Sign In Help
Schneider Electric
HelpSign In
Schneider Electric Exchange
  • Home
  • Collaborate
  • Develop
  • Shop
Home Collaborate Develop Shop Log in or Register Help

Invite a Co-worker

Send a co-worker an invite to the Exchange portal.Just enter their email address and we’ll connect them to register. After joining, they will belong to the same company.
You have entered an invalid email address. Please re-enter the email address.
This co-worker has already been invited to the Exchange portal. Please invite another co-worker.
Please enter email address
Send Invite Cancel

Invitation Sent

Your invitation was sent.Thanks for sharing Exchange with your co-worker.
Send New Invite Close
  • Home
  • Collaborate
  • Exchange Community
  • :
  • SCADA & Telemetry Solutions
  • :
  • Geo SCADA Expert Forum
  • :
  • [Imported] SQL Export Object - Output File Name - UNC Path Fails
Community Menu
  • Forums
    • By Topic
        • EcoStruxure IT
          • EcoStruxure IT forum
        • Industrial Automation
          • Industry Automation and Control Forum
          • Alliance System Integrators Forum
          • Machine Solutions in the Digital Transformation
          • EcoStruxure Automation Expert / IEC 61499 Forum
          • Industrial Edge Computing Forum
          • Level and Pressure Instrumentation Forum
          • Modicon User Group
          • PLC Club Indonesia
          • SEE Automation Club Forum
          • Fabrika ve Makina Otomasyonu Çözümleri
          • Форум по промышленной автоматизации СНГ
        • SCADA & Telemetry Solutions
          • Geo SCADA Expert Forum
          • SCADA and Telemetry Devices Forum
        • Power Distribution IEC
          • Power Distribution and Digital
          • Power Standards & Regulations
          • Paneelbouw & Energie Distributie
          • Eldistribution & Fastighetsautomation
        • Power Distribution Softwares
          • EcoStruxure Power Design Forum
          • SEE Electrical Building+ Forum
          • LayoutFAST User Group Forum
        • Wireless Information Network Solutions
          • Instrument Area Network
          • Remote Monitoring
          • Tank Level Monitoring
          • Remote Data Collection
        • Solutions for your Business
          • Solutions for Food & Beverage Forum
          • Solutions for Healthcare Forum
    • By Segment
        • Food & Beverage
          • Solutions for Food & Beverage Forum
        • Healthcare
          • Solutions for Healthcare Forum
      • EcoStruxure IT
        • EcoStruxure IT forum
      • Industrial Automation
        • Industry Automation and Control Forum
        • Alliance System Integrators Forum
        • Machine Solutions in the Digital Transformation
        • EcoStruxure Automation Expert / IEC 61499 Forum
        • Industrial Edge Computing Forum
        • Level and Pressure Instrumentation Forum
        • Modicon User Group
        • PLC Club Indonesia
        • SEE Automation Club Forum
        • Fabrika ve Makina Otomasyonu Çözümleri
        • Форум по промышленной автоматизации СНГ
      • SCADA & Telemetry Solutions
        • Geo SCADA Expert Forum
        • SCADA and Telemetry Devices Forum
      • Power Distribution IEC
        • Power Distribution and Digital
        • Power Standards & Regulations
        • Paneelbouw & Energie Distributie
        • Eldistribution & Fastighetsautomation
      • Power Distribution Softwares
        • EcoStruxure Power Design Forum
        • SEE Electrical Building+ Forum
        • LayoutFAST User Group Forum
      • Wireless Information Network Solutions
        • Instrument Area Network
        • Remote Monitoring
        • Tank Level Monitoring
        • Remote Data Collection
      • Solutions for your Business
        • Solutions for Food & Beverage Forum
        • Solutions for Healthcare Forum
      • Food & Beverage
        • Solutions for Food & Beverage Forum
      • Healthcare
        • Solutions for Healthcare Forum
  • Blogs
    • By Topic
        • Industrial Automation
          • Industrial Edge Computing Blog
          • Industry 4.0 Blog
          • Industrie du Futur France
        • SCADA & Telemetry Solutions
          • SCADA and Telemetry Blog
        • Power Distribution IEC
          • Power Events & Webinars
          • Power Foundations Blog
        • Power Distribution NEMA
          • NEMA Power Foundations Blog
        • Power Distribution Softwares
          • EcoStruxure Power Design Blog
          • SEE Electrical Building+ Blog
        • Solutions for your Business
          • Solutions for Food & Beverage Blog
          • Solutions for Healthcare Blog
          • Solutions for Retail Blog
        • Community experts & publishers
          • Publishers Community
    • By Segment
        • Food & Beverage
          • Solutions for Food & Beverage Blog
        • Healthcare
          • Solutions for Healthcare Blog
        • Retail
          • Solutions for Retail Blog
      • Industrial Automation
        • Industrial Edge Computing Blog
        • Industry 4.0 Blog
        • Industrie du Futur France
      • SCADA & Telemetry Solutions
        • SCADA and Telemetry Blog
      • Power Distribution IEC
        • Power Events & Webinars
        • Power Foundations Blog
      • Power Distribution NEMA
        • NEMA Power Foundations Blog
      • Power Distribution Softwares
        • EcoStruxure Power Design Blog
        • SEE Electrical Building+ Blog
      • Solutions for your Business
        • Solutions for Food & Beverage Blog
        • Solutions for Healthcare Blog
        • Solutions for Retail Blog
      • Community experts & publishers
        • Publishers Community
      • Food & Beverage
        • Solutions for Food & Beverage Blog
      • Healthcare
        • Solutions for Healthcare Blog
      • Retail
        • Solutions for Retail Blog
  • Ideas
        • Industrial Automation
          • Modicon Ideas & new features
        • SCADA & Telemetry Solutions
          • Geo SCADA Expert Ideas
          • SCADA and Telemetry Devices Ideas
  • Knowledge Center
    • Building Automation Knowledge Base
    • Industrial Automation Knowledge Base
    • Industrial Automation How-to videos
    • SCADA & Telemetry Solutions Knowledge Base
    • Digital E-books
    • Success Stories Corner
    • Power Talks
  • Events & Webinars
    • Innovation Talks
    • Innovation Summit
    • Let's Exchange Series
    • Technology Partners
  • Support
    • Ask Exchange
    • Leaderboard
    • Our Community Guidelines
    • Community User Guide
    • How-To & Best Practices
    • More
Join Now
How can we help?
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
51230members
Join Now
245444posts
Join Now

