Connecting to SQL Server Using Cached Credentials

Tags: authentication, sql-server, sql-server-2005

While migrating from SQL authentication (user-password) to integrated security I ran into an unexpected combination of requirements.

  • SQL clients are services running under a LOCALSYSTEM or NETWORKSERVICE account
  • SQL clients use integrated security to connect to the local SQL Server
  • The system is in an AD domain.
  • Database connections must be successfully established even when network connectivity to the domain controller is down for hours or days at a time.

On the luckier side, the SQL clients and SQL Server (2005 SP4) always run on the same box.

The conclusion of reading, experiments done so far and a support call to MS seems to have been that I cannot meet all these requirements at the same time, regardless of whether Kerberos or NTLM is used.

On the other hand I see some references to cached credentials that are giving me hopes that it might be possible to somehow connect to the database using cached credentials, under some conditions, following a previous successful domain login (service startup, or previously established connection).

  1. Is anyone successfully using cached domain credentials to connect to a local SQL Server from a service running under a domain account, during prolonged DC outages? How is that configured? What are the security implications?

  2. Are the four requirements above really incompatible?

Best Answer

Service accounts can't make use of cached credentials. Only interactive users can use cached credentials.

As everything is running on the same server, create local Windows accounts and set up the services to run under those local Windows accounts. Local accounts have no requirement that Active Directory actually be online.
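One way to carry out the answer's suggestion, as an added example that is not part of the question or the answer: the service name `MyAppSvc`, the local account `svc_myapp` and the database `AppDb` are assumed, the box is assumed to run Windows PowerShell 5.1 with `sqlcmd` on the path, and the T-SQL uses `sp_addrolemember` so that it also works on the SQL Server 2005 SP4 instance mentioned in the question.

```powershell
# Added example, not from the question or answer. Service, account and database
# names below are hypothetical placeholders.
$AccountName = 'svc_myapp'
$ServiceName = 'MyAppSvc'
$Database    = 'AppDb'

# 1. Create a dedicated local (SAM) account. Logon for a machine-local account is
#    validated by the local SAM, so it does not depend on reaching a domain controller.
Add-Type -AssemblyName System.Web
$plain  = [System.Web.Security.Membership]::GeneratePassword(24, 4)
$secure = ConvertTo-SecureString $plain -AsPlainText -Force
New-LocalUser -Name $AccountName -Password $secure -PasswordNeverExpires `
    -UserMayNotChangePassword -Description "Runs $ServiceName; local only, no admin rights"
# Deliberately NOT added to Administrators: the service gets only the rights it needs.

# 2. Run the service under that account. sc.exe does not grant the
#    "Log on as a service" right (SeServiceLogonRight); grant it via Local Security
#    Policy (secpol.msc) or configuration management before starting the service.
#    The SCM stores this password in LSA secrets, readable by local admins, so keep
#    the local Administrators group on the box small.
sc.exe config $ServiceName obj= ".\$AccountName" password= "$plain"
Remove-Variable plain

# 3. Map the local account to a SQL login with least privilege in the database.
#    Integrated security (SSPI) then authenticates the local principal; a DC outage
#    no longer sits in the connection path.
$login = "$env:COMPUTERNAME\$AccountName"
$tsql = @"
CREATE LOGIN [$login] FROM WINDOWS;
USE [$Database];
CREATE USER [$login] FOR LOGIN [$login];
EXEC sp_addrolemember 'db_datareader', '$login';
EXEC sp_addrolemember 'db_datawriter', '$login';
"@
sqlcmd -S . -E -Q $tsql

# 4. Verify: the login exists as a local (MACHINE\user) principal, not a domain one,
#    and the service starts under the new identity.
sqlcmd -S . -E -Q "SELECT name, type_desc FROM sys.server_principals WHERE name = '$login';"
Restart-Service $ServiceName
Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" | Select-Object Name, StartName, State

# The service's own connection string needs no password at all:
#   Server=.;Database=AppDb;Integrated Security=SSPI;
```

The trade-off the original question asks about still applies: this account is unknown to the domain, so any access the service needs to remote domain resources must be handled separately.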