We are getting the following error when trying to use BULK INSERT
.
Msg 4861, Level 16, State 1, Line 10 Cannot bulk load because the file
"\filer\share\loadfile.txt" could not be opened. Operating system
error code 5(Access is denied.).
When we check the security on the directory everyone
is listed as having full access and in fact we have confirmed this by trying to open the file manually as myself, another DBA, one of the devs, and the service account running the instance. We also get the error when attempting to run the BULK INSERT myself, the other DBA, the dev and a sysadmin SQL login I created to run the test.
The instance is SQL Server 2008 R2
The code is:
CREATE TABLE #Temp1 (CodeNum VarChar(10), Cost Money)
BULK INSERT #Temp1
FROM '\\filer\share\loadfile.txt'
WITH (
FIELDTERMINATOR = ',',
ROWTERMINATOR = ';\n'
);
GO
Can anyone give me some direction on where my security issue is?
Best Answer
First, I would check the "effective" permissions of the Service Account used to run the MSSQLSERVER service for that NTFS share. This is mainly to ensure that no "deny"s exist for that account, or any Active Directory group in which that the account exists, in a parent folder that are getting inherited down to the path in question.
Second, I would consider attempting to enable Kerberos Delegation for that service account, as per the Microsoft recommendation for BULK INSERT (see below). Now, I would have expected that granting the service account the appropriate read/execute permissions and using a SQL Server Login would have worked (delegation shouldn't be needed in this case because the logon event is local and the external resource is only a single hop away), BUT since it isn't, some other factor could be getting in the way (perhaps Kerberos and SPNs are required, even when not using Delegation). Either way, it seems like this is a common-enough scenario for Microsoft to have documented it across two MSDN pages.
If you currently are using NTLM instead of Kerberos, you try switching to Kerberos and setting up the necessary SPN first, prior to enabling any account for Delegating, and see if that works.
And if you follow that link at the end to the "Import Bulk Data..." page, you will see the following section: