Constrained Delegation

Victor 66 Reputation points
2022-02-11T03:20:31.297+00:00

Hello,

Trying to implement Constrained delegation for AD sql server service account. We did create SPN for the AD sql server service account (SQL2k19 version). No issues. Inside Active Directory Users and Computers, when I right click on the AD sql server service account, select Properties, select Delegation tab, I will be selecting Trust this user for delegation to specified services only and Kerberos only. When I am adding Users and Computers, I should be selecting MSSQLSvc service type which has SPNs created. My question is do I need to select the name of the concerned sql server where the AD sql server service account resides right?

Secondly, if there are windows failover cluster hosting 2 or more AlwaysOn nodes, on the MSSQLSvc service type Users and Computers field, do I need to include the FQDNs of all those sql server AlwaysOn nodes?

Will greatly appreciate your early response.
Thanks.
Vinaya Rao

SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
12,654 questions
0 comments No comments
{count} votes

Accepted answer
  1. AmeliaGu-MSFT 13,961 Reputation points Microsoft Vendor
    2022-02-14T07:32:01.56+00:00

    Hi Victor-1779,

    Thanks for your reply.
    Selecting Use any authentication protocol means some clients will use other authentication methods, such as NTLM or forms-based authentication.
    You can use Kerberos Configuration manager for SQL Server to check if there are any delegation issues. Please refer to this doc which might help.

    Best Regards.
    Amelia

    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. AmeliaGu-MSFT 13,961 Reputation points Microsoft Vendor
    2022-02-11T09:03:45.703+00:00

    Hi Vitor-1779,

    My question is do I need to select the name of the concerned sql server where the AD sql server service account resides right?

    Yes, we need to select <FQDN>:<port> | <instancename> for your SQL Server by going to domain controller -> open active directory users and computers -> users -> right-click the SQL Server Service account in users folder -> Properties->delegation tab.

    if there are windows failover cluster hosting 2 or more AlwaysOn nodes, on the MSSQLSvc service type Users and Computers field, do I need to include the FQDNs of all those sql server AlwaysOn nodes?

    You can try to trust service account for delegation to alwayson listener FQDN.

    173448-image.png

    Regards,
    Amelia


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

  2. Victor 66 Reputation points
    2022-02-14T00:43:22.97+00:00

    Amelia,

    Thanks for the response. Sorry, one more question. Selecting the radio button "Use any authentication protocol" would mean anything other than Kerberos. Can you please give couple of examples of such protocols?
    Victor

    0 comments No comments