[Imported] SQL Export Object - Output File Name - UNC Path Fails

Options
  • Subscribe to RSS Feed
  • Mark Topic as New
  • Mark Topic as Read
  • Float this Topic for Current User
  • Bookmark
  • Subscribe
  • Mute
  • Printer Friendly Page
Solved Go to Solution
Back to Geo SCADA Expert Forum
Solved
sbeadle
Sisko sbeadle Sisko
Sisko
‎2019-11-27 12:03 AM
0 Likes
1
558
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content
‎2019-11-27 12:03 AM

[Imported] SQL Export Object - Output File Name - UNC Path Fails

 

>>Message imported from previous forum - Category:ClearSCADA Software<<
User: rlao, originally posted: 2019-11-06 06:10:02 Id:615
Hi,

Can one of the forum admins please restore the contents of this thread from the old forums:

http://telemetry.schneider-electric.com/id3/forum/messageview.cfm?catid=67&threadid=3058

Forum title is same as my own forum title: SQL Export Object - Output File Name - UNC Path Fails

It looks like I am encountering the same issue as that post - getting the SQL Export Driver to write to a UNC path fails due to 'access denied' even though the user I'm running it as has all the required permissions to write to that network location. The same SQL export produces a file without issue if the output path is a local C: drive path.

Solved! Go to Solution.

Labels
  • SCADA
Share
Reply

Accepted Solutions
sbeadle
Sisko sbeadle Sisko
Sisko
‎2019-11-27 12:04 AM
0 Likes
0
557
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content
‎2019-11-27 12:04 AM

Re: [Imported] SQL Export Object - Output File Name - UNC Path Fails

>>Responses imported from previous forum


Reply From User: andrewscott, posted: 2019-11-06 10:22:12
The SQL Export driver runs under the Windows user account specified in the "System Configuration \\ Printing" section of the server configuration tool. This user must have write access to the share and folder where the files are saved.
This user must also have the "Log on as a service" privilege as the ClearSCADA server runs as a Windows service.
This needs to be configured on each main/standby server in the system (but not permanent standbys).


Reply From User: adamwoodland, posted: 2019-11-06 21:42:03
Also, if no use is defined in printing it'll be whatever the ClearSCADA service is run under (so most likely SYSTEM). Windows block services running as SYSTEM from smb calls, so calls to \\\\server will always fail


Reply From User: sbeadle, posted: 2019-11-07 08:46:28
Post 3058 from the original forum:

Question :

We use a SQL Export Object that uploads the file to a UNC share (another server).

