


What Service Is Typically Used To Resolve A Fqdn?

SQL Server domain authentication problems

If you experience problems connecting to the Microsoft SQL Server database when installing Deep Security Manager, follow the instructions below to troubleshoot the problem.

This topic's scope is limited to Windows domain authentication issues. If you are using SQL Server Authentication instead, see Configure the database and review the configuration steps listed in that topic to troubleshoot any problems.

'Windows domain authentication' goes by many names: Kerberos authentication, domain authentication, Windows authentication, integrated authentication, and a few others. In this topic, the terms 'Kerberos' and 'Windows domain authentication' are used.

Step 1: Verify the host name and domain

Step 2: Verify the servicePrincipalName (SPN)

Step 3: Verify the krb5.conf file (Linux only)

Step 4: Verify the system clock

Step 5: Verify the firewall

Step 6: Verify the dsm.properties file

Step 1: Verify the host name and domain

You must make sure the Host name field is in FQDN format and resolvable by the DNS server:

  1. When you run the Deep Security Manager installer and reach the database step, make sure you specify the SQL server's FQDN. Don't input an IP address or NetBIOS host name.

    Example of a valid host name: sqlserver.example.com

  2. Make sure the FQDN is registered and resolvable by the DNS server. To check if the correct host name was configured in the DNS entry, use the nslookup command-line utility. This utility can be invoked from any computer on the domain. Enter the following command:

    nslookup <SQL_Server_FQDN>

    where <SQL_Server_FQDN> is replaced with the FQDN of the SQL server. If the utility can resolve the provided FQDN successfully, then the DNS entry is configured properly. If the FQDN cannot be resolved, then configure a DNS A record and reverse (PTR) record that include the FQDN.

  3. Still on the installer's database page, click Advanced and make sure you specify the SQL server's full domain name in the Domain field. The domain must include one or more dots ("."). Don't input a short domain name or NetBIOS name.

    Example of a valid domain name: example.com

  4. Check that the domain name is in FQDN format using the nslookup command-line utility. Enter the following command:

    nslookup <Domain_Name>

    where <Domain_Name> is replaced with the full domain name of the SQL server. If the utility can resolve the provided domain name, then it is the full domain name.

    Database authentication using Microsoft workgroups is not supported by Deep Security Manager 10.2 and later. For Windows domain authentication, you'll need to have installed an Active Directory domain controller, configured a domain, and added the SQL server to this domain. If there is no Active Directory domain infrastructure in your environment, you must use SQL Server Authentication instead. (To use SQL Server Authentication instead of Windows domain authentication, enter the Deep Security Manager database owner's user name and password into the User name and Password fields on the Database page of the manager's installer. Do not input a domain. The omission of a domain name causes SQL Server Authentication to be used. For details, see Install the manager.)

Step 2: Verify the servicePrincipalName (SPN)

You must make sure the servicePrincipalName (SPN) is configured correctly in Active Directory.

For Microsoft SQL Server, the SPN is in this format:

MSSQLSvc/<SQL_Server_Endpoint_FQDN>

MSSQLSvc/<SQL_Server_Endpoint_FQDN>:<PORT>

To verify that the SPN is correct, run through these tasks. At the end are some step-by-step instructions for specific use cases, references to other documentation, and debugging tips.

Step 2a: Identify the account (SID) running the SQL Server service

Step 2b: Find the account in Active Directory

Step 2c: Identify which FQDN to use in the SPN

Step 2d: Identify whether you're using a default instance or named instance

Case 1: Set the SPN under a local virtual account

Case 2: Set the SPN under a domain account

Case 3: Set the SPN under a Managed Service account

Case 4: Set the SPN for a failover cluster

SPN references

SPN debugging tips

Step 2a: Identify the account (SID) running the SQL Server service

The SPN is configured inside the account running the SQL Server service.

To identify which account is running the SQL Server service, use the services.msc utility. You see the SQL Server service listed, along with the associated account.

Step 2b: Find the account in Active Directory

Once you know the name of the account running the SQL Server service, you must locate it in Active Directory. The account can be in a few possible locations depending on whether it is a local virtual account, a domain account, or a Managed Service account. The possible locations are described below. You can use the ADSI Editor (adsiedit.msc) on the Active Directory computer to look through the different containers in Active Directory and find the account.

Account type: Local virtual account
    Name of account: NT SERVICE\MSSQLSERVER (default instance) or NT SERVICE\MSSQL$InstanceName (named instance)
    Location of account in Active Directory: CN=Computers, CN=<Computer_Name>
    Description: Services that run under virtual accounts access network resources by using the credentials of the computer account. The default standalone SQL Server service uses this account to start up.

Account type: Domain account
    Name of account: A domain user name, for example, SQLServerServiceUser
    Location of account in Active Directory: CN=Users, CN=<User_Name>
    Description: Services started using this account access the network resources using a domain user's credentials. SQL Server failover clusters require a domain account to run the service. The standalone SQL Server service can also be configured to use a domain account to start up.

Account type: Managed Service account
    Name of account: A Managed Service account name, for example, SQLServerMSA
    Location of account in Active Directory: CN=Managed Service Accounts, CN=<Account_Name>
    Description: Introduced in Windows Server 2008 R2, the Managed Service Account resembles the domain account but cannot be used to perform interactive logons. Both the standalone SQL Server service and the SQL Server cluster services can be configured to use a Managed Service account to start up.

Step 2c: Identify which FQDN to use in the SPN

For naming consistency, it is recommended that you set the SPN to the FQDN of the endpoint. The endpoint is the target to which the SQL Server client (Deep Security Manager) connects, and may be an individual SQL Server or a cluster. See below for details on which FQDN to use.

  • Standalone SQL Server: set the SPN to the FQDN of the host where SQL Server is installed.
  • Failover SQL Server cluster: set the SPN to the FQDN of the SQL Server cluster (individual SQL Server nodes are not the endpoint and should not be used in the FQDN).

Step 2d: Identify whether you're using a default instance or named instance

You must know whether the SQL Server was installed as a default instance or a named instance, because the port number and instance name (if one was specified) need to go into the SPN.

  • The default instance typically uses port 1433.
  • A named instance uses a different port. To determine this port, consult this webpage.

Example: If the FQDN endpoint of the SQL Server service is sqlserver.example.com and it is the default instance, then the SPNs will be in the format:

MSSQLSvc/sqlserver.example.com

MSSQLSvc/sqlserver.example.com:1433

Another example: If the FQDN endpoint of the SQL Server service is sqlserver.example.com and it is a named instance using port 51635 with an instance name of DEEPSECURITY, then the SPNs will be in the format:

MSSQLSvc/sqlserver.example.com:DEEPSECURITY

MSSQLSvc/sqlserver.example.com:51635

Case 1: Set the SPN under a local virtual account

To set the SPN for a standalone SQL Server that runs under a local virtual account:

  1. On the Active Directory computer, open ADSIEdit.msc. The ADSI Editor opens.
  2. Locate the SQL Server host in CN=Computers.
  3. Right-click the SQL Server host, and select Properties.
  4. On the Aspect Editor tab, scroll to servicePrincipalNames and click the Edit button.
  5. If the attribute values don't exist, add each one individually using the Add button. Click OK.

Case 2: Set the SPN under a domain account

The SPN configuration is similar to the local virtual account configuration, except that the SPN is set in the domain account (CN=Users) running the SQL Server service.

Case 3: Set the SPN under a Managed Service account

The SPN is set in the Managed Service account (CN=Managed Service Accounts) running the SQL Server service.

Case 4: Set the SPN for a failover cluster

An SQL Server failover cluster can run under a domain account or a Managed Service account. Refer to Case 2: Set the SPN under a domain account or Case 3: Set the SPN under a Managed Service account for instructions. Make sure to set the SPN to the FQDN of the SQL cluster endpoint, not an individual SQL node.

SPN references

Below are links to Microsoft's official documents about SPN configuration:

Register a Service Principal Name for Kerberos Connections

How to: Enable Kerberos Authentication on a SQL Server Failover Cluster

SPN debugging tips

To verify that the correct SPN configuration was set, use the command-line tool setspn to query for registered SPN entries. The command syntax is:

setspn -T <Full_Domain_Name> -F -Q MSSQLSvc/<SQL_Server_Endpoint_FQDN>*

where:

  • <Full_Domain_Name> is replaced with the domain name of your environment.
  • <SQL_Server_Endpoint_FQDN> is replaced with the FQDN of SQL Server.

For example: Assume that a standalone SQL Server resides at SQL2012.dslab.com and runs under a local virtual account in the domain dslab.com. You can run the setspn query above with dslab.com as the domain and MSSQLSvc/SQL2012.dslab.com* as the SPN prefix to list all registered SPNs with that prefix and see if the SPN is correctly configured.

From the command output, you can then verify that the SPN has been set and registered in the right LDAP path, and in the account that is running the SQL Server service (in this case, the computer account).
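The SPN derivation rules from Step 2d and the expected-versus-registered comparison described in these debugging tips, as an added Python example (not Trend Micro's code): REGISTERED_SAMPLE is a constructed stand-in for the entries a setspn query would list, not real output.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed stand-in for the SPN entries that a query such as
# "setspn -T example.com -F -Q MSSQLSvc/sqlserver.example.com*" would list
# (sample data, not real setspn output).
REGISTERED_SAMPLE = [
    "MSSQLSvc/sqlserver.example.com",
    "MSSQLSvc/sqlserver.example.com:1433",
    "MSSQLSvc/sqlserver.example.com:DEEPSECURITY",
]

# Step 1 rule: the endpoint must be a dotted host name, never an IP address
# or a bare NetBIOS name.
def is_fqdn(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    pattern = r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}"
    return re.fullmatch(pattern, host.lower()) is not None

# Step 2d rule: a default instance needs MSSQLSvc/<fqdn> and MSSQLSvc/<fqdn>:<port>;
# a named instance needs MSSQLSvc/<fqdn>:<INSTANCE> and MSSQLSvc/<fqdn>:<port>.
def expected_spns(endpoint_fqdn: str, port: int, instance_name: Optional[str] = None) -> List[str]:
    if not is_fqdn(endpoint_fqdn):
        raise ValueError(f"{endpoint_fqdn!r} is not an FQDN; use the endpoint's full DNS name")
    base = f"MSSQLSvc/{endpoint_fqdn}"
    first = f"{base}:{instance_name}" if instance_name else base
    return [first, f"{base}:{port}"]

# Compare what should be registered against what setspn reports. The match is
# case-insensitive because the servicePrincipalName attribute is case-insensitive.
def missing_spns(expected: List[str], registered: List[str]) -> List[str]:
    have = {spn.lower() for spn in registered}
    return [spn for spn in expected if spn.lower() not in have]

if __name__ == "__main__":
    wanted = expected_spns("sqlserver.example.com", 51635, "DEEPSECURITY")
    print("missing SPNs:", missing_spns(wanted, REGISTERED_SAMPLE))
```

Run against the sample data, the named-instance check reports the port SPN as missing, which is exactly the entry you would then add via the ADSI Editor steps above.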

Step 3: Verify the krb5.conf file (Linux only)

If you're installing the manager on Linux, you must make sure that /etc/krb5.conf exists and contains the correct domain and realm information:

  1. Open or create the /etc/krb5.conf file in a text editor to configure Kerberos.
  2. Provide the following information:

    [libdefaults]
        ...
        default_realm = <DOMAIN>
        ...

    [realms]
        <DOMAIN> = {
            kdc = <ACTIVE_DIRECTORY_CONTROLLER_FQDN>
            admin_server = <ACTIVE_DIRECTORY_CONTROLLER_FQDN>
        }

    [domain_realm]
        .<DOMAIN_FQDN> = <DOMAIN>
        <DOMAIN_FQDN> = <DOMAIN>

    where <DOMAIN>, <ACTIVE_DIRECTORY_CONTROLLER_FQDN> and <DOMAIN_FQDN> are replaced with your own values. <DOMAIN> is the Kerberos realm name, which for an Active Directory domain is the domain's DNS name in uppercase.

    Example file:

    [libdefaults]
        default_realm = EXAMPLE.COM
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
        dns_lookup_kdc = true
        dns_lookup_realm = false

    [realms]
        EXAMPLE.COM = {
            kdc = kerberos.example.com
            kdc = kerberos-1.example.com
            admin_server = kerberos.example.com
        }

    [domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM

    [logging]
        kdc = SYSLOG:INFO
        admin_server = FILE=/var/kadm5.log

    Note that the default_tkt_enctypes and default_tgs_enctypes lines in this example pin DES and 3DES encryption types, which current Active Directory domain controllers disable by default; omit those two lines so the client negotiates the AES types, or list aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 explicitly.

  3. Save and close the file.

Step 4: Verify the system clock

You must make sure the system clocks on the domain controller, SQL Server, and Deep Security Manager computer are synchronized. With Kerberos, the maximum allowable clock skew is five minutes by default.

Step 5: Verify the firewall

You must make sure the firewall is not blocking the SQL connection. A default SQL Server instance accepts connections on port 1433, while a named SQL Server instance uses a port that is selected at random. To find out which port to connect to, the SQL client (Deep Security Manager in this case) queries the available named instances and finds the mapped port by issuing a lookup request to the SQL Server Browser service. The SQL Server Browser service listens on port 1434 (UDP). Verify that your firewall configuration allows port 1433 (if you're using a default instance), or port 1434 (if you're using a named instance).

Step 6: Verify the dsm.properties file

Make sure the dsm.properties file is configured correctly.

  1. Open the dsm.properties file in a text editor. On Windows, the file is typically located in C:\Program Files\Trend Micro\Deep Security Manager\webclient\webapps\ROOT\WEB-INF.
  2. Ensure that the file contains these lines (the text after // is explanation, not part of the file):

    database.SqlServer.server=YOUR-SERVER.EXAMPLE.COM         //Include the domain name, which must use uppercase letters.
    database.SqlServer.trustServerCertificate=true            //This line is required when the SQL server has Force Encryption enabled.
    database.SqlServer.domain=EXAMPLE.COM                     //The domain name must use uppercase letters.
    database.SqlServer.user=sqlUser@EXAMPLE.COM               //The user name must include the domain name, and the domain name must use uppercase letters.
    database.SqlServer.integratedSecurity=true
    database.SqlServer.authenticationScheme=JavaKerberos
    database.directory=zip
    database.SqlServer.namedPipe=false

  3. Make any changes required and save the file.
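The dsm.properties rules from this step as an added Python checker (not part of Deep Security Manager); the two property texts are constructed samples, a misconfigured file beside the corrected one, and the checker reports every rule the file breaks.

```python
from typing import Dict, List
# Constructed sample of the usual mistakes (lowercase domain, bare user name, Kerberos not selected).
BAD_PROPERTIES = """\
database.SqlServer.server=your-server.example.com
database.SqlServer.domain=example.com
database.SqlServer.user=sqlUser
database.SqlServer.integratedSecurity=false
database.SqlServer.authenticationScheme=NTLM
database.SqlServer.namedPipe=true
"""
# Constructed sample that follows the rules in this step.
GOOD_PROPERTIES = """\
database.SqlServer.server=YOUR-SERVER.EXAMPLE.COM
database.SqlServer.domain=EXAMPLE.COM
database.SqlServer.user=sqlUser@EXAMPLE.COM
database.SqlServer.integratedSecurity=true
database.SqlServer.authenticationScheme=JavaKerberos
database.SqlServer.namedPipe=false
"""

# Minimal Java .properties reader: key=value lines; '#' and '!' comment lines are skipped.
def parse_properties(text: str) -> Dict[str, str]:
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

# Return the rule violations found in a dsm.properties text (an empty list means it passes).
def check_dsm_properties(text: str) -> List[str]:
    p = parse_properties(text)
    problems = []
    server_domain = p.get("database.SqlServer.server", "").partition(".")[2]
    domain = p.get("database.SqlServer.domain", "")
    user_domain = p.get("database.SqlServer.user", "").partition("@")[2]
    if not server_domain or server_domain != server_domain.upper():
        problems.append("server must be an FQDN whose domain part is in uppercase")
    if not domain or domain != domain.upper():
        problems.append("domain must be set and in uppercase")
    if not domain or user_domain != domain:
        problems.append("user must be <name>@<DOMAIN>, using the same uppercase domain")
    for key, want in {"database.SqlServer.integratedSecurity": "true",
                      "database.SqlServer.authenticationScheme": "JavaKerberos",
                      "database.SqlServer.namedPipe": "false"}.items():
        if p.get(key) != want:
            problems.append(f"{key} must be {want}")
    return problems
```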

Source: https://help.deepsecurity.trendmicro.com/20_0/on-premise/database-sql-server-domain-authentication.html

Posted by: begayeelbectern.blogspot.com
