RE: Windows Authentication in a NT domain vs in an Active Director

From: Kevin McDonnell [MSFT] (kevmc_at_online.microsoft.com)
Date: 02/26/05

    Date: Sat, 26 Feb 2005 00:25:59 GMT
    
    

    Responses inline:

    1. Does SPN exist for a Windows 2000 server or Windows XP machine in a
    Windows NT domain? How about in a Windows 2000 domain without Active
    Directory?

    --- Not in a Windows NT domain. SPNs will exist for the hostname for a
    machine in AD.
    SPNs don't exist for SQL unless the service is running under localsystem,
    which is not recommended. Only the Domain Admin has privileges to add a new
    SPN for SQL.

    Also, you can't add SPNs for a server with Dynamic ports because the port
    number is part of the SPN.
    The server must be using Static ports.

    2. How to use the setspn.exe to create and list SPN for an instance of SQL
    Server (e.g. the server instance is PETER\TEST1, domain name is W2KDOMAIN,
    SQL Server service is using W2KDOMAIN\PETER to start the service)?

    --- Setspn -A MSSQLSvc/VirtualSQLServerNameHere.W2KDOMAIN:PortNumber Peter

    See the kb for example.
    319723 INF: SQL Server 2000 Kerberos support including SQL Server virtual
    http://support.microsoft.com/?id=319723

    3. Same as #2 except SQL Server service is using local system account to
    start the service.

    localsystem is not recommended for Standalone service accounts, nor
    Clustered Servers.
    It should be a domain account per the following article on Virtual SQL
    Server accounts.

    239885 How to change service accounts on a SQL virtual server
    http://support.microsoft.com/?id=239885

    Thanks,

    Kevin McDonnell
    Microsoft Corporation

    This posting is provided AS IS with no warranties, and confers no rights.
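
For the "create and list" part of question 2, the following is an added example that is not part of the original post or Microsoft's own code: it lists the MSSQLSvc SPNs on the service account with `setspn -L`, checks for the expected host:port SPN, and prints the `setspn -A` command if it is missing. The host name `sqlhost.w2kdomain.example` and port `1433` are constructed placeholders; the account `W2KDOMAIN\PETER` comes from the question.

```powershell
# Added example. $SqlHostFqdn and $StaticPort are constructed placeholders,
# not values from the post. $ServiceAccount is the account named in question 2.
param(
    [string]$SqlHostFqdn    = 'sqlhost.w2kdomain.example',
    [int]   $StaticPort     = 1433,
    [string]$ServiceAccount = 'W2KDOMAIN\PETER'
)

# The port is part of the SPN, so it must be a fixed, valid TCP port.
if ($StaticPort -lt 1 -or $StaticPort -gt 65535) {
    throw "StaticPort must be between 1 and 65535."
}
$expectedSpn = "MSSQLSvc/${SqlHostFqdn}:${StaticPort}"

# setspn -L prints a header line, then one indented SPN per line.
$output = & setspn.exe -L $ServiceAccount 2>&1
if ($LASTEXITCODE -ne 0) {
    throw "setspn -L failed for ${ServiceAccount}: $output"
}

# Keep only the SQL Server SPNs; the header line and other services are dropped.
$sqlSpns = @($output |
    ForEach-Object { "$_".Trim() } |
    Where-Object { $_ -like 'MSSQLSvc/*' })

Write-Host "MSSQLSvc SPNs registered on ${ServiceAccount}:"
if ($sqlSpns.Count -eq 0) { Write-Host '  (none)' }
foreach ($s in $sqlSpns) {
    # Flag entries whose suffix is not a numeric port.
    $note = if ($s -match ':\d+$') { '' } else { '  <- no numeric port' }
    Write-Host "  $s$note"
}

# -contains compares case-insensitively, which matches how SPNs are treated.
if ($sqlSpns -contains $expectedSpn) {
    Write-Host "OK: $expectedSpn is registered."
} else {
    # Adding the SPN needs Domain Admin rights, so only print the command.
    Write-Host "Missing: $expectedSpn"
    Write-Host "Register with: setspn -A $expectedSpn $ServiceAccount"
}
```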

