Sql-server – how service sid operate under the covers

sql serversql-server-2008

This question is out of curiosity and it left me in confusion whether service account as any role to play in SQL Server startup and shutdown?

Can anybody explain how SQL Server 2008 Service Sids work and what is difference between Service SID and Service Account?

Little background :
From SQL Server 2008, I see the service sid's are added to the SQLServer Groups which gets created on the computer.
For example, I have installed SQL Server 2008 instance on my Desktop PC and when open Computer management and check the sql server groups for my newly installed instance,
I see that Service SID is added to the group.

Start -> Run -> compmgmt.msc

I used the below command at command prompt to view the SID. I see the same SID is getting added to the windows groups created by sql server instance.

sc showsid MSSQLSERVER

Now my actual question is, prior to SQL Server 2008, we used have domain account used as service account and this is one which gets added to the Groups which are created during SQL Server installation.
But from SQL Server 2008, it is the service SID which is being added to the Groups which gets created.
If the service SID is now assigned the necessary permissions, what is the need for the Service account then? Is is just a container for the service?

It makes even more interesting if we consider Windows Server 2008 and SQL Server 2008 clusters.
On Windows Server 2008 cluster, the cluster service runs as Local system and considering I am using service sids instead of domain group, how come WFCS is able to communicate with Active Directory to bring the CNO's (sql network name) online and offline.

Any comments on that? Basically I wanted to know how these SID's works under the covers and what is the use service account from SQL Server 2008 onwards?

Best Answer

Service SIDs aren't a SQL Server thing. It's a technic inside windows to isolate different services from another. In the basic example where sql server is using NetworkService as account, many other services could have access to the SQL Server or its files.

Service SIDs and domain accounts have another importang aspect: if you change the domain account, all ACL secured objects are still valid and don't have to be updated.

Related Solutions

Sql-server – How to obtain SIDs of Sql Server installed NT Service Accounts

From the WMI documentation, I couldn't find any way to directly obtain a service SID, probably because as far as I've seen, service SIDs aren't physical directory objects, and thus couldn't be queried except where they appear as part of ACLs. This would also explain why the values aren't persisted in the registry.

Having said that, the service SIDs definitely do not appear in Win32_SystemAccount. Using PowerShell on a sample machine, you can verify this by running Get-WmiObject -Query "SELECT * FROM Win32_SystemAccount".

Luckily, however, there are alternatives:

Per this TechNet blog post, the non-well-known portion of a service SID is generated by taking a SHA1 hash of the uppercase service name, and then splitting apart the results into five unsigned 4-byte numbers. The following code performs this computation and returns the SID as displayed in Windows:

DECLARE @serviceName nvarchar(128) = 'MSSQL$SQL2008R2DEV';

SELECT
    'S-1-5-80' +
        '-' + CONVERT(varchar(20), CONVERT(bigint, CONVERT(varbinary(4), sys.fn_varbintohexsubstring(0, a.BinSid, 17, 4), 2))) +
        '-' + CONVERT(varchar(20), CONVERT(bigint, CONVERT(varbinary(4), sys.fn_varbintohexsubstring(0, a.BinSid, 13, 4), 2))) +
        '-' + CONVERT(varchar(20), CONVERT(bigint, CONVERT(varbinary(4), sys.fn_varbintohexsubstring(0, a.BinSid, 9, 4), 2))) +
        '-' + CONVERT(varchar(20), CONVERT(bigint, CONVERT(varbinary(4), sys.fn_varbintohexsubstring(0, a.BinSid, 5, 4), 2))) +
        '-' + CONVERT(varchar(20), CONVERT(bigint, CONVERT(varbinary(4), sys.fn_varbintohexsubstring(0, a.BinSid, 1, 4), 2)))
    FROM
    (
        SELECT
            CONVERT(varbinary(20), REVERSE(HASHBYTES('SHA1', UPPER(@serviceName)))) AS BinSid
    ) a;

The binary SID can also be obtained by using the SUSER_SID function (with some extra processing to handle the fixed portion) in lieu of HASHBYTES. (Note that the raw binary SID must have its endianness reversed before conversion and output. Also, the @serviceName variable being nvarchar is important.)

If you have .NET available, doing the hash calculation is trivial. Here's the C# code to do it:

using System.Security.Cryptography;

...

string serviceName = "MSSQL$SQL2008R2DEV";

HashAlgorithm ha = HashAlgorithm.Create("SHA1");
byte[] hash = ha.ComputeHash(serviceName.ToUpper().SelectMany(c => BitConverter.GetBytes(c)).ToArray());

string sid = "S-1-5-80";

for (int i = 0; i < 5; i++)
    sid += "-" + BitConverter.ToUInt32(hash, i * 4);

I suspect the SIDs could be found using classes in the .NET System.DirectoryServices namespace, either by inspecting group membership (fragile), or by some other method. Unfortunately, the methods I tested to directly translate a principal name into a SID failed, so I'm not sure how SQL Server does it (PInvoke?). In any event, computing the hash isn't a big deal if .NET is available (in fairness, the code will be longer without the use of LINQ).
Capture the relevant part of the output of the sc utility as used below, or run this manually if you don't care about being able to automate the solution:
```
sc showsid MSSQL$SQL2008R2DEV
```

Sql-server – The Cluster service failed to bring clustered service or application ‘SQL Server (MSSQLSERVER)’ completely online or offline

This means the cluster network name (tcsdb) can't be registered with Active Directory at the moment. It could be that your newly primary node can't see a domain controller, or can't see a writeable domain controller, may have a network interface down, may be having routing problems, etc.

Best Answer

Related Solutions

Sql-server – How to obtain SIDs of Sql Server installed NT Service Accounts

Sql-server – The Cluster service failed to bring clustered service or application ‘SQL Server (MSSQLSERVER)’ completely online or offline

Related Question