When using a ZappySys SSIS PowerPack connection in SQL Server Integration Services (SSIS), you may encounter the following error message during package execution:
Login incorrect (530). Password was empty. ErrorCode: ERR_EMPTY_CREDS
This issue commonly occurs when the SSIS package ProtectionLevel is set to DontSaveSensitive. In this configuration, SSIS does not retain sensitive data such as passwords, access tokens, or API keys for security purposes.
For reference, review this related article:
SSIS Runtime Connection Error – Package ProtectionLevel set to DontSaveSensitive
Root Cause
The ProtectionLevel property in SSIS defines how sensitive data is stored and protected within a package.
When the ProtectionLevel is set to DontSaveSensitive, any sensitive data (like connection passwords) is removed when the package is saved. Consequently, when you execute the package, SSIS does not have access to the stored credentials, leading to the “Password was empty” error.
In short
DontSaveSensitive: Prevents passwords, tokens, or other sensitive info from being saved.- At runtime, the connection manager cannot access the cleared credentials, leading to the “Password was empty” error.
Resolution Steps
You can resolve this issue by using one of the following approaches:
Option 1: Set ProtectionLevel to EncryptSensitiveWithUserKey
- Open your SSIS project in SQL Server Data Tools (SSDT) or Visual Studio.
- Open the package properties.
- Locate the ProtectionLevel property.
- Change it from
DontSaveSensitivetoEncryptSensitiveWithUserKey. - Save and redeploy the package.
This option allows SSIS to encrypt sensitive information (like passwords) using the current Windows user’s key, ensuring that credentials are securely stored and accessible when executed by the same user.
Note: If the package is executed by a different Windows account (e.g., SQL Agent service account), that user will not be able to decrypt the sensitive data. For shared execution scenarios, use Option 2 below.
Option 2: Parameterize Sensitive Credentials
If you prefer to keep the ProtectionLevel as DontSaveSensitive, parameterize sensitive information such as passwords or tokens so that they can be securely supplied at runtime.
Steps:
- Create package parameters for credentials (e.g.,
ConnPassword). - Configure the connection manager to use the parameter value instead of a static password.
- Store and manage these parameters using one of the following:
- SSIS Environment Variables (for SSISDB deployments)
- SQL Agent Configuration (for job-based execution)
- Configuration files (dtsConfig) for file-based deployments
This ensures that sensitive information is never stored in the package, maintaining compliance with best security practices.
For detailed guidance, refer to the following article:
How to Run an SSIS Package with Sensitive Data on SQL Server
Summary
| Cause | Resolution |
|---|---|
ProtectionLevel set to DontSaveSensitive clears stored passwords |
Change to EncryptSensitiveWithUserKey or use parameters |
| Password becomes empty at runtime | Supply credentials via SSIS parameters or environment variables |
Troubleshooting Notes
- When deploying to SSISDB (Integration Services Catalog):
- Use project parameters and mark sensitive values as Sensitive = True.
- Provide these values in the SSIS Environment and map them at runtime.
- When running via SQL Agent Job:
- Ensure the SQL Agent service account has permission to decrypt credentials (if using
EncryptSensitiveWithUserKey). - If the package was developed under a different user account, credentials may not decrypt properly. In such cases, prefer parameterization.
- Ensure the SQL Agent service account has permission to decrypt credentials (if using
Conclusion
The error “Login incorrect (530). Password was empty” is a common issue related to SSIS package security configurations. By updating the ProtectionLevel or parameterizing credentials, you can resolve this error while maintaining a secure and reliable deployment environment for ZappySys connections.