Create a Microsoft SQL Server Machine
Table of Contents
Expand all | Collapse all
-
- Activate Next-Generation Trust Security
-
-
- Configure Akamai Connection
- Configure AWS Connection
- Configure Azure Key Vault Connection
-
- Workload Identity Federation Authentication
- Workload Identity Federation - Azure Identity Provider Authentication
- Next-Gen Trust Security Generated Key Authentication
- User Permissions
- Workload Identity Federation Authentication
- Next-Gen Trust Security Generated Key Authentication
- User Permissions
- Supported OIDC Claims
-
-
-
- Working with the Built-in CA
- Add AWS Public CA
- Add AWS Private CA
- Add DigiCert One Certificate Authority
- Add Entrust
- Add GlobalSign Atlas
- Add GlobalSign MSSL
- Add GoDaddy
- Add Google Cloud Private CA
- Add a HID PKIaaS CA
- Add Certificate Manager - Self-Hosted
- Set Up an OpenSSL Certificate Authority Connector
- Create a Sectigo Certificate Manager Certificate Authority
- Add Zero Touch PKI
- Set Up Certificate Expiration Notifications
- Using a Custom DNS Provider
-
-
-
-
- Create an F5 BIG-IP LTM Machine
- Create a Microsoft Azure Private Key Vault Machine
- Create a Microsoft Azure Application Registration Machine
- Create a Microsoft IIS Machine
- Create a Microsoft Windows (PowerShell) Machine
- Create a Microsoft SQL Server Machine
- Create a Common KeyStore Machine
- Create a Citrix ADC Machine
- Create an Imperva WAF Machine
- Create a VMware NSX Advanced Load Balancer (AVI) Machine
- Create an A10 Thunder ADC Machine
- Create a Cloudflare Machine
- Create Kemp Virtual LoadMaster Machine
- Create a Palo Alto Panorama Machine
- Create a Radware Alteon Machine
-
- Provision to an F5 BIG-IP LTM
- Provision to a Microsoft Azure Private Key Vault
- Provision to Microsoft IIS
- Provision to Microsoft Windows (PowerShell)
- Provision to Microsoft SQL Server
- Provision to a Common KeyStore
- Provision to a Citrix ADC
- Provision to an Imperva WAF
- Provision to VMware NSX Advanced Load Balancer (AVI)
- Provision to an A10 Thunder ADC
- Provision to Cloudflare
- Provision to a Kemp Virtual LoadMaster
- Provision to Palo Alto Panorama
- Provision Certificates to Radware Alteon
-
-
- 47-Day Validity Readiness TLS Certificates dashboard
- About the Certificate Inventory
- Managing Certificate Lifecycle Settings
- Reissuing Certificates in Next-Gen Trust Security
- Downloading Certificates, Certificate Chains, and Keystores
- Retiring, Recovering, and Deleting Certificates
- Finding Certificates in the Certificate Inventory
- Importing Certificates from a CA Using EJBCA
- Domain-Based Validation for External Emails
-
- Create a Workload Identity Management or Discovery Agent Built-in Account
- Create an OCI Registry Built-in Account
- Create a Certificate Manager - Self-Hosted Built-in Account
- Create a Scanafi Built-in Account
- Toggling a Built-in Account on or Off
- Editing Built-in Accounts
- Deleting Existing Built-in Accounts
- Renew Existing Built-in Accounts
- Troubleshooting
Create a Microsoft SQL Server Machine
Creating a machine enables Next-Gen Trust Security to connect to a Microsoft SQL Server host so certificates can be installed and managed. After creating the machine, you can provision certificates to it.
Before You Begin
Choose the most secure authentication method supported by your environment.
