Implement support for Kerberos constrained delegation in SQL Server 2019 on Linux

Applies to: SQL Server 2019 on Linux


This change implements theS4U2Self/S4U2Proxy protocol that uses the Generic Security Service (GSS) API on top of the MIT Kerberos library to allowfor Kerberosconstrained delegation (but *not* resourcebased constrained delegation). This functionality requires setting aprivileged Active Directory (AD) account through mssql-conf by executing the following on the SQLServer Linux host:
sudo/opt/mssql/bin/mssql-conf set network.privilegedadaccount mssql
and setting up constrained delegationagainst the SQL Server SPNs for any authentication protocol on the ADcontroller, i.e. if using Powershell commands:
Set-ADAccountControl -Identity mssql -TrustedToAuthForDelegation $true
Set-ADUser -Identity mssql -Add @{'msDS-AllowedToDelegateTo'=@('MSSQLSvc/netbiosname:1433', 'MSSQLSvc/machine_fqdn:1433')}
It also requires to changethe Kerberos settings on the SQL Server Linux host to generate forwardabletickets by default, i.e. in /etc/krb5.conf one should see:
 forwardable = true


This improvement is included in the following cumulative update for SQL Server:
About cumulative updates for SQL Server:
Each new cumulative update for SQL Server contains all the hotfixes and all the security fixes that were included with the previous cumulative update. Check out the latest cumulative updates for SQL Server:


Learn about the terminology that Microsoft uses to describe software updates.

Third-partyinformation disclaimer

The third-partyproducts that this article discusses are manufactured by companies that areindependent of Microsoft. Microsoft makes no warranty, implied or otherwise,about the performance or reliability of these products.