Authenticating with Active Directory
Published 21 October 2021
By default, users log in to SQL Monitor using the passwords set by the administrator.
Alternatively, administrators can set SQL Monitor to authenticate users with their Active Directory credentials. SQL Monitor will use the Base Monitor service account credential to query Active Directory. The Base Monitor service account details are stored in the Windows credentials store on the machine where the monitoring service is installed.
We recommend configuring authentication against Active Directory using OpenID Connect rather than the native integration described in this article.
Using Active Directory, administrators can restrict which servers users can access.
For more information about Active Directory, see: So What Is Active Directory? in the MSDN documentation.
For a quick demo of using AD authentication and adding SQL Monitor users, see the Authentication video on Redgate University.
Switching to Active Directory authentication
Only administrators can switch to Active Directory authentication.
- In the Configuration tab, under Application options, click Authentication settings:
- Select Active Directory (via LDAP):
- Enter the domain name.
- Enter the base DN (optional). For example: ou=DBA,dc=domain,dc=com.
Under Service account, you can use the "Base Monitor Service account" to query Active Directory. This option was introduced in 12.1.7. If you're running an older version, or you prefer a different account, choose "Specify a Windows account" and enter the username and password for this account. SQL Monitor stores the service account login details and uses them to query Active Directory.
To use a gMSA (group Managed Service Account) to query AD, run the Base Monitor as the gMSA, then select "Base Monitor Service account".
If the service account password changes or the account is deleted, SQL Monitor won't be able to authorize users. If this happens, you'll need to update the service account details in the SQL Monitor authentication settings.
To avoid this, you might want to create a new account that's unlikely to change.
You can optionally test the connection from here.
- Add an administrator user or group. This must be an existing Active Directory user or group.
SQL Monitor supports security groups, but not distribution groups. For more information on group types in Active Directory, see Group types: Active Directory (TechNet).
We recommend you create an administrator group and specify this as the administrator account. This means you can add more users to the administrator group in Active Directory instead of configuring new users in SQL Monitor.
- Click Save settings.
SQL Monitor logs you and all other users out.
- Log in to SQL Monitor with your domain credentials.
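A pre-flight check for the administrator group step above, as an added PowerShell example that is not part of SQL Monitor or Redgate's tooling: it confirms the group is a security group and lists every account that would inherit administrator access through it. The domain name, the group name and the choice to search under the base DN are assumptions, and the script needs the RSAT ActiveDirectory module.

```powershell
# Added example (not Redgate code). Placeholder values: adjust before running.
Import-Module ActiveDirectory

$Domain    = 'domain.com'                # placeholder domain name
$BaseDN    = 'ou=DBA,dc=domain,dc=com'   # example base DN from the steps above
$GroupName = 'SQLMonitor-Admins'         # hypothetical administrator group

# Assumption: the group should be findable under the base DN you configure.
$safeName = $GroupName.Replace("'", "''")   # escape quotes for the -Filter string
$groups = @(Get-ADGroup -Server $Domain -SearchBase $BaseDN -SearchScope Subtree `
                        -Filter "SamAccountName -eq '$safeName'")

if ($groups.Count -eq 0) {
    throw "Group '$GroupName' was not found under '$BaseDN'."
}
$group = $groups[0]

# SQL Monitor supports security groups, not distribution groups.
if ($group.GroupCategory -ne 'Security') {
    throw "Group '$GroupName' is a $($group.GroupCategory) group, not a security group."
}

# -Recursive expands nested groups, so this is the effective administrator list.
$members = @(Get-ADGroupMember -Identity $group.DistinguishedName -Server $Domain -Recursive)

$report = foreach ($m in $members | Where-Object { $_.objectClass -eq 'user' }) {
    $u = Get-ADUser -Identity $m.DistinguishedName -Server $Domain
    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        Enabled           = $u.Enabled
        DistinguishedName = $u.DistinguishedName
    }
}

"Group: $($group.DistinguishedName) ($($group.GroupScope), $($group.GroupCategory))"
"Effective user members: $(@($report).Count)"
$report | Sort-Object SamAccountName | Format-Table -AutoSize
```

Review the list before saving the settings: anyone in it, including members of nested groups, becomes a SQL Monitor administrator.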
Adding additional Active Directory domain configurations
Additional domains can be added to SQL Monitor in order to allow users from more than one Active Directory domain. Domains with two-way trust should work implicitly, but other types of trust or non-trusted domains will need to have a service account provided in order to function.
- Select Add domain to add an additional Active Directory domain to SQL Monitor.
- Enter the Domain name, Base DN (optional), Service account Username and Password.
- Optionally test the connection.
- Click Save settings and the new domain will be added to SQL Monitor.
One account per Active Directory domain will be added to the Windows Credential Manager. These accounts will have the name formatted SQL_Monitor_AD_ServiceAccount_<Domain> (where <Domain> is the name of the domain). Additionally, an account named SQL_Monitor_Installer_Account will be created when you choose to save credentials during installation.
Switching from Active Directory authentication to default authentication
Only administrators can switch from Active Directory authentication to default authentication.
- Log in to SQL Monitor as an administrator.
- In the Configuration tab, click Authentication settings:
- Select Basic authentication.
The Confirm authentication changes window opens:
- Click Confirm.
SQL Monitor logs you and all other users out.
- Log in to SQL Monitor with your SQL Monitor credentials.
If you've forgotten your password, see: Resetting your SQL Monitor password.