RDS database connection still using NTLM

Marissa Van Opens 1 Reputation point
2021-11-24T15:24:21.27+00:00

Hi there,

We have a three node RDS cluster (Server 2016) that is connecting to our SQL cluster via computer account authentication. This connection is currently using NTLM for authentication but we'd really prefer to disable NTLM and leverage Kerberos for all of our authentication needs. Other database connections to the cluster are using Kerberos but not these and I'm not sure why.

When we started down this road there we needed up allow the SQL service account to register SPNs and once we did that most of the connections switched over to Kerberos but apparently not all.

Does anyone have any idea what I might be missing or a good article that can help me figure out why some database connections aren't using kerberos?

Thank you for your time and help.

SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
12,815 questions

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. CathyJi-MSFT 21,096 Reputation points Microsoft Vendor
    2021-11-25T07:00:30.257+00:00

    Hi @a3pl ,

    Internal connections and DAC(Dedicated Admin Connection), won't use the Kerberos. They will be connected using Shared memory and NTLM. If you connect to the SQL Server instance from the same host where SQL Server is installed then you may see connections using NTLM. Cross-domain connections require special configuration in order for Kerberos to work. Otherwise, connections will use NTLM.

    Suggest you starting from below blogs, they will help you better understand your issue.

    Using Kerberos Configuration Manager for SPNs Validation
    FAQs Around Kerberos and SQL Server

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    0 comments
  2. Marissa Van Opens 1 Reputation point
    2021-11-29T12:41:01.347+00:00

    Thank you for your assistance but I don't think that this is our issue. These are connections from our RDS farm (three hosts) that are using a computer account for logins instead of a service account, and my connection string is in this format:
    DRIVER=SQL Server Native Client 11.0;SERVER=<name of SQL server>;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;DATABASE=<name of database>

    Database connections using service accounts are using Kerberos to connect to our Database servers.

    The two differences between normal connections and the RDS connection are computer accounts for login and that it's connecting to an Always Online Availability cluster, although again we do have kerberos connections to the AOA cluster as well.

    0 comments