Sql-server – SQL Server 2014: Using gMSA for xp_cmdshell Proxy Account

sql-server, sql-server-2014, xp-cmdshell

We are running SQL Server 2014. We want to use a gMSA as the proxy account for xp_cmdshell.

I tried running the following:

EXEC sys.sp_xp_cmdshell_proxy_account 'gmsaNameGoesHere$', ''

However, it expects a password.

I tried running the following:

CREATE CREDENTIAL ##xp_cmdshell_proxy_account## WITH IDENTITY = 'gmsaNameGoesHere$'

It runs! However, when the user tries to run xp_cmdshell via the proxy account, they're told:

Msg 15153, Level 16, State 1, Procedure xp_cmdshell, Line 3 The
xp_cmdshell proxy account information cannot be retrieved or is
invalid. Verify that the '##xp_cmdshell_proxy_account##' credential
exists and contains valid information.

Is it possible to use a gMSA as the proxy account for xp_cmdshell in SQL Server 2014? If so, how do I set it up as the proxy account?

Thanks!

Best Answer

However, it expects a password.

Correct, the password is encrypted and stored in the master database. When the account needs to be used, the password is decrypted and passed in.

Is it possible to use a gMSA as the proxy account for xp_cmdshell in SQL Server 2014?

I don't believe so, and that is part of the reason why I included the quote about the password above.

The API calls used to do this expect a plain text password to be given. Since one does not exist for the gMSA in this instance, the password would be blank. gMSAs do have passwords, but they aren't available in plain text and are based on generated values that rotate every so often, as specified at creation time.

The code that does this expects a plain text password and does not check to see if the account is a gMSA or not, thus does not use any special API to retrieve the account password for storage.

My best guess would be that, if we traced this all the way back to the calls, you'd actually be receiving error 1326: The user name or password is incorrect.

Now What?

If you have very strong feelings that this would be helpful or that others would also like to use it, I'd invite you to create a Connect Item. If you do create one, please update your answer with a link to the item.
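An added audit script for the situation this thread describes (not code from the question, the answer, or Microsoft): it checks whether xp_cmdshell is enabled, whether the ##xp_cmdshell_proxy_account## credential exists and which identity it names, and which non-sysadmin principals can execute xp_cmdshell and would therefore run as the proxy account. It assumes a sysadmin session in the master database on SQL Server 2014; the commented-out cleanup call at the end is the documented way to drop the proxy credential.

```sql
-- Audit of the xp_cmdshell proxy-account configuration (added example).
-- Assumption: run as sysadmin in master on SQL Server 2014.
USE master;

-- 1. Is xp_cmdshell enabled at all? (0 = disabled, 1 = enabled)
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Does the proxy credential exist, and which identity does it map to?
--    sys.credentials never exposes the secret, only the identity name.
--    A gMSA identity (name ending in '$') here is the broken state from the
--    question: the credential exists, but no usable password was stored.
SELECT credential_id,
       name,
       credential_identity,
       create_date,
       modify_date
FROM sys.credentials
WHERE name = N'##xp_cmdshell_proxy_account##';

-- 3. Which principals have been granted EXECUTE on xp_cmdshell?
--    Non-sysadmin callers are the ones the proxy account is used for.
SELECT dp.name            AS principal_name,
       dp.type_desc,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS dp
  ON dp.principal_id = pe.grantee_principal_id
WHERE pe.major_id = OBJECT_ID(N'sys.xp_cmdshell');

-- 4. Cleanup: passing NULL removes the proxy credential entirely, which is the
--    documented way to get rid of a credential that cannot work (such as one
--    created for a gMSA with no password).
-- EXEC sys.sp_xp_cmdshell_proxy_account NULL;
```

If step 3 returns rows while step 2 shows an empty or gMSA identity, those callers will get the Msg 15153 error from the question until a credential with a stored password is configured or their EXECUTE grant is removed.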