When we export to the local machines UNC path or just "C:\\file" everything goes well. When we export to another computers UNC path, it fails.

On this other computer, I turned off firewalls, I have no anti-virus running, I gave all sharing rights to Everyone, Anonymous Logon,... But nothing works. Although I can perfectly access the share (read/write) through windows explorer with the same UNC path.

I also played around with the "File Upload" user settings in the configuration by configuring a user, but it gives the same result.

On the other computer (with the share) we see that a user succesfully logs in and logs out as "ANONYMOUS LOGON, NT AUTHORITY", every time we trigger the export. So something is happening... Nevertheless, no file is written to the share and we always get this error :

"

Low 2/07/2015 10:21:34.949 Export SQL Query result request failed - Failed to open or write to SQL Query result file (Access is denied.). Check privileges and/or free disk space (2/07/2015 10:21:34.928) admin Action

Low 2/07/2015 10:21:34.927 Export SQL Query result requested admin Action

"

 

Solution :

The following configuration must be defined:

Enable the Guest Account - not necessary but you can try if it still doesn't work.
Open up Local Group Policy Manager. (secpol.msc)
Expand Computer Configuration
Expand Windows Settings
Expand Security Settings
Expand Local Policies
Select Security Options
Change "Network access: Let Everyone permissions to apply to anonymous users" from Disabled to Enabled.
Change "Network access: Restrict anonymous access to Named Pipes and Shares" from Enabled to Disabled.
Enter in the share name for "Network access: Shares that can be accessed anonymously" - \\\\SERVERNAME\\ShareName - Fill in only ShareName

Set up the Share with Everybody permissions and you're set!

User:
bevanweiss
Posted:
7/2/2015 5:55:01 PM

It would have been interesting to try something different...

On the share in question, if you had of edited the Permissions and added the particular ClearSCADA server machine account explicitly (with Full control permissions). I expect this would have worked.

I believe the SQL Export would run as the SYSTEM account (the same as the ClearSCADA DBServer), and I've actually just checked and this is the default.

This means that when trying to access a remote resource, it will only pass through the credentials of the PC on which it is currently running (i.e. it will attempt to authenticate using the computer account).

I would have expected the Windows Everyone group to include the computer accounts, but I'm not completely across the intricacies of the Windows Authentication system.

EDIT: I've just looked, and I'm wrong on the SYSTEM account remote resource aspect. It uses the null session, so this wouldn't work. NETWORK SERVICE is the one I was thinking of that would provide the computer account.
Probably what you really want, is to use a domain level service account to run the DriverSQLExport service, and then give this appropriate local and remote permissions to perform the task required. This is more secure than allowing Anonymous Read/Write access to a particular file share.
User:
AWoodland
Posted:
7/2/2015 6:09:37 PM

Just a word of caution, whilst it is great you have found and posted a solution for others to use be aware that if you're trying to operate in a secure environment and perhaps have security policies to meet, you'll probably fail. The basic securiy checks from 15 years ago for Windows NT checked these policy settings.

If you are looking for a more secure way, perhaps export to your local disk and then using something that does meet your security requirements to get the data off-server, such as dfs or an encrypted copying solution.

Might be nice if the SQL Export has user impersonation available so it doesn't run that driver as SYSTEM (as Bevan points out); maybe in the future an enhancement by the development team.

User:
andrewscott
Posted:
7/3/2015 5:10:44 AM

Actually the SQL Export driver does support user impersonation, however it doesn't have its own user account, instead it shares the printing user account, see the "System Configuration\\Printing" section of the server configuration tool.

NB. This Windows user must have the "Log on as a service" permission.

This printing user must be setup if you want to export to a UNC path.

User:
StijnA
Posted:
7/3/2015 9:29:54 AM

Yes indeed this solution is not very secure, but it was the only thing that worked. I like the idea of storing the file locally and use a secure service to transfer these files to the server.

We also tried setting a printing user in the "System Configuration\\Printing" as recommended, and that seems to be working fine as well! Which is great news 🙂 Thanks for the info!

Great! Thank you Bevan, Adam, Andrew!

 

Reply From User: rlao, posted: 2019-11-14 00:16:20
Hi all,

Just an update on this.

I've tried both methods: (1) Giving Everyone write permissions to the shared folder, (2) setting up the Printing user.

Method 1 worked fine, but as already mentioned here is not ideal from a security point of view.

However, I still cannot get Method 2 with the Printing user to work. I've added a Printing user (a domain account) to all primary and standby servers - even the Permanent Standby to be extra sure.

