Improvement

This change implements the S4U2Self/S4U2Proxy protocol that uses the Generic Security Service (GSS) API on top of the MIT Kerberos library to allow for Kerberos constrained delegation (but *not* resource based constrained delegation). This functionality requires setting a privileged Active Directory (AD) account through mssql-conf by executing the following on the SQL Server Linux host:

sudo /opt/mssql/bin/mssql-conf set network.privilegedadaccount mssql

and setting up constrained delegation against the SQL Server SPNs for any authentication protocol on the AD controller, i.e. if using Powershell commands:

Set-ADAccountControl -Identity mssql -TrustedToAuthForDelegation $true

Set-ADUser -Identity mssql -Add @{'msDS-AllowedToDelegateTo'=@('MSSQLSvc/netbiosname:1433', 'MSSQLSvc/machine_fqdn:1433')}

It also requires to change the Kerberos settings on the SQL Server Linux host to generate forwardable tickets by default, i.e. in /etc/krb5.conf one should see:

[libdefaults]

  forwardable = true

Resolution

This improvement is included in the following cumulative update for SQL Server:

About cumulative updates for SQL Server:

Each new cumulative update for SQL Server contains all the hotfixes and all the security fixes that were included with the previous cumulative update. Check out the latest cumulative updates for SQL Server:

References

Learn about the terminology that Microsoft uses to describe software updates.

Third-party information disclaimer

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.