Microsoft SQL Server (Kerberos)

Last modified on July 12, 2023


A datasource consists of a database resource and the credentials used to access it. This guide describes how to add a Microsoft SQL Server (Kerberos) database as a datasource in the StrongDM Admin UI. This resource type only supports Windows authentication with Active Directory via Kerberos. For other options, see the Microsoft SQL Server (Azure AD) and Microsoft SQL Server resource types.


To add a datasource, make sure you have met the following prerequisites:

  • Properly configure an account for your database resource. If you choose to store credentials for the resource with StrongDM, have those credentials ready. When not using StrongDM, set up a Secret Store integration and be able to enter the location of the secrets required to access the resource.
  • The hostname or endpoint you enter for your resource must be accessible by at least one gateway or relay. To verify this, log in to the gateway or relay and use the nc -zv <YOUR_HOSTNAME> <YOUR_PORT> Netcat command. For example, use nc -zv 5432. If your gateway server can connect to this hostname, you can proceed.
  • Generate a krb conf file if you do not already have one
  • Generate a keytab file if you do not already have one, and ensure that it is Base64-encoded.

Add a Datasource

To add your new Microsoft SQL Server database as a StrongDM datasource, use the following steps.

  1. Log in to the Admin UI.

  2. Go to Infrastructure > Datasources.

  3. Click Add datasource.

  4. Select Microsoft SQL Server (Kerberos) as the Datasource Type and set other configuration properties for your new database resource.

    Add Microsoft SQL Server (Kerberos) Datasource
    Add Microsoft SQL Server (Kerberos) Datasource
  5. Complete all required fields.

  6. Click Create to save the resource.

  7. Click the resource name to view status, diagnostic information, and setting details.

Resource properties

Configuration properties are visible when you add a datasource or when you click to view its settings. The following table describes the settings available for your Microsoft SQL Server database.

Display NameRequiredMeaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >)
Datasource TypeRequiredSelect Microsoft SQL Server (Kerberos)
HostnameRequiredHostname for your Microsoft SQL Server database resource; must be accessible to a gateway or relay
PortRequiredPort to use when connecting to your Microsoft SQL Server database; default port value is 1433
Port OverrideRead onlyAutomatically generated with a value between 1024-59999 as long as that port is not used by another resource; preferred port can be modified later under Settings > Port Overrides
DatabaseRequiredDatabase name you want to connect to using this datasource
Secret StoreOptionalCredential store location with the default set to Strong Vault; learn more about Secret Store options
UsernameRequiredUsername to utilize when connecting to this datasource; displays when Secret Store integration is not configured for your organization or when Strong Vault serves as the Secret Store type
Kerberos KeytabRequiredFile that you generate that stores long-term keys and is used to obtain keys for the client (Base64-encoded). Should contain an entry with the principal name in the format<YOUR_USERNAME>@<YOUR_REALM> and a key version number with which to authenticate.
Kerberos ConfigurationRequiredFile that you generate (krb5.conf) that contains Kerberos configuration information (Base64-encoded). It should specify the Active Directory Server (KDC) for the configured realm.
Server SPNRequiredService Principal Name (SPN) for the Microsoft SQL Server instance in Active Directory in the format MSSQLSvc/<YOUR_SERVER>:<YOUR_PORT> (example: MSSQLSvc/
RealmRequiredRealm (domain) from the Kerberos Configuration file to which the configured username belongs, in the format AD.EXAMPLE.COM
SchemaOptionalName of the schema that should be used if the user belongs to a particular schema
Override Default DatabaseOptionalBy default, StrongDM limits all connections to the configured database. Uncheck the box to disable this option. If this option is deselected, the value entered in the Database field is only used for healthchecks, not for user connections. When accessing the database via StrongDM, users need to explicitly pass the database name they wish to connect to in the connection string. If they do not, the value of the Username field is passed in as the database name. This is the default behavior of the database type.
Resource TagsOptionalDatasource tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev)

Secret Store options

By default, datasource credentials are stored in Strong Vault. However, these credentials can also be saved in a third-party secrets management tool.

Options other than Strong Vault appear in the Secret Store dropdown if they are created under Network > Secret Stores. When you select another Secret Store type, its unique properties display. Instead of the normal Username, Kerberos Keytab, Kerberos Configuration, Realm, and Server SPN fields, you will see versions of them that indicate that you should enter a path. This is the path to where the secret is stored in your Secret Store location (for example, path/to/credential?key=optionalKeyName where key argument is optional).

For more details, see Configure Secret Store Integrations.

Resource status

After a resource is created, the Admin UI displays that resource as unhealthy until the health checks run successfully. When the resource is ready, the Health icon indicates a positive, green status.

Datasource Ready
Datasource Ready

When the resource does not display a positive status, click the resource name to go to the Diagnostics tab and check for errors.

If any errors occur, please copy them into an email and send them to

Tips for Server Setup

  • Ensure that TCP connections are enabled on the server.
  • Ensure that the correct AD user has been added to the logins for the database.