Skip to main content

SQL Server

Description

The SQL Server connector connects to a Microsoft SQL Server instance via JDBC and discovers server-level logins, role memberships, and database-level principals. It identifies privileged logins such as members of sysadmin and other fixed server roles.

Both SQL Server Authentication (username + password) and Windows/Integrated Authentication are supported. Integrated Authentication uses the JDBC driver's pure-Java Kerberos implementation (authenticationScheme=JavaKerberos) rather than the native mssql-jdbc_auth-<version>.dll — it works cross-platform, including on Linux On-Premise Agent hosts, and authenticates directly with the supplied principal and password (no pre-existing Kerberos ticket cache or keytab needed). It does require a valid krb5.conf on the host running the scan, pointing at the correct realm/KDC.

System Type Classification

FieldValue
System TypeInfrastructure
Default Scan Priority500

Version Support

OrbisID EditionSupported
CommunityNo
ProYes
EnterpriseYes

SQL Server scanning requires a Pro or Enterprise licence.

Supported Protocols

ProtocolPortNotes
JDBC (TDS)1433 TCPStandard SQL Server port; configurable per instance

What OrbisID Discovers

DataSource
Server logins (SQL logins and individual Windows logins)sys.server_principals
Windows/AD group loginssys.server_principals (discovered as Entitlements, not Accounts — see below)
Server role membershipssys.server_role_members
Fixed server rolessysadmin, securityadmin, serveradmin, setupadmin, processadmin, diskadmin, dbcreator, bulkadmin
Login status (enabled/disabled)is_disabled column
Login type (SQL login vs Windows login)type_desc column

Windows/AD Group Logins ("Shadow Groups")

A SQL Server login can be granted directly to a Windows local group (e.g. BUILTIN\Administrators) or an AD domain group (e.g. EXAMPLE\SQL_Admins), rather than to an individual account. SQL Server has no visibility into who is actually a member of that group — it only knows the group can log in and which server roles it holds. These group logins are discovered as their own Entitlement (type SQL_SERVER_WINDOWS_GROUP, tagged with a scope attribute of LOCAL or DOMAIN) rather than as an Account, so a group's server-role membership shows up as a proper child-group relationship (e.g. BUILTIN\Administratorssysadmin) instead of being misrepresented as an individual privileged user.

Cross-system resolution: if the real group is also discoverable elsewhere in OrbisID, the shadow group login is automatically linked to it after each scan, so the real account holders show up with this SQL Server login as one of their entitlements:

  • DOMAIN-scoped groups (e.g. EXAMPLE\SQL_Admins) resolve against an Active Directory Target System matching that domain (by NetBIOS name or FQDN) — including accounts that hold the privilege through nested AD groups.
  • LOCAL-scoped groups (e.g. BUILTIN\Administrators, NT AUTHORITY\..., NT SERVICE\...) resolve against a Windows Target System that shares the same hostname or IP address as this SQL Server system — i.e. add the machine SQL Server is running on as its own Windows Target System to get this link. If no matching AD or Windows system exists (or it hasn't been scanned yet), the reference simply stays unresolved rather than guessing.

Connection Requirements

Credential Requirements

The credential must be a SQL Server login or a Windows/AD account with at least the following server-level permissions:

PermissionPurpose
VIEW SERVER STATERead sys.server_principals and role memberships
VIEW ANY DATABASE(Optional) Extend discovery to database-level principals

Recommended (SQL Server Authentication): Create a dedicated SQL login for OrbisID with minimal permissions:

-- Create a dedicated login
CREATE LOGIN orbisid_scanner WITH PASSWORD = '<strong-password>';

-- Grant minimum required permissions
GRANT VIEW SERVER STATE TO orbisid_scanner;
GRANT VIEW ANY DATABASE TO orbisid_scanner;

Windows/Integrated Authentication: Create (or reuse) an AD account, then grant it a SQL Server login mapped to that account and the same permissions:

-- Map an existing AD account to a SQL Server login
CREATE LOGIN [EXAMPLE\orbisid_scanner] FROM WINDOWS;

GRANT VIEW SERVER STATE TO [EXAMPLE\orbisid_scanner];
GRANT VIEW ANY DATABASE TO [EXAMPLE\orbisid_scanner];

