search cancel

Required privilege is not held for CmdExec job steps

book

Article ID: 253031

calendar_today

Updated On:

Products

Information Centric Analytics

Issue/Introduction

The following RiskFabric Processing job steps of type Operating System (CmdExec) are failing:

  • Metric Collector (22)
  • Update DB Utility Versions (23)
  • Update Data Refresh Date (25)
  • Send License Expiration Notifications (26)
  • Send Email Notifications (27)

The following error is logged by the SQL Server Agent for each job step:

Executed as user: <domain>\<account>. The process could not be created for step n of job <guid> (reason: A required privilege is not held by the client). The step failed.

Environment

Release : 6.x

Component : Microsoft SQL Server

Cause

The SQL Server Agent Service account is missing required privileges to perform impersonation. Per Microsoft, "the Windows Service Control Manager cannot grant the required permissions to run agent jobs to the <account> domain account" and "[t]his error message is not typically caused by the proxy account itself, but rather by the SQL Server Agent service account trying to impersonate the proxy account."

Resolution

To resolve this issue, determine why the Microsoft Service Control Manager cannot grant impersonation privileges to the SQL Server Agent service account. This may be enforced by a local security policy or GPO.

As a workaround, change job steps 22, 23, 25, 26, and 27 to run as the SQL Server Agent service account, rather than as the RiskFabric Nightly Processing proxy, by following this procedure:

  1. Open SQL Server Management Studio (SSMS)
  2. Connect to the Database Engine hosting the RiskFabric database
  3. In Object Explorer, navigate to SQL Server Agent > Jobs
  4. Right-click the RiskFabric Processing job and select Properties
  5. In the Job Properties window, select the Steps page
  6. Select step 22 (Metric Collector) and click the Edit button
  7. In the Job Step Properties window on the General page under the Run as: drop-down menu, select SQL Server Agent Service Account
  8. Click the OK button to close the Job Step Properties window
  9. Repeat steps 6 through 8 for job steps 23, 25, 26, and 27
  10. Click the OK button to close the Job Properties window
  11. Right-click the RiskFabric Processing job and select Start Job at Step
  12. In the Start Job on '<host>' window, click the Start button to start the processing job

Additional Information

Microsoft Document: SQL Server Agent jobs may fail after you change the SQL Server Agent service startup account by using the Windows Service Control Manager