OPENROWSET BULK Permissions to Shared Folder

Question

OBJECTIVE

Use the OPENROWSET feature to JOIN data in a query against a text file.

ERROR

Leveraging the answer from @gbn on this question I am trying to

Answer 1

If you are logged in as a SQL login then you must create a credential for this login and this credential must have sufficient privileges to read the share.

If you are logged in as a Windows login then you must enable Kerberos constrained delegation for the SQL Server service account.

Right now it seems you're using a Windows login and because the impersonated context cannot flow through the 'double hop' the authentication resolves to ANONYMOUS LOGON, which is not member of Everyone, hence the access denied. All this is exactly the expected behavior. Consult your network administrator about how to setup constrained delegation for the SQL Server service account targeting your desired share.

Answer 2

These steps are required on SQL Server 2017 to make OPENROWSET ('Microsoft.ACE.OLEDB.16.0','Excel 12.0;..) working with a Shared Folder (UNC file-share):

1. Install Microsoft Access Database Engine 2016 Redistributable
2. Configure the Service Principal Name (SPN) in Active Directory (as we use Kerberos authentication):
   1. Configure Computer object Security rights (of the Database Server)
   2. Configure Service account Security rights (the user running the SQL-server process)
   3. Check the SQL Server Log for a message like: The SQL Server Network Interface library successfully registered the Service Principal Name (SPN) [ MSSQLSvc/SRV-DB-01.domain.local:58089 ] for the SQL Server service.
3. Allow Ad Hoc Distributed Queries

EXEC sp_configure 'show advanced options', 1 RECONFIGURE GO EXEC sp_configure 'ad hoc distributed queries', 1 RECONFIGURE GO

4. Configure the Driver "Microsoft.ACE.OLEDB.16" with AllowInProcess and DynamicParameters

USE [master] GO EXEC master.dbo.sp_MSset_oledb_prop N'Microsoft.ACE.OLEDB.16.0', N'AllowInProcess', 1 GO EXEC master.dbo.sp_MSset_oledb_prop N'Microsoft.ACE.OLEDB.16.0', N'DynamicParameters', 1 GO

5. Because we enabled AllowInProcess, the service-account and the actual user must have modify-permission to the Temp-Folder on C:\Users\service-account\AppData\Local\Temp. Otherwise you may recieve The provider reported an unexpected catastrophic failure.
6. Ensure you have proper permissions on the UNC share itself.
7. Reboot the server to ensure all changes in AD and temp-folder permissions were applied!
8. Use the actual Database-Server-Name to connect. Don't use an SQL-Alias name.

Answer 3

I had the same issue which was caused by using a SQL DNS-Alias. With Servername\Instance it worked, with ServerAlias\Instance I get Operating system error code 5(Access is denied.).