Updated process of configuring AD integrated authentication for SQL Server on Linux
Microsoft

SQL Server 2017 was the first version of SQL Server made available on the Linux platform, and we have continued our commitment with SQL Server 2019 as well. Active Directory integrated authentication has been a cornerstone of authorization and security for SQL Server since the beginning of the product. AD integrated authentication was also made available for SQL Server 2017 on Linux.

We received feedback that users found configuring AD integrated authentication for SQL Server on Linux effort-intensive and error-prone. Furthermore, there were two separate processes for Managed Service Account (MSA) and User Principal Name (UPN) accounts, which required slightly different options to be configured. The process also could not be automated, because it required passwords to be entered manually.

We also found that ktutil, the tool used to configure the keytab entries, did not create entries for the AES encryption cipher with correct salting. Those entries always failed AD authentication, which then fell back to the RC4 encryption cipher, an older and weaker cipher. Overall, it was determined that the experience should be much better and smoother than it has been so far.

Taking this feedback in stride, the team worked diligently, with assistance from our partners in the Linux OS community such as the Red Hat identity team, to build a new process for configuring AD integrated authentication for SQL Server on Linux. The new process merges the different approaches for MSA and UPN accounts into one. It also reduces the number of steps required to configure AD authentication. It uses ktpass instead of ktutil to create correctly salted keytab entries, ensuring that the AES encryption cipher works correctly for AD authentication. It also eliminates the manual inputs from the configuration process, opening it up to the possibility of automation.
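To confirm which ciphers a regenerated keytab actually offers, its entries can be listed by encryption type. The following is an added example, not code from the original post or the linked tutorial: it parses the MIT keytab format 0x0502 and reports RC4 (enctype 23) entries. The SPN, realm and all-zero keys in the sample are constructed.

```python
import struct

# Kerberos enctype numbers (IANA registry); 23 is the RC4 cipher the text calls weaker.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def read_counted(buf, pos):
    """Read a uint16-length-prefixed string; return (text, next_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(buf):
    """Yield (principal, kvno, enctype) per entry of an MIT keytab (format 0x0502)."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, pos)
        start, pos = pos + 4, pos + 4 + abs(size)    # pos now points at the next record
        if size <= 0:                                # negative size marks a deleted entry (hole)
            continue
        (ncomp,) = struct.unpack_from(">H", buf, start)
        realm, p = read_counted(buf, start + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = read_counted(buf, p)
            comps.append(comp)
        # 8 bytes of name type + timestamp precede the 8-bit kvno, enctype and key length
        kvno, enctype, keylen = struct.unpack_from(">BHH", buf, p + 8)
        p += 13 + keylen
        if pos - p >= 4:                             # optional 32-bit kvno; nonzero overrides
            kvno = struct.unpack_from(">I", buf, p)[0] or kvno
        yield "/".join(comps) + "@" + realm, kvno, enctype

def rc4_entries(buf):
    """Return (principal, kvno, enctype name) for every RC4 entry in the keytab."""
    return [(pr, kv, ENCTYPES[et]) for pr, kv, et in parse_keytab(buf) if et == 23]

def build_entry(realm, comps, kvno, enctype, key):
    """Serialize one keytab entry; used only to build the constructed sample."""
    s = lambda t: struct.pack(">H", len(t)) + t.encode()
    body = struct.pack(">H", len(comps)) + s(realm) + b"".join(map(s, comps))
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: hypothetical SPN and realm, all-zero dummy keys (no real key material).
SPN = ["MSSQLSvc", "sqlhost.contoso.com:1433"]
SAMPLE = b"\x05\x02" + b"".join(
    build_entry("CONTOSO.COM", SPN, 2, et, bytes(n)) for et, n in ((18, 32), (17, 16), (23, 16)))
```

A keytab stores only the derived keys, so this check shows which encryption types are present, not whether an AES key was derived with the salt AD expects.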

Read about the updated process on the following documentation page and let us know if it is helpful. Please also continue to provide feedback so we can learn from it and act to ensure users continue to have a great experience with SQL Server on the Linux platform.

Tutorial: Use Active Directory authentication with SQL Server on Linux

https://docs.microsoft.com/en-us/sql/linux/sql-server-linux-active-directory-authentication?view=sql-server-linux-ver15

Dylan Gray (Senior software engineer)

Mitchell Sternke (Senior software engineer)

Ben Ko (Senior software engineer)

Mike Habben (Principal software engineering manager)

Tejas Shah (Principal program manager)