DPA registration with Network Service Account

Updated March 21, 2017

Overview

DPA 10.1 added the ability to register SQL Server instances with a Network Service Account.

Note: As of version 10.1, this feature applies only to monitored instance connections, not to the connection to the DPA repository server.

  • Users should be able to modify the connection information of such instances with the "Update DB Instance Connection" wizard (repoint) using the Network Service account.
  • Mass Registration of SQL Server instances using the Network Service Account (NSA).

This new functionality is disabled by default. To enable it, go to Options > Advanced Options (the Support Options checkbox must be selected).

The parameter name is SQL_SERVER_COMP_ACC_AUTH_ENABLED.

 

Environment

DPA 10.1 and later

Steps

Configuration needed

  • Add the following user/login to the SQL server: *DOMAIN\<DPA_MACHINE_NAME>$*
    • *<DPA_MACHINE_NAME>* is the name of the machine where DPA is running.
    • This needs to be done on all monitored SQL servers.
  • Set up the DPA service (Ignite PI Server) to run under the *Network Service* account.
  • Make sure that the *Network Service* account has r/w rights for the DPA installation directory and sub-directories.
  • *ntlmauth.dll* needs to be available in the jre/bin directory. It might be distributed as part of the embedded Java, but it would need to be added manually for custom JRE installations.
    • This DLL allows the jTDS driver to impersonate the user that was previously defined to run the DPA service.
  • Modify DPA so that the Configuration Wizard allows SQL server connections to be defined without username and password and fully rely on impersonation.
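
A preflight check for the DPA-host items in the list above, as an added PowerShell example (not SolarWinds code). The install path is a placeholder, the JRE location under it is an assumption, and the service is matched by the name Ignite PI Server given above.

```powershell
# Added example: run in an elevated PowerShell session on the machine where DPA runs.
param(
    [string]$DpaHome     = 'C:\PLACEHOLDER\DPA',            # placeholder: DPA installation directory
    [string]$JreBin      = (Join-Path $DpaHome 'jre\bin'),  # assumption: JRE that DPA actually uses
    [string]$ServiceName = 'Ignite PI Server'               # service name as given in the article
)

$results = [ordered]@{}

# 1. The DPA service must log on as Network Service.
$svc = Get-CimInstance Win32_Service |
    Where-Object { $_.Name -eq $ServiceName -or $_.DisplayName -eq $ServiceName } |
    Select-Object -First 1
$results['Service found'] = [bool]$svc
# StartName is reported as "NT AUTHORITY\NetworkService" or "NT AUTHORITY\NETWORK SERVICE".
$logon = if ($svc) { $svc.StartName -replace '\s', '' } else { '' }
$results['Service runs as Network Service'] = ($logon -ieq 'NTAUTHORITY\NetworkService')

# 2. Network Service (well-known SID S-1-5-20) needs read/write on the install directory.
#    Only ACEs granted directly to that SID are inspected; rights obtained through a
#    group (for example Users) are not resolved, so CHECK means "review by hand".
$results['Install directory exists'] = Test-Path -LiteralPath $DpaHome -PathType Container
$hasRw = $false
if ($results['Install directory exists']) {
    $need  = [System.Security.AccessControl.FileSystemRights]'Read, Write'
    $rules = (Get-Acl -LiteralPath $DpaHome).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    $hasRw = [bool]($rules | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-5-20' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $need) -eq $need) -and
        # the grant must also flow down to sub-directories and files
        ($_.InheritanceFlags -band 3) -eq 3      # ContainerInherit (1) + ObjectInherit (2)
    })
}
$results['Network Service has r/w (direct ACE)'] = $hasRw

# 3. ntlmauth.dll must sit in jre\bin so the driver can use the service identity.
$results['ntlmauth.dll present in jre\bin'] =
    Test-Path -LiteralPath (Join-Path $JreBin 'ntlmauth.dll') -PathType Leaf

# Report: anything marked CHECK maps back to one bullet in the configuration list.
$results.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```

The login for the DPA machine account on each monitored SQL server is not covered by this script and still has to be verified on those servers.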

 

Connection Info Update (Repoint)

  • When NSA auth is enabled, there is a new radio button on the Options > Update Connection Info page.

 

Mass Registration

When Network Service Account authentication is enabled in Advanced Options and the user selects SQL Server as the database type, a new dropdown menu is displayed on the Mass Registration page containing the new authentication type, Computer Account.

 

Diagnostic

  • Most potential problems will be related to the settings in the configuration section of this article.

  • Double-check that the service runs as the NSA user. This is shown in the Services menu in Windows on the monitored server. The SQL server service for registration should be running under the account in use in.

  • When DPA is not displaying the options for Network Account correctly, check AUTH_SCHEMA in the COND table: there should be PASSWORD for standard authentication and SSO for Network Account authentication.

  • There is a SQL script to help users mass update already registered instances to use NSA auth instead of the standard one.

    • Connect to the repository database with a SQL tool, and execute the following command:
      UPDATE COND SET AUTH_SCHEMA='SSO', PASSWORD=NULL, USERNAME='<USERNAME>' WHERE DB_TYPE='SQL Server' AND ID IN (...)
      <USERNAME> must be in the following format: DOMAIN/ 

      In the parentheses (...), insert the IDs from the COND table that belong to the database you are changing.
      The following SQL statement can help you choose the correct ID: 
      SELECT ID, NAME, USERNAME, CONN_HOST FROM COND WHERE DB_TYPE='SQL Server'

 

Last modified
08:59, 21 Mar 2017
