This change implements the S4U2Self/S4U2Proxy protocol, using the Generic Security Service (GSS) API on top of the MIT Kerberos library, to allow Kerberos constrained delegation (but *not* resource-based constrained delegation). This functionality requires setting a privileged Active Directory (AD) account through mssql-conf by running the following command on the SQL Server Linux host:

sudo /opt/mssql/bin/mssql-conf set network.privilegedadaccount mssql

and setting up constrained delegation against the SQL Server SPNs for any authentication protocol on the AD controller, for example by using the following PowerShell commands:

Set-ADAccountControl -Identity mssql -TrustedToAuthForDelegation $true

Set-ADUser -Identity mssql -Add @{'msDS-AllowedToDelegateTo'=@('MSSQLSvc/netbiosname:1433', 'MSSQLSvc/machine_fqdn:1433')}

It also requires changing the Kerberos settings on the SQL Server Linux host so that forwardable tickets are generated by default; that is, /etc/krb5.conf should contain:


  forwardable = true
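
The two host-side settings above can be verified with a short script. This is an added example, not part of the original article or of Microsoft's tooling; it assumes that mssql-conf stores its settings in /var/opt/mssql/mssql.conf and that forwardable is set in the [libdefaults] section of /etc/krb5.conf. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: host-side check of the two Linux settings described above.
# Assumed paths: /etc/krb5.conf and /var/opt/mssql/mssql.conf (mssql-conf's file).
# Limitation: "include"/"includedir" directives in krb5.conf are not followed.

# conf_get FILE SECTION KEY: print the first value of KEY found in [SECTION].
conf_get() {
    awk -v want="[$2]" -v key="$3" '
        { sub(/\r$/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        $0 == "" || /^[#;]/ { next }              # blank line or comment
        /^\[.*\]$/ { insec = ($0 == want); next } # section header
        insec && !found {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { found = 1; print v }
        }' "$1"
}

# is_true VALUE: accept the spellings MIT krb5 treats as boolean true.
is_true() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        y|yes|true|t|1|on) return 0 ;;
        *) return 1 ;;
    esac
}

# check_host [KRB5_CONF] [MSSQL_CONF]: returns 0 only if both settings are present.
check_host() {
    krb5=${1:-/etc/krb5.conf}; mssql=${2:-/var/opt/mssql/mssql.conf}; rc=0
    fwd=$(conf_get "$krb5" libdefaults forwardable 2>/dev/null) || fwd=""
    acct=$(conf_get "$mssql" network privilegedadaccount 2>/dev/null) || acct=""
    if is_true "$fwd"; then echo "OK   [libdefaults] forwardable = $fwd"
    else echo "FAIL [libdefaults] forwardable is '${fwd:-unset}' in $krb5"; rc=1; fi
    if [ -n "$acct" ]; then echo "OK   network.privilegedadaccount = $acct"
    else echo "FAIL network.privilegedadaccount is not set in $mssql"; rc=1; fi
    return $rc
}

# Demo on constructed sample files (not taken from a real host).
demo() {
    d=$(mktemp -d) || return 1
    printf '[libdefaults]\n  forwardable = true\n' > "$d/krb5.conf"
    printf '[network]\nprivilegedadaccount = mssql\n' > "$d/mssql.conf"
    check_host "$d/krb5.conf" "$d/mssql.conf"; r=$?
    rm -rf "$d"; return $r
}
demo
```

On a real host, call check_host with no arguments to use the default paths. The AD-side delegation settings still have to be confirmed on the domain.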


This improvement is included in the following cumulative update for SQL Server:

About cumulative updates for SQL Server:

Each new cumulative update for SQL Server contains all the hotfixes and all the security fixes that were included with the previous cumulative update. Check out the latest cumulative updates for SQL Server:


Learn about the terminology that Microsoft uses to describe software updates.

Third-party information disclaimer

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
