kerberos SQL service accounts
- From: "skip" <shofmann@xxxxxxx>
- Date: Wed, 25 Feb 2009 09:08:32 -0800
Hello all
The AD forest and domain are at Windows 2003 native mode. The SQL DBAs are being asked to change all SQL service accounts from local system to a domain user account. My question is (and if this is not the correct forum for this, please politely let me know): once the SQL service account is changed from local system to a domain user account, does SQL start using Kerberos authentication? Does the SPN for the domain account get registered in AD automatically? If I have a SQL cluster that has several SQL instances or virtual servers that are running on one of the physical nodes in the cluster, what SPN gets registered in AD? I would think I would need to register an SPN for the service account that is running on the SQL virtual server or instance and not the physical node?
Example: physical node name is irv-idc-ms11; SQL virtual server running on the physical node is irv-idc-vs11. Service account name is sqladmin. If I did a query on the service account name (sqladmin) using setspn, then, if this is correct, the output from the command should look like
"MSSQLSvc/irv-idc-vs11"
Last question: delegation. If the SPNs are registered correctly for the service account, why must I enable delegation on the service account in AD?
Many thanks for any guidance on this