Any SQL boffins? Members of group not authenticating (SCOM)

Hi, I have an SQL instance, running in Windows authentication. The server is a member of the domain. It is a fairly basic single forest/single domain setup.

I have an account called SQLMPMonitor, which is a member of a Domain Global Group, which is a member of a Domain Local Group (security model on the system). This DLG is a user within the SQL instance and has rights to log on etc. SPNs are registered and I've proved Kerberos works as I can log into the instance using SQLMPMonitor credentials. If I add the SQLMPMonitor account as a user within the instance, the SCOM login works.

When it's only a member of the group, I get failed logins with state 5 'userid not found for domain\SQLMPMonitor' or words to that effect. It seems it's not using Kerberos?

I have followed the SCOM MP guide to the letter and several other ones yet I can't get it to work.

What's odd is that SCOM seems to report on the state of the instances and DBs of the SQL server just fine yet the SQL log is littered with failed login attempts.

I will try using Service SIDs according to Kevin Holman's blog later on or next week but I was just wondering why my scenario is failing. I presume it's due to the nested account.