Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 

Ryan Adams

Ryan Adams has worked for Verizon for 15 years. His primary focus is the SQL Server Engine, high availability, and disaster recovery. Previously he was a Senior Active Directory Architect and designed the company's worldwide Active Directory infrastructure. He serves on the Board of Directors for the North Texas SQL Server User Group and is President of the PASS Performance Virtual Chapter. He also serves as a Regional Mentor for PASS and holds the following certifications: MCP MCSA MCSE MCDBA MCTS MCITP.

Configure Kerberos for SQL with Virtual Accounts

At a conference recently I had someone ask how they would configure Kerberos for accounts that look like “NT Service\MSSQLServer” or “NT Service\MSSQL$MyInstance”.  Please note that these are NOT the built-in system accounts, even though they look similar.  The system accounts are “Local System”, “Local Service”, and “Network Service”.  The “NT Service” accounts are virtual accounts that were released in Windows 7 and Windows Server 2008 R2.  If you are familiar with Managed Service Accounts and Group Managed Service Accounts these virtual accounts are very similar but local.  In fact they are sometimes referred to as Managed Local Accounts.

If you are using one of these accounts, which is now the default if you do not specify a domain account during SQL setup, then how do you configure your SQL Server for Kerberos authentication?  The answer is quite simple.  You start using domain accounts.  Seriously, you should be using domain accounts and using separate accounts for every SQL Server.  Okay so that’s not the answer you were looking for, so if you can’t change over to domain accounts for some reason then here’s the answer…

You place your SPNs on the computer object account for the server.  By default, computer object accounts have the necessary permissions to manage their own SPNs.  You shouldn’t actually need to register SPNs when using these accounts and your SQL Server should already be authenticating with Kerberos.  If that is not the case then you will need to register the SPNs yourself or check the permissions on the computer object account in Active Directory.

Comments

Leave a comment on the original post [www.ryanjadams.com, opens in a new window]

Loading comments...