Credential Mapping (Windows/Integrated Authentication)

OrbisID FieldValue
credential.usernameThe plain Kerberos principal — no DOMAIN\ prefix (e.g. orbisid_scanner, not EXAMPLE\orbisid_scanner)
credential.passwordThe account's password
credential.domainThe Kerberos realm, typically the AD domain in upper case (e.g. EXAMPLE.COM)

System Attributes

AttributeRequiredDefaultDescription
sqlServerAuthTypeNoSQLSQL for SQL Server Authentication, or WINDOWS for Windows/Integrated Authentication

Network Requirements

RequirementDetail
SQL Server Browser serviceRequired if using named instances
TCP/IP protocol enabledMust be enabled in SQL Server Configuration Manager — disabled by default on SQL Server Express/Developer editions
Port 1433 accessibleOr the custom port for the instance
SQL Server AuthenticationFor SQL logins, the instance must be in Mixed Mode (SQL Server and Windows Authentication mode) — Windows-Authentication-only instances reject every SQL login regardless of credentials
Kerberos configuration (Windows/Integrated Authentication only)The On-Premise Agent (or OrbisID server) host needs a krb5.conf pointing at the correct realm/KDC, and the SQL Server service account needs a registered SPN (setspn -L <service account>)

Configuration Steps

  1. Navigate to Systems in the sidebar
  2. Click Add System
  3. Fill in the fields:
FieldValue
System Name (General tab)Descriptive name (e.g., sql-prod-01)
IP Address / Hostname (Connection tab)SQL Server hostname or IP
Port1433 (or custom port)
OS TypeSQL Server
System TypeInfrastructure (auto-selected)
Database NameName of the database to connect to (e.g., master)
CredentialSQL login or Windows/AD account with required permissions
  1. If using Windows/Integrated Authentication, set Authentication Type to Windows/Integrated Authentication in the Connection Attributes section (defaults to SQL Server Authentication)
  2. Click Test Connection to verify connectivity and authentication
  3. Click Save
Database Name

The Database Name field specifies the initial connection database. The scanner reads server-level data from system views (sys.*), so master is typically appropriate.

Troubleshooting

SymptomLikely CauseResolution
Both SQL and Windows authentication fail identically against the same instanceSomething is failing before authentication is even attempted — most likely TCP/IP disabled or a TLS/encryption handshake issue, not the credentialVerify TCP/IP is enabled in SQL Server Configuration Manager (disabled by default on Express/Developer editions) and port 1433 is reachable; the connector always requests encrypt=true
SQL Server Authentication fails with Login failed for user 'X'. Reason: An attempt to login using SQL authentication failed. Server is configured to allow only Windows authentication.The instance is in Windows-Authentication-only modeSwitch the instance to Mixed Mode (SQL Server and Windows Authentication mode) in SQL Server settings, or use Windows/Integrated Authentication instead
Connection test fails with Login failed (SQL Server Authentication)Invalid credentials or SQL auth disabledVerify login exists and SQL Server is in mixed auth mode
Windows/Integrated Authentication fails with a GSSException / Kerberos errorMissing or misconfigured krb5.conf, wrong principal/password, or the SQL Server service has no registered SPNVerify krb5.conf on the agent host points at the correct realm/KDC; confirm the principal and password; run setspn -L <SQL service account> to confirm an MSSQLSvc/... SPN is registered
Windows/Integrated Authentication fails with Login failedThe AD account authenticated successfully via Kerberos but has no SQL Server login mapped to itRun CREATE LOGIN [DOMAIN\user] FROM WINDOWS; and grant it the required permissions
Connection test fails with Connection refusedPort blocked or TCP/IP disabledCheck SQL Server Configuration Manager — enable TCP/IP and verify port 1433
Named instance not foundSQL Server Browser not runningStart the SQL Server Browser service or specify the port explicitly
Scan succeeds but no roles foundInsufficient permissionsGrant VIEW SERVER STATE to the scanning login
Windows logins not discoveredN/A — Windows logins are always includedWindows logins and groups are discovered from sys.server_principals regardless of which authentication type OrbisID connects with; ensure WINDOWS_LOGIN/WINDOWS_GROUP accounts appear there