SSG Founder and Principal Consultant Randy Knight and Senior Consultant Dan Maenle are both presenting at the PASS Data Community Summit 2022, November 15-18. This is a hybrid event, with sessions in Seattle and online.
Randy will present twice. The first session is titled Kerberos, SPNs, and the Dreaded “Cannot Generate SSPI Context” Error.
Whether you’re a SysAdmin, DBA, Developer, or even an end user, or if you’ve been working with SQL Server for any length of time, you’ve likely seen the error “Cannot Generate SSPI Context” when trying to connect using Windows Integrated Authentication. It may be intermittent, affecting only certain users or computers, or it could be widespread. Either way it is not a particularly user-friendly or intuitive error. Additionally, too many applications default to standard authentication because it’s “easy” and has less moving parts and things to go wrong. However, it is also inherently insecure, particularly when care is not taken to store passwords in a secure location such as Azure Key Vault.
In this demo heavy session, we will dive into the internals of Active Directory Integrated Authentication, Kerberos, and how SQL Server uses it. We’ll look at Service Principal Names (SPNs), how they are created and managed, and what can go wrong. The Kerberos “double-hop” scenario will be explained, along with how to configure the environment to support multi-hop scenarios such as linked servers using impersonation.
Tools such as the Microsoft Kerberos Authentication Manager, setspn.exe, and DBATools Powershell commands will be used to troubleshoot and configure the environment. Attendees will walk away with a set of tools and scripts for working with Kerberos in SQL Server.
The second is a lightning talk, Secure Your SQL Server Services Using Group Managed Service Accounts.
Managing and rotating service account passwords is one of the more tedious and time-consuming DBA tasks. Consequently, it is often overlooked. Locking down the service account is an important piece of the overall security picture that needs to be addressed in every environment. Group Managed Service Accounts (gMSA) are special Active Directory Accounts that have a rotating password managed by Active Directory. Not only do you not need to rotate the password, you don’t even need to know it!
In this lightning talk, we will review the components needed to use gMSA’s and demonstrate the process to switch service accounts from normal domain accounts to gMSA’s.
Dan’s session is titled Introduction to SQL Audit and Audit Reports.
Do you need to know who is doing stuff in your database? Do you suffer long hours trying to find what is causing changes?
SQL Audit allows for you to track changes within SQL server. Either on the server level or the database level. You can now see who is making changes. Who does that unexpected update to your table…SQL Audit! Since SQL Server 2016 sp2+ you have access to database audit specifications on Standard edition. So, let’s leverage this data to a driving force for data compliance.
In this session I will go over how to build a simple SQL Audit, and how to then empower your SQL Audit into consumable reports which will be built to make the data useful for tracking purposes, using SQLAuditCentral.
This is to be a primer session but also give you enough to have a great start and get great insights into what your SQL server is doing, and how to move forward into greater insights into changes, of the who and the what. We will be discussing server level and database level audit specifications.