How to Configure Windows Authentication for Domain Account in Local SQL Server Development Environment


2 views

When transitioning from SQL Server authentication to Windows authentication, many developers encounter permission issues - especially after fresh OS installations. The key symptom: your domain credentials suddenly stop working despite being a local admin.

First, confirm your SQL Server instance actually runs in mixed authentication mode:


-- Run this using existing SQL auth credentials
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS AuthMode;
-- Returns 0 for mixed mode, 1 for Windows-only

If you can still access via SQL auth, create a Windows login directly:


USE [master]
GO
CREATE LOGIN [DOMAIN\username] FROM WINDOWS WITH DEFAULT_DATABASE=[master]
GO
EXEC sp_addsrvrolemember 'DOMAIN\username', 'sysadmin'
GO

Local admin rights don't automatically grant SQL Server permissions. The Windows group memberships only sync when the SQL Server service starts. After adding yourself to groups, restart:


NET STOP MSSQLSERVER
NET START MSSQLSERVER

If completely locked out, use the single-user mode technique:

  1. Stop SQL Server service
  2. Run: sqlservr.exe -m -s MSSQLSERVER
  3. Connect with DAC (Dedicated Admin Connection)
  4. Execute the CREATE LOGIN statement above

After configuration, check effective permissions with:


SELECT * FROM sys.server_permissions WHERE grantee_principal_id = 
(SELECT principal_id FROM sys.server_principals WHERE name = 'DOMAIN\username')

Ensure the SQL Server service account has proper Active Directory permissions if your domain uses constrained delegation. The service account needs:

  • "Trusted for delegation" right in AD
  • SPN (Service Principal Name) registered

When your IT department reinstalled your 64-bit Windows system and set up SQL Server Developer Edition, they likely configured it with SQL Server authentