FIX: Security token leak when you run more than two PowerShell steps by using a proxy account in a SQL Server Agent job

Microsoft distributes Microsoft SQL Server 2012 Service Pack 1 fixes as one downloadable file. Because the fixes are cumulative, each new release contains all the hotfixes and all the security fixes that were included with the previous SQL Server 2012 Service Pack 1 fix release.

Symptoms

Assume that you use a proxy account to run more than two Windows PowerShell steps at the same time in a SQL Server Agent job in Microsoft SQL Server 2012. In this situation, a security token leak occurs. Additionally, the Local Security Authority Security Subsystem process (Lsass.exe) consumes a large amount of memory, and the server may freeze.

Cause

This issue occurs because a new security token is re-created unexpectedly, and the handle for the previous security token is lost and cannot be closed.

Resolution

Cumulative update information

Cumulative Update 3 for SQL Server 2012 SP1

The fix for this issue was first released in Cumulative Update 3. For more information about how to obtain this cumulative update package for SQL Server 2012 SP1, click the following article number to view the article in the Microsoft Knowledge Base:
2812412 Cumulative update package 3 for SQL Server 2012 Service Pack 1
Note Because the builds are cumulative, each new fix release contains all the hotfixes and all the security fixes that were included with the previous SQL Server 2012 SP1 fix release. We recommend that you consider applying the most recent fix release that contains this hotfix. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
2772858 The SQL Server 2012 builds that were released after SQL Server 2012 Service Pack 1 was released

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Workaround

To work around this issue, apply one of the following methods:
  • Do not run multiple PowerShell steps at the same time.
  • Do not run the PowerShell steps by using a proxy account.
  • Use an operating system (CmdExec)Job Step type to run the PowerShell script.

References

For more information about how to run Windows PowerShell Steps in SQL Server Agent, go to the following MSDN website: For more information about the Incremental Servicing Model for SQL Server, click the following article number to view the article in the Microsoft Knowledge Base:
935897 An Incremental Servicing Model is available from the SQL Server team to deliver hotfixes for reported problems
For more information about the naming schema for SQL Server updates, click the following article number to view the article in the Microsoft Knowledge Base:
822499 Naming schema for Microsoft SQL Server software update packages
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates
Proprietà

ID articolo: 2791496 - Ultima revisione: 12 apr 2013 - Revisione: 1

Feedback