Requirements for Microsoft SQL Server databases

Before attempting to add Microsoft SQL Server database accounts to the Zero Trust Privileged Access Service, you should keep the following requirements in mind:

  • You can only use the Privileged Access Service to manage passwords for local SQL Server Login database accounts that use SQL Server authentication.
  • You cannot rotate or manage expired passwords for managed accounts.
  • If you use Windows authentication to connect to the SQL Server database, add the corresponding domain accounts to the Privileged Access Service and manage them as domain accounts.

Database accounts and clustering

The accounts used to communicate with databases fall into two major categories: administrative accounts and service accounts. Administrative accounts are used by the database administrator to connect to the database to perform administrative tasks, such as adding new databases or database users or managing database tables. Service accounts are used by application servers—such as Tomcat, JBoss, or IIS—to authenticate to the database before storing or retrieving service-specific information in the database. The Privileged Access Service supports password management for the administrative database accounts.

In addition, there are two types of authentication for database accounts in SQL Server:

  • Windows authentication
  • SQL Server authentication

You can use the Privileged Access Service to manage the password for both Windows authentication database accounts and SQL Server authentication database accounts for standalone SQL Server instances.

If you have a SQL Server cluster configured for high availability with automatic failover, the administrative database accounts you manage should be domain accounts that use Windows authentication, to avoid replication issues.

If the managed database account is a Windows domain account, passwords can be synchronized for SQL Server clusters that are configured to use failover clustered instances, database mirroring, AlwaysOn availability groups, log shipping, or any combination of these features.

If you use SQL Server authentication for the database account you want to manage, the SQL Server cluster must be configured to use failover clustered instances. For managed SQL Server database accounts, only failover clustered instances are supported because other high-availability features might result in replication delays and authentication failures.
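The requirements above (SQL Server authentication only, no rotation of already-expired passwords, failover clustered instances only for managed SQL logins) can all be checked from the instance itself before an account is onboarded. The T-SQL below is an added example and is not part of the Privileged Access Service product or its documentation; the login name `app_admin` and the password placeholder are assumptions, and the catalog views and functions it uses (`sys.server_principals`, `sys.sql_logins`, `LOGINPROPERTY`, `SERVERPROPERTY`, `sys.availability_replicas`) are standard on SQL Server 2012 and later.

```sql
-- Added example, not from the Privileged Access Service documentation.
-- Pre-onboarding checks for a SQL Server instance. 'app_admin' is a placeholder login name.

-- 1. Classify logins by authentication type. Only type 'S' (SQL Server authentication)
--    logins can be managed as SQL Server database accounts; 'U' (Windows user) and
--    'G' (Windows group) logins are managed through their domain accounts instead.
SELECT sp.name,
       sp.type_desc,
       CASE sp.type
            WHEN 'S' THEN 'SQL Server authentication'
            WHEN 'U' THEN 'Windows authentication (user)'
            WHEN 'G' THEN 'Windows authentication (group)'
            ELSE 'other'
       END AS auth_mode,
       sp.is_disabled
FROM sys.server_principals AS sp
WHERE sp.type IN ('S', 'U', 'G')
  AND sp.name NOT LIKE '##%';   -- skip the internal certificate-mapped logins

-- 2. For SQL logins, find passwords that are already expired, locked, or flagged
--    MUST_CHANGE. The service cannot rotate an expired password, so such logins
--    need a DBA reset before they are added as managed accounts.
SELECT sl.name,
       sl.is_policy_checked,
       sl.is_expiration_checked,
       LOGINPROPERTY(sl.name, 'IsExpired')           AS is_expired,
       LOGINPROPERTY(sl.name, 'IsLocked')            AS is_locked,
       LOGINPROPERTY(sl.name, 'IsMustChange')        AS must_change,
       LOGINPROPERTY(sl.name, 'PasswordLastSetTime') AS password_last_set
FROM sys.sql_logins AS sl
WHERE sl.name NOT LIKE '##%';

-- 3. Determine what kind of high-availability setup this instance is in.
--    IsClustered = 1 means a failover clustered instance (supported for managed SQL logins).
--    IsHadrEnabled = 1 with availability replicas means Always On availability groups,
--    where a SQL login's password is stored in master on each replica separately, so a
--    change on one replica is not carried to the others and logins can fail after failover.
SELECT SERVERPROPERTY('IsClustered')   AS is_failover_clustered_instance,
       SERVERPROPERTY('IsHadrEnabled') AS hadr_enabled,
       (SELECT COUNT(*) FROM sys.availability_replicas) AS ag_replica_count;

-- 4. The statement a DBA with ALTER ANY LOGIN runs to reset a SQL login's password,
--    which is what a password rotation amounts to at the database layer.
ALTER LOGIN [app_admin] WITH PASSWORD = N'<new-strong-password>';
```

Run steps 1 to 3 as a read-only review on every node of the cluster, not just the one you connect to first: on an availability group each replica has its own copy of the login, and the expiry and lock state reported by `LOGINPROPERTY` can differ between them, which is exactly the inconsistency the page warns about.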

For details about the versions of Microsoft SQL Server supported in the current release, see the release notes. For information about configuring clustering for SQL Server and clustering scenarios, see the Microsoft documentation.