I'm certain that domain user account is correctly set up with 'Log on as a Service' privilege. The server configuration tool doesn't complain about the user not being granted the correct logon type when I enter that user under System Configuration/Printing and save changes.

I've also verified the permissions on the share are set up correctly. I can manually log on as that Printing user and create/edit a file in that share folder.

I checked the event logs of the computer that's hosting the share and can find the successful logon attempt from the ClearSCADA server when I trigger the SQL Export. However the user is coming across as NULL SID and I'm getting a blank dash for Account Name/Domain. I've attached the event log entry as a text file.

Does this mean it's not able to impersonate the Printing user?

 

Reply From User: adamwoodland, posted: 2019-11-14 05:28:54
Any errors in the DB logs?


Reply From User: andrewscott, posted: 2019-11-14 12:20:40
What does the SQL Export driver log file show?
If it successfully impersonates the printing user it will log the following:
`14-NOV-2019 12:07:00.998 [SQL Export1] Impersonated user \\`
If it fails an error message will be logged instead.

See Answer In Context

Share
Reply
  • All forum topics
  • Previous Topic
  • Next Topic
1 Reply 1
sbeadle
Sisko sbeadle Sisko
Sisko
‎2019-11-27 12:04 AM
0 Likes
0
558
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content
‎2019-11-27 12:04 AM

Re: [Imported] SQL Export Object - Output File Name - UNC Path Fails

>>Responses imported from previous forum


Reply From User: andrewscott, posted: 2019-11-06 10:22:12
The SQL Export driver runs under the Windows user account specified in the "System Configuration \\ Printing" section of the server configuration tool. This user must have write access to the share and folder where the files are saved.
This user must also have the "Log on as a service" privilege as the ClearSCADA server runs as a Windows service.
This needs to be configured on each main/standby server in the system (but not permanent standbys).


Reply From User: adamwoodland, posted: 2019-11-06 21:42:03
Also, if no use is defined in printing it'll be whatever the ClearSCADA service is run under (so most likely SYSTEM). Windows block services running as SYSTEM from smb calls, so calls to \\\\server will always fail


Reply From User: sbeadle, posted: 2019-11-07 08:46:28
Post 3058 from the original forum:

Question :

We use a SQL Export Object that uploads the file to a UNC share (another server).

When we export to the local machines UNC path or just "C:\\file" everything goes well. When we export to another computers UNC path, it fails.

On this other computer, I turned off firewalls, I have no anti-virus running, I gave all sharing rights to Everyone, Anonymous Logon,... But nothing works. Although I can perfectly access the share (read/write) through windows explorer with the same UNC path.

I also played around with the "File Upload" user settings in the configuration by configuring a user, but it gives the same result.

On the other computer (with the share) we see that a user succesfully logs in and logs out as "ANONYMOUS LOGON, NT AUTHORITY", every time we trigger the export. So something is happening... Nevertheless, no file is written to the share and we always get this error :

"

Low 2/07/2015 10:21:34.949 Export SQL Query result request failed - Failed to open or write to SQL Query result file (Access is denied.). Check privileges and/or free disk space (2/07/2015 10:21:34.928) admin Action

Low 2/07/2015 10:21:34.927 Export SQL Query result requested admin Action

"

 

Solution :

The following configuration must be defined:

Enable the Guest Account - not necessary but you can try if it still doesn't work.
Open up Local Group Policy Manager. (secpol.msc)
Expand Computer Configuration
Expand Windows Settings
Expand Security Settings
Expand Local Policies
Select Security Options
Change "Network access: Let Everyone permissions to apply to anonymous users" from Disabled to Enabled.
Change "Network access: Restrict anonymous access to Named Pipes and Shares" from Enabled to Disabled.
Enter in the share name for "Network access: Shares that can be accessed anonymously" - \\\\SERVERNAME\\ShareName - Fill in only ShareName

Set up the Share with Everybody permissions and you're set!

User:
bevanweiss
Posted:
7/2/2015 5:55:01 PM

It would have been interesting to try something different...

On the share in question, if you had of edited the Permissions and added the particular ClearSCADA server machine account explicitly (with Full control permissions). I expect this would have worked.

I believe the SQL Export would run as the SYSTEM account (the same as the ClearSCADA DBServer), and I've actually just checked and this is the default.

This means that when trying to access a remote resource, it will only pass through the credentials of the PC on which it is currently running (i.e. it will attempt to authenticate using the computer account).

I would have expected the Windows Everyone group to include the computer accounts, but I'm not completely across the intricacies of the Windows Authentication system.

