How to Test Trace Flag 3625

UPDATED Jan 4, 2024 – Several people had mentioned they could not get the example code to work. This was because I chose to overflow a text column which only outputs the detailed error messages for SQL Server 2017 and above. I have since updated the code to use a numeric value which has been verified to work on SQL Server 2012 through 2022. Recently, one of my customers considered enabling Trace Flag 3625 on one of their SQL Servers, but they wanted a way to quickly test its functionality beforehand. For those of you that are unfamiliar with that...

Continue reading...

Get Certificate Details for SQL Encryption In-Transit Using PowerShell – UPDATED

In a previous blog post, I showed you how to use PowerShell to retrieve the details of the certificate being used for encryption-in-transit, aka TLS encryption. I have received a lot of feedback about that script and one of the most common requests was how to run it remotely. I have finally modified the script to do just that. The previous version required you to run it locally on a server. It would return the certificate information for each SQL instance that it detected. The new version can be run remotely, but it will expect you to pass in a...

Continue reading...

Create Service Principal Names Along with a Managed Service Account

In a few previous articles, I have talked a lot about Managed Service Accounts (MSA) and Service Principal Names (SPN) and given examples of managing the separately. As a DBA prepping for a new SQL Server installation, you most likely already know the MSA account name(s) and what is needed to create the associated SPN, so why not create them at the same time? This example uses the PowerShell cmdlet New-ADServiceAccount to create both in the same command. The ServicePrincipalNames parameter can accept an array of strings, so just specify each SPN separated by a comma. We can even run...

Continue reading...

How to Logon Interactively with a Group Managed Service Account

Managed Service Accounts (MSA) are intended to run as a service and not to be used by an end user to logon interactively; however, there are some cases where it is necessary for troubleshooting. From the Start Menu, if you right click on the PowerShell icon, select More and then click on “Run as a different user”, it will pop up a credential box. Enter in the gMSA account name and click OK. You will immediately get an error. This is because Active Directly manages the account for you, so we have no way of knowing what the password is...

Continue reading...

Setup Resource-Based Kerberos Constrained Delegation for Group Managed Service Accounts

In my previous post, I discussed how to setup Kerberos constrained delegation and a limitation of using that method. This post will discuss how we can used resource-based Kerberos constrained delegation to do the same thing. Resource-based KCD was introduced in Windows Server 2012, and is defined as… Windows Server 2012 and later gives service administrators the ability to configure constrained delegation for their service. This model is known as resource-based KCD. With this approach, the back-end service administrator can allow or deny specific front-end services from using KCD. Kerberos Constrained Delegation Overview | Microsoft Docs Our environment will be...

Continue reading...