Topics: |
How to: |
You can use Active Directory Users and Computers to create two domain user accounts for SQL Server in Active Directory: one for the SQL Server database account, and one (if needed) for the SQL Serve Reporting services.
Perform the following tasks for each of these accounts created for SQL and Kerberos:
If the computer that is running SQL Server is the last computer contacted, but that computer has a linked server, it must also be granted delegation permissions. If it is not the last computer in the chain, all the computers that are intermediaries must be trusted for delegation.
After installing and configuring SQL Server, you are returned to the Active Directory Domain Controller where you will need to configure the account properties of the MSSQL user.
For more information, see the Microsoft support matrix for additional features at https://msdn.microsoft.com/en-us/library/cc645993(v=sql.120).aspx#Enterprise_security.
You can also see the Microsoft Quick Start Installation guide at https://msdn.microsoft.com/en-us/library/bb500433(v=sql.120).aspx.
The SQL server must be installed on a Windows or Integrated authentication only. It is not possible to have a secure Kerberos connection mode when there can be a backdoor through a a native mode account. In Integrated mode the SA account is present but disabled.
The TCP/IP Properties dialog opens.
The Object Explorer opens, as shown in the following image.
The Login New dialog opens.
The Select Window or Group dialog opens, with the current machine name already indicated in the From this location field, as shown in the following image.
The Select User or Group dialog returns, but the From this location field now shows Users instead of the local machine name, as shown in the following image.
The Select User, Service Account, or Group dialog opens, as shown in the following image.
The list box fills with the users of the domain.
The Find property page closes and the list box of the Select User, Service Account, or Group dialog now displays the selected account in user principal name format.
The Login New dialog now shows the SQL server user in Windows 2000 format Domain\User, as shown in the following image.
On the left side of the dialog, the Select a page section is positioned on General.
The Add Objects dialog appears, as shown in the following image.
The Select Object types dialog opens, as shown in the following image.
This must be done for the User for SQL Server connection and may be done for additional regular SQL Server users.
You can install it into the following drive:
C:\Program Files\Microsoft\Kerberos Configuration Manager for SQL Server
No shortcuts or entries are added to the windows Start menu.
The Configuration Manager window opens.
A dialog window opens with the connection parameter credential fields. Do not enter anything into the fields, as shown in the following image.
The following tabs appear:
The System tab shows the connection information on the machine with SQL Server installed.
The SPN tab allows you to see the Instance Name and the associated Service Account. You can scroll to the far right to see the Required SPN. If the SPN is not present in the Active Directory, then the two buttons Fix and Generate will be enabled. The Generate option will dynamically create the SPNs on the system and link them to the account. You can perform this action for as many SPNs as are listed in red (if Fix is selected, the changes are written to a file to be executed at a later time). It can be useful to keep a record of the changes, since the will be generated anyway.
When finished, the Status column will have a green check box and the word Good for all SPNs and accounts.
Enter the following syntax as a template on the Domain controller:
setspn -A MSSQLSvc/myhost.redmond.microsoft.com:1433 accountname
Your host and domain name should be specified. The account name is the domain user account, which uses the principal name format.
For named instances, use the following format:
setspn -A MSSQLSvc/myhost.redmond.microsoft.com:1433 accountname
If the computer that is running SQL Server is the last computer contacted (and the computer has a linked server), the it must also be granted delegation permissions. If it is not the last computer in the chain, then all the computers that are intermediaries must be trusted for delegation.
You must have a domain user account for clustered SQL Server installations.
Note: This step is not required for computers that are running SQL Server and using a local system account.
The following object types are selected by default.
You are returned to the Delegation page of the Account properties, with one or more entries in the service principal name list.
You can select all or as many entries as you wish, and then click Add to register the selection in Active Directory.
The JDBC driver needs these permissions. Do not perform step 12 unless dynamic SPNs are enabled throughout the enterprise.
To enable the enterprise, you must grant the following access control settings for the SQL Server service account in the Active Directory directory service:
Important:
Perform the following steps to configure the SQL Server service to create SPNs dynamically when the SQL Server service starts:
Notes:
Important: There are many properties and each must be searched for in the list. If they do not appear, the wrong object is selected or delegation is not enabled on the account.
Important: You should only delete the SPNs for the instances of SQL Server that you are currently working on. The other instances of SQL Server that use this service account will be able to remove the SPNs that are related to these instances the next time that you start these instances.
Dynamic SPNs eliminate problems if you change the TCP/IP port or the domain name for new installations of SQL Server, or for existing instances of SQL Server (though they are harder to diagnose). For more information, see SQL Server Clustered Server Warning.