Running SSMS after AD account is disabled

  • Not everybody uses Kerberos tickets to handle SQL authentication from Windows accounts.

    NTLM would block them a whole lot faster as authentication is done for each command. And there are many companies out there using NTLM still.



    --Mark Tassin
    MCITP - SQL Server DBA
    Proud member of the Anti-RBAR alliance.

  • Nice question, thanks!

    What is more troubling for me is that if you expire and/or disable an AD account, any SQL Agent job(s) set up to run under that account will continue to run until the AD account is deleted, or disabled in SQL Server, way beyond any Kerberos ticket expiration. So the thought that using AD makes security centrally managed isn't true. (The HelpDesk team can't disable SQL users by themselves unless they have access to SQL Server.)
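
One way to check for the situation described in the post above, as an added example that is not from any poster in this thread: it lists enabled SQL Agent jobs, job-step proxy credentials and enabled Windows logins whose account is disabled in AD. It assumes the ActiveDirectory and SqlServer PowerShell modules, a single domain, accounts recorded in DOMAIN\user form, and a placeholder instance name `SQLHOST01`.

```powershell
# Added example; the instance name is a placeholder, not a value from the thread.
Import-Module ActiveDirectory   # Search-ADAccount, Get-ADDomain
Import-Module SqlServer         # Invoke-Sqlcmd

$SqlInstance = 'SQLHOST01'      # placeholder

# Case-insensitive set of DOMAIN\sam names for disabled AD users (current domain only).
$netbios  = (Get-ADDomain).NetBIOSName
$disabled = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)
Search-ADAccount -AccountDisabled -UsersOnly | ForEach-Object {
    [void]$disabled.Add("$netbios\$($_.SamAccountName)")
}

# Each query returns two columns: item (what uses the account) and account.
$checks = [ordered]@{
    'enabled job owner' = @'
SELECT j.name AS item, SUSER_SNAME(j.owner_sid) AS account
FROM msdb.dbo.sysjobs AS j
WHERE j.enabled = 1;
'@
    'job step proxy credential' = @'
SELECT j.name + N' / ' + s.step_name AS item, c.credential_identity AS account
FROM msdb.dbo.sysjobsteps AS s
JOIN msdb.dbo.sysjobs     AS j ON j.job_id = s.job_id
JOIN msdb.dbo.sysproxies  AS p ON p.proxy_id = s.proxy_id
JOIN sys.credentials      AS c ON c.credential_id = p.credential_id
WHERE j.enabled = 1;
'@
    'enabled Windows login' = @'
SELECT sp.name AS item, sp.name AS account
FROM sys.server_principals AS sp
WHERE sp.type = 'U' AND sp.is_disabled = 0;
'@
}

# Report every row whose account is in the disabled-in-AD set.
foreach ($kind in $checks.Keys) {
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $checks[$kind] |
        Where-Object { $_.account -is [string] -and $disabled.Contains($_.account) } |
        Select-Object @{ n = 'Kind'; e = { $kind } }, item, account
}
```

Rows with a NULL account (for example an owner SID that no longer resolves) are skipped by the string check and need a separate review.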

  • This problem applies not only to SQL but also, for example, to Outlook connections to Exchange: even with his/her AD account disabled, the logged-in user is still able to keep sending and receiving e-mail messages until the Kerberos ticket expires. I heard there is a command/utility to kill an individual Kerberos ticket; can anybody remember what it is?

  • You were not explicit in your question. You used a phrase like "run SSMS and keep logging in using Windows authentication ...".

    "keep logging in" in this case did not specify a time limit, and hence could mean days if not weeks! That is why I chose the answer I did and obviously got it wrong!

    Kwex.

  • Thanks, Tom, for sharing this link. I was searching for this for some time.

    ===========================================
    Better try and fail than not to try at all...
