Change server authentication mode

Applies to: SQL Server

This article describes how to change the server authentication mode in SQL Server by using SQL Server Management Studio or Transact-SQL. During installation, SQL Server Database Engine is set to either Windows Authentication mode or SQL Server and Windows Authentication mode. After installation, you can change the authentication mode at any time.

If Windows Authentication mode is selected during installation, the sa login is disabled and a password is assigned by setup. If you later change authentication mode to SQL Server and Windows Authentication mode, the sa login remains disabled. To use the sa login, use the ALTER LOGIN statement to enable the sa login and assign a new password. The sa login can only connect to the server by using SQL Server Authentication.

Remarks

The sa account is a well known SQL Server account, and is often targeted by malicious users. Don't enable the sa account unless your application requires it. It's important that you use a strong password for the sa login.

You can enable the sa login with SSMS or Transact-SQL.

SQL Server Management Studio

1. In Object Explorer, expand Security, expand Logins, right-click sa, and then select Properties.

2. On the General page, you might have to create and confirm a password for the sa login.

3. On the Status page, in the Login section, select Enabled, and then select OK.

Transact-SQL

The following example enables the sa login and sets a new password. Replace <enterStrongPasswordHere> with a strong password before you run it.

ALTER LOGIN sa ENABLE;
GO
ALTER LOGIN sa WITH PASSWORD = '<enterStrongPasswordHere>';
GO

Change authentication mode with SQL Server Management Studio

1. In SQL Server Management Studio (SSMS) Object Explorer, right-click the server, and then select Properties.

2. On the Security page, under Server authentication, select the new server authentication mode, and then select OK.

3. In the SQL Server Management Studio dialog box, select OK to acknowledge the requirement to restart SQL Server.

4. In Object Explorer, right-click your server, and then select Restart. If SQL Server Agent is running, it must also be restarted.

Examples

Caution

The following examples use an extended stored procedure to modify the server registry. Serious problems might occur if you modify the registry incorrectly. These problems might require you to reinstall the operating system. Microsoft can't guarantee that these problems can be resolved. Modify the registry at your own risk.

The permissions required to change the authentication mode are sysadmin or CONTROL SERVER.

A. Change authentication to Windows only

1. Change server authentication to Windows only:

   USE [master]
   GO
   EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE',
        N'Software\Microsoft\MSSQLServer\MSSQLServer',
        N'LoginMode', REG_DWORD, 1;
   GO
   

2. Disable the sa account:

   USE [master]
   GO
   
   ALTER LOGIN sa DISABLE;
   GO
   

B. Change authentication to mixed mode (Windows and SQL)

1. Enable the sa account and set a strong password:

   USE [master]
   GO
   
   ALTER LOGIN sa ENABLE;
   GO
   
   ALTER LOGIN sa WITH PASSWORD = '<enterStrongPasswordHere>';
   GO
   

2. Change server authentication to mixed mode:

   EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE',
       N'Software\Microsoft\MSSQLServer\MSSQLServer',
       N'LoginMode', REG_DWORD, 2;
   GO
   

Related content

• Strong Passwords
• Security Considerations for a SQL Server Installation
• ALTER LOGIN (Transact-SQL)
• Connect to SQL Server when system administrators are locked out