
# Configure SQL Server for protected users with integrated security

Here are the steps to configure your SQL Server so that members of ***Protected Users*** can connect to the database using the Integrated Security authentication method.

According to Microsoft, ***Protected Users*** blocks the use of [NTLM hashes](https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group#domain-controller-protections-for-protected-users). It is, however, possible to configure SQL Server to also use [Kerberos for Integrated Security](https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/register-a-service-principal-name-for-kerberos-connections). The good news is that this is supported out-of-the-box by Remote Desktop Manager.

For SQL Server to support Kerberos authentication, SPNs need to be created. By default, the service runs under accounts that lack the permissions required to register them. You will likely see the following messages when SQL Server starts (you can see the logs in SSMS under ***Management > SQL Server Logs***).

![](https://cdnweb.devolutions.net/docs/docs_en_kb_KB4657.png)

You will need to configure the SQL Server service to run under ***Network Service***, as it has the [necessary permissions](https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/register-a-service-principal-name-for-kerberos-connections?view=sql-server-ver15#Permissions). According to [this article](https://dba.stackexchange.com/questions/180064/what-should-my-spn-entries-look-like-for-each-sql-instance/180147#180147), it is also possible to grant the permissions to create SPNs to a service account. You will also need to change the account in SQL Server Configuration Manager.

<figure><img src="https://cdnweb.devolutions.net/docs/docs_en_kb_KB4659.png" alt=""><figcaption></figcaption></figure>

<figure><img src="https://cdnweb.devolutions.net/docs/docs_en_kb_KB4658.png" alt=""><figcaption></figcaption></figure>

However, on our server, SQL Server was still reporting that it was unable to register the SPNs. We used [Microsoft Kerberos Configuration Manager for SQL Server](https://www.microsoft.com/en-ca/download/details.aspx?id=39046) to fix the SPNs. It shows clickable buttons in the Action columns.

<figure><img src="https://cdnweb.devolutions.net/docs/docs_en_kb_KB4660.png" alt=""><figcaption></figcaption></figure>

After restarting the SQL Server service, you should see “The SQL Server Network Interface library successfully registered the Service Principal Name (SPN) \[ **MSSQLSvc/vdownsrv-sql3.downhill.loc:1433** ] for the SQL Server service.” in the logs.

At this point the connection should work again in Remote Desktop Manager.
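
To confirm that the fix actually moved logins from NTLM to Kerberos, the following added example (not part of the original article or of Remote Desktop Manager) looks up the SPN in Active Directory and then reports the authentication scheme of a live Integrated Security connection. It assumes Windows PowerShell on a domain-joined client, uses the host and port from the log line above as defaults, and the parameter names are hypothetical.

```powershell
# Added example: verify the SPN and the authentication scheme actually negotiated.
# Run as the protected user from a client machine, not on the SQL Server host itself:
# local connections do not go through Kerberos and would report NTLM.
param(
    [string]$SqlHost = 'vdownsrv-sql3.downhill.loc',  # FQDN taken from the log line on this page
    [int]$Port = 1433
)

$spn = "MSSQLSvc/${SqlHost}:$Port"

# 1. Ask Active Directory which account(s) hold the SPN.
#    Exactly one account should be listed; none or several both break Kerberos.
Write-Host "Looking up $spn"
& setspn.exe -Q $spn

# 2. Open an Integrated Security connection, forcing TCP so the SPN above is the one used.
$connString = "Server=tcp:$SqlHost,$Port;Database=master;Integrated Security=SSPI;Connect Timeout=15"
$conn = New-Object System.Data.SqlClient.SqlConnection $connString

try {
    $conn.Open()

    # sys.dm_exec_connections requires VIEW SERVER STATE; a login without it
    # gets a permission error here even though authentication succeeded.
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;'
    $scheme = [string]$cmd.ExecuteScalar()

    if ($scheme -eq 'KERBEROS') {
        Write-Host "OK: session authenticated with Kerberos."
    }
    else {
        # Expected for accounts outside Protected Users when the SPN is missing or wrong.
        Write-Warning "Session authenticated with '$scheme', not Kerberos. Re-check the SPN registration."
    }
}
catch {
    # A Protected Users member cannot fall back to NTLM, so an SPN problem
    # shows up as a failed login rather than as an NTLM session.
    Write-Warning "Connection or query failed: $($_.Exception.Message)"
}
finally {
    $conn.Dispose()
}
```

Running it once with an account outside ***Protected Users*** is also useful: an `NTLM` result there shows the SPN is still not being used, even though that account can log in.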