EDIT: I've just looked, and I'm wrong on the SYSTEM account remote resource aspect. It uses the null session, so this wouldn't work. NETWORK SERVICE is the one I was thinking of that would provide the computer account.
Probably what you really want, is to use a domain level service account to run the DriverSQLExport service, and then give this appropriate local and remote permissions to perform the task required. This is more secure than allowing Anonymous Read/Write access to a particular file share.
User:
AWoodland
Posted:
7/2/2015 6:09:37 PM

Just a word of caution, whilst it is great you have found and posted a solution for others to use be aware that if you're trying to operate in a secure environment and perhaps have security policies to meet, you'll probably fail. The basic securiy checks from 15 years ago for Windows NT checked these policy settings.

If you are looking for a more secure way, perhaps export to your local disk and then using something that does meet your security requirements to get the data off-server, such as dfs or an encrypted copying solution.

Might be nice if the SQL Export has user impersonation available so it doesn't run that driver as SYSTEM (as Bevan points out); maybe in the future an enhancement by the development team.

User:
andrewscott
Posted:
7/3/2015 5:10:44 AM

Actually the SQL Export driver does support user impersonation, however it doesn't have its own user account, instead it shares the printing user account, see the "System Configuration\\Printing" section of the server configuration tool.

NB. This Windows user must have the "Log on as a service" permission.

This printing user must be setup if you want to export to a UNC path.

User:
StijnA
Posted:
7/3/2015 9:29:54 AM

Yes indeed this solution is not very secure, but it was the only thing that worked. I like the idea of storing the file locally and use a secure service to transfer these files to the server.

We also tried setting a printing user in the "System Configuration\\Printing" as recommended, and that seems to be working fine as well! Which is great news 🙂 Thanks for the info!

Great! Thank you Bevan, Adam, Andrew!

 

Reply From User: rlao, posted: 2019-11-14 00:16:20
Hi all,

Just an update on this.

I've tried both methods: (1) Giving Everyone write permissions to the shared folder, (2) setting up the Printing user.

Method 1 worked fine, but as already mentioned here is not ideal from a security point of view.

However, I still cannot get Method 2 with the Printing user to work. I've added a Printing user (a domain account) to all primary and standby servers - even the Permanent Standby to be extra sure.

I'm certain that domain user account is correctly set up with 'Log on as a Service' privilege. The server configuration tool doesn't complain about the user not being granted the correct logon type when I enter that user under System Configuration/Printing and save changes.

I've also verified the permissions on the share are set up correctly. I can manually log on as that Printing user and create/edit a file in that share folder.

I checked the event logs of the computer that's hosting the share and can find the successful logon attempt from the ClearSCADA server when I trigger the SQL Export. However the user is coming across as NULL SID and I'm getting a blank dash for Account Name/Domain. I've attached the event log entry as a text file.

Does this mean it's not able to impersonate the Printing user?

 

Reply From User: adamwoodland, posted: 2019-11-14 05:28:54
Any errors in the DB logs?


Reply From User: andrewscott, posted: 2019-11-14 12:20:40
What does the SQL Export driver log file show?
If it successfully impersonates the printing user it will log the following:
`14-NOV-2019 12:07:00.998 [SQL Export1] Impersonated user \\`
If it fails an error message will be logged instead.

See Answer In Context

Share
Reply
Related Products
Schneider Electric
EcoStruxure™ Geo SCADA Expert
Top Experts
User Count
sbeadle
Sisko sbeadle Sisko
188
BevanWeiss
Sisko BevanWeiss
52
AdamWoodland
Lt. Commander AdamWoodland Lt. Commander
16
JChamberlain
Lieutenant JChamberlain Lieutenant
16
AndrewScott
Lieutenant AndrewScott
15
See More Top Experts
Find a Service Provider
Find a certified partner to help you address your integration, installation, maintenance and project needs.
View all Providers
Support

Have a question? Please contact us with details, and we will respond.

Contact Us
FAQ

Look through existing questions to find popular answers.

Learn More
About

Want to know more about Exchange and its possibilities?

Learn More

Full access is just steps away!

Join Exchange for FREE and get unlimited access to our global community of experts.

Connect with Peers & Experts

Discuss challenges in energy and automation with 30,000+ experts and peers.

Get Support in Our Knowledge Base

Find answers in 10,000+ support articles to help solve your product and business challenges.

Ask Questions. Give Solutions

Find peer based solutions to your questions. Provide answers for fellow community members!

Register today for FREE

Register Now

Already have an account?Log in

About Us FAQ Terms & Conditions Privacy Notice Change your cookie settings
©2020, Schneider Electric