Maroli ICT

Thanks Kevin Chant (b|t)  for hosting this Tsql Tuesday.

You make it hard for me to answer this one. Especially since it is my first official post for a TSQL Tuesday.

As a Database Infrastructural engineer there are some behaviors which you want to change. I am focused on security and ease of working

I do not have many fantasies on SQL Server, but some improvements on the normal components would be nice to have.

When automating installations we embedded nice features like Group Managed Service Accounts (GMSA). One of the features of GMSA is that you can give rights to create Service Principle Names. Service Principle names are required to delegate your permissions through to other web services. Therefore the directory of all your accounts, Active Directory, grants you a Kerberos ticket to tell to all the services that you have the right to touch the data.

When we were building the SQL2016 package, we started to use GMSA accounts. We provisioned the systems with the appropriate credential. SPN creation did not work immediately, but after a certain time, we managed to get it fixed.

One thing did not work. Cleaning up SPN’s for dynamic ports which are created during the initial install, which is kinda weird. Normal SPN’s get removed when the servers is restarted. SPN’s are then recreated. Those initial dynamic SPN’s do not get removed.

This might sound strange, but it can be worse. All other components which use Service Accounts are able to use GMSA, but they do not create SPN’s automatically. If someone can tell me why this is, this might be helpful.  Especially of one keeps in mind that SPN’s and Kerberos tickets are created to prevent double hop issues within a computer domain.

If only this, and only this, could be resolved somehow by Microsoft, it would remove lots of concerns on database security….