Connecting from VA to MS SQL server without using local account

Please consider addressing the following when creating your topic:

  • What have you tried? Local login works (can’t use in higher environments)
  • What errors did you face (share screenshots)? No errors, just need recommendation / step to connect some other way.
  • Share the details of your efforts (code / search query, workflow json etc.)?
  • What is the result you are getting and what were you expecting? Steps to connect other than using a local MS SQL Server account.

We were able to connect from our VAs to an MS SQL Server in our DEV environment. Unfortunately, a local account on the MS SQL Server is NOT allowed in our higher environments. As such, we need to configure our VAs to connect to our MS SQL Server some other way. Please provide detailed steps on how to connect from our VAs that will NOT be overwritten with the next VA update.

I see a similar post but no clear path forward: https://developer.sailpoint.com/discuss/t/identitynow-jdbc-connector-with-authentication-via-active-directory-account/17591/8

I never tried it through ISC, but to my knowledge at least you need a Mixed Mode authentication setup in SQL Server to allow a Windows service account to access the DB, and it could avoid the local SQL Server user. Please look at "Choose an Authentication Mode - SQL Server | Microsoft Learn"; it requires a change in the MS SQL Server setup.

Thanks Suresh, that is what our DBAs are trying to avoid—change the configuration of the MS Server setup to accommodate ISC / local logins.

Can I configure our VAs to log in to our MS SQL Servers using Kerberos? How? Steps?

Will my settings get overwritten with the next VA update?

I assume you may have already checked the documentation; anyway, refer to "Windows Authentication and Kerberos" for the detailed steps. Also refer to the post on integrating with Kerberos, "ISC/MSSQL/Kerberos integration [unable to obtain principal name for authentication]", which could help you proceed further.

The VA will not overwrite your config unless you make any changes in its core services, which may lead to a VA crash.

The links you provided led me to a fabulous article (snippet from his post below):

I have also created an SPN for the Windows service account as stated in this Kerberos Authentication Setup Checklist (thanks @nhassan)

I am using this article to build a Kerberos connection from our VAs to our databases.

Thanks,

CW