0

There was an incident this week where one of our SQL Server instances was unexpectedly offline. I found the Windows Services that run the instance stopped and was unable to start them again due to the accounts used by the services being disabled. Allegedly those accounts had been disabled roughly three weeks ago.

The Windows server housing these services was restarted in the early morning that it was found to be down. I had last accessed that instance just a few hours before the reboot without issue. This leads me to believe that there is zero re-authentication that happens for credentials on a constantly running service. Is this true? And if not, what are the policies or defaults that control that behavior?

Everything I've been able to find searching online so far is regarding local authentication of a disabled account that happens when a device is not on the domain network. I just can't seem to find anything talking about disabled AD accounts used on services other than the standard troubleshooting steps for when a service won't start.

Improve this question

1 Answer 1

Reset to default
3

It depend on your service.

The account used for the service to start will get a kerberos ticket from the domain controller at the service startup. What the service do after with that ticket impact when the account error will happen.

For a SQL instance the issue is when the SQL instance is up and the authentification method is done by SQL, you might see the issue only later like in your case. The issue is if the service don't need to interact with other network ressource, it will do its own stuff locally without any issue, until you reboot or try to restart the service. (or if your SQL do Windows authentication)

A example from another product; like the Microsoft Exchange Topologie Active Directory service, that service poke the domain controller. it's is job. So yes in such case closing the account from what that service run will got a immediate impact.

It's best practice to use a service account, but to document them is really important. Disabling one such account should not be done if the service is still running.

Improve this answer
3
  • For 99% of use cases on that instance we use Windows Authentication. Am I correct in understanding that, at a minimum, SQL should not have been able to authenticate our connections because it would require SQL itself being re-authenticated to the domain controller? Or does the kerberos ticket count as being authenticated that whole time?
    – Logarr
    Sep 20 at 17:15
  • @Logarr Windows authentication for SQL Studio Manager, but for the client application it get more complex, as that part can depend too, as if you got an application X that read the SQL database, your clients might be authentication by windows, but by the application directly. (The application might use an SQL account to read the SQL, while the local client on the desktop use another method)
    – yagmoth555
    Sep 20 at 17:20
  • We use integrated security in our SQL connections from all of our applications. The applications in question are in IIS and run using other AD service accounts. The only exceptions that use SQL Authentication are some backup tools and emergency access.
    – Logarr
    Sep 20 at 18:02

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .