here is the official documentation on sys.credentials
- Here is the official documentation on sp_help_proxy
- Here is the official documentation on sp_add_proxy
- Here is the official documentation on sp_enum_proxy_for_subsystem
- Here is the official documentation on sp_grant_proxy_to_subsystem
Last Updated: 2018-11-21
About the author
View all my tips