The following methods are listed from most to least secure:
- Kerberos authentication over HTTPS (recommended)
- Kerberos authentication over HTTP
- Basic authentication over HTTPS
You will also need:
- Windows Remote Management (WinRM) enabled on the target host
- Credentials with permissions to manage certificates on the SQL Server host
- The dbatools PowerShell module installed on the SQL Server host
- Supported Windows versions:
- Windows Server 2019
- Windows Server 2022
Ensure that the required Windows Remote Management (WinRM) ports are open from the Next-Gen Trust Security VSatellite machine to the target Windows Server. Firewalls or network security controls that block these ports will prevent certificate operations, discovery, or provisioning.
Required ports
| Purpose | Protocol | Port | When required |
|---|---|---|---|
| WinRM over HTTP | TCP | 5985 | When the machine uses WinRM over HTTP (for example, Kerberos over HTTP). |
| WinRM over HTTPS | TCP | 5986 | When the machine uses WinRM over HTTPS (for example, Kerberos over HTTPS or Basic Authentication over HTTPS). |
| Kerberos authentication | TCP and UDP | 88 | Required whenever Kerberos authentication is used. The Next-Gen Trust Security VSatellite must reach a domain controller’s Kerberos service. |
Important:
- Confirm that TCP 5985 and/or TCP 5986 are reachable if you're using the default WinRM listener configuration.
- When using Kerberos authentication, verify that TCP/UDP 88 is open between the VSatellite and your domain controller.
- If your environment uses custom WinRM ports, ensure those ports are reachable.
- Blocked ports frequently cause Test Access failures or authentication errors during machine creation or certificate provisioning.
PowerShell Module Requirement
The SQL Server machine uses the dbatools PowerShell module to manage certificates.
Install the module on the target host:
Install-Module -Name dbatools -Scope AllUsers
Configure the machine
From Authentication Type, select the method you want to use, then follow the corresponding steps.
Warning: Always use the most secure authentication method allowed by your environment. Less secure methods increase the risk of credential exposure.
Note:
- If a username in UPN format (for example, user@domain.com) fails, try using only the username (for example, user).
- Windows Management Framework (WMF) 5.1 or later is required.
Kerberos Authentication over HTTPS
Prerequisites
- The SQL Server host must already have a valid TLS server certificate installed for WinRM over HTTPS.
- The account used must have the required permissions on the target host.
- Enter the Microsoft SQL Server Hostname and WinRM Port.
- Enable Use TLS for WinRM.
- Enter the Domain Name, Key Distribution Center Address, and Service Principal Name.
- Select Enter Credentials or Select Credentials, then provide the required credentials.Warning: Remember to store your username and password securely when creating a new machine. For security reasons, you will not be able to modify the fields under the "Access" tab without these credentials. This ensures that only authorized individuals can modify these fields.
- Click Test Access, then click Create.
Kerberos Authentication over HTTP
Prerequisites
- The SQL Server host must allow WinRM over HTTP.
- The account used must have the required permissions on the target host.
- Enter the Microsoft SQL Server Hostname and WinRM Port.
- Leave Use TLS for WinRM disabled.
- Enter the Domain Name, Key Distribution Center Address, and Service Principal Name.
- Select Enter Credentials or Select Credentials, then provide the required credentials.Warning: Remember to store your username and password securely when creating a new machine. For security reasons, you will not be able to modify the fields under the "Access" tab without these credentials. This ensures that only authorized individuals can modify these fields.
- Click Test Access, then click Create.
Basic Authentication over HTTPS
Prerequisites
- The SQL Server host must already have a valid TLS server certificate installed for WinRM over HTTPS.
- The account used must have the required permissions on the target host.
- Enter the Microsoft SQL Server Hostname and WinRM Port.
- Enable Use TLS for WinRM.Warning: Disabling TLS sends credentials in plaintext and is not recommended.
- Select Enter Credentials or Select Credentials, then provide the required credentials.Warning: Remember to store your username and password securely when creating a new machine. For security reasons, you will not be able to modify the fields under the "Access" tab without these credentials. This ensures that only authorized individuals can modify these fields.
- Click Test Access, then click Create.
What's Next?
Return to Create a new machine to finish setting up your new machine by configuring Discovery and Provisioning scheduling.
For existing machines: