April 25, 2011 at 12:09 pm
Not everybody uses Kerberos tickets to handle SQL authentication from Windows accounts.
NTLM would block them a whole lot faster, as authentication is done for each command. And there are many companies out there still using NTLM.
April 26, 2011 at 3:52 pm
Nice question, thanks!
What is more troubling for me is that if you expire and/or disable an AD account, any SQL Agent job(s) set up to run under that account will continue to run until the AD account is deleted, or disabled in SQL Server, way beyond any Kerberos ticket expiration. So the thought that using AD makes security centrally managed isn't true. (The HelpDesk team can't disable SQL users by themselves unless they have access to SQL Server.)
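One way to catch the situation this post describes, as an added example that is not part of the thread: list SQL Agent proxies and enabled job owners that map to DOMAIN\user identities and flag the ones whose AD account is already disabled. It assumes the SqlServer and ActiveDirectory PowerShell modules are installed, and the instance name is a placeholder.

```powershell
# Added example (not from the thread). Assumes the SqlServer and ActiveDirectory modules.
Import-Module SqlServer
Import-Module ActiveDirectory

$Instance = 'SQLHOST\INSTANCE'   # placeholder, replace with your instance

# Proxies run steps under a credential's identity; non-sysadmin job owners run T-SQL steps as themselves.
$query = @"
SELECT 'proxy' AS kind, p.name AS object_name, c.credential_identity AS identity_name
FROM msdb.dbo.sysproxies AS p
JOIN sys.credentials AS c ON c.credential_id = p.credential_id
UNION ALL
SELECT 'job', j.name, SUSER_SNAME(j.owner_sid)
FROM msdb.dbo.sysjobs AS j
WHERE j.enabled = 1;
"@

$rows = Invoke-Sqlcmd -ServerInstance $Instance -Database msdb -Query $query

foreach ($row in $rows) {
    $identity = [string]$row.identity_name
    # Only DOMAIN\user style names can be looked up in AD; skip SQL logins and empty owners.
    if ($identity -notmatch '^[^\\]+\\[^\\]+$') { continue }
    $sam = $identity.Split('\')[1]
    # Lookup is by SamAccountName only, so it assumes a single domain.
    $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Properties Enabled -ErrorAction SilentlyContinue
    if ($null -eq $user) { continue }   # group or machine account, not a user
    if (-not $user.Enabled) {
        [pscustomobject]@{
            Kind     = $row.kind
            Object   = $row.object_name
            Identity = $identity
            # The SQL-side action the post mentions: disable the login in SQL Server as well.
            Fix      = "ALTER LOGIN [$identity] DISABLE;"
        }
    }
}
```

Each emitted row is a job or proxy that will keep running after the AD disable until the matching SQL Server login is disabled too.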
April 27, 2011 at 3:35 am
This problem refers not only to SQL but also, for example, to Outlook connections to Exchange: even with his/her AD account disabled, the logged-in user is still able to keep sending and receiving e-mail messages until the Kerberos ticket expires. I heard there is a command/utility to kill an individual Kerberos ticket; can anybody remember what it is?
May 5, 2011 at 3:17 am
You were not explicit in your question. You used a phrase like "run SSMS and keep logging in using Windows authentication ...".
"keep logging in" in this case did not specify a time limit, and hence could mean days if not weeks! That is why I chose the answer I did and obviously got it wrong!
Kwex.
September 1, 2011 at 8:36 pm