Set up authentication for SQL Server

When using Microsoft SQL Server as the Deep Security Manager database, you must use Kerberos as the authentication protocol. You must configure the following components to use Kerberos:

You also need to make sure that system clocks are synchronized. See Synchronize system clocks.

Active Directory

  1. Ensure that Active Directory Domain Controller is installed.
  2. Open Server Manager and ensure that the following services are running:
    • DNS Service
    • Kerberos Key Distribution Service
  3. Ensure that the SQL Server computer has joined the domain.
  4. Create an Active Directory user for Deep Security Manager to use to connect with SQL Server. Configure the account so that the password never expires.
  5. To open ADSI Edit, type the following command in Command Prompt:
    ADSIEdit.msc
  6. Right-click the SQL Server computer and select Properties.
  7. Edit the servicePrincipalNames attribute and add the following strings, or ensure that existing strings use this format:
    • MSSQLSvc/<SQL Server fully qualified name>
    • MSSQLSvc/<SQL Server fully qualified name>:<Port>

The Deep Security Manager computer

The configuration steps differ for Windows and Linux computers.

Windows

  1. To ensure that the DNS forward lookup and reverse lookup services resolve to the Active Directory and MS SQL computers, type the following commands in Command Prompt:
    • nslookup <SQL Server IP address>
    • nslookup <Active Directory Controller IP address>
    • nslookup <SQL Server fully qualified domain name>
    • nslookup <Active Directory Controller fully qualified domain name>
  2. When you install Deep Security Manager, when you are specifying the database connection settings, specify the credentials of the user account that you created in Active Directory. In the Advanced options, specify the correct domain.

Linux

  1. Open the /etc/krb5.conf file in a text editor to configure Kerberos.
  2. Add the following text to the libdefaults section:

    default_realm = <DOMAIN>
    [realms]
    <DOMAIN> = {
    kdc = <ACTIVE_DIRECTORY_CONTROLLER_FQDN>
    admin_server = <ACTIVE_DIRECTORY_CONTROLLER_FQDN>
    }
    [domain_realm]
    .<DOMAIN FQDN> = <DOMAIN>
    <DOMAIN FQDN> = <DOMAIN>

  3. Save and close the file.
  4. To ensure that the DNS forward lookup and reverse lookup services resolve to the Active Directory and MS SQL computers, type the following commands in Terminal:
    • nslookup <SQL Server IP address>
    • nslookup <Active Directory Controller IP address>
    • nslookup <SQL Server fully qualified domain name>
    • nslookup <Active Directory Controller fully qualified domain name>

Microsoft SQL Server

  1. Add a Login for the Active Directory user that you created for Deep Security Manager (See https://msdn.microsoft.com/en-us/library/aa337562(v=sql.105).aspx):
    • Select Windows authentication.
    • For Server Roles, select dbcreator. (The public role should be selected by default.)
    • For User Mapping, map the db_owner role membership to the Deep Security Manager database.
  2. Ensure that the DNS forward lookup and reverse lookup services resolve to the SQL Server computer. Type the following commands in Command Prompt:
    • nslookup <SQL Server IP address>
    • nslookup <SQL Server fully qualified domain name>

Synchronize system clocks

Kerberos authentication requires that the system clocks of authenticating computers are within five minutes of the Active Directory system clock. Ensure that you synchronize the Active Directory and SQL Server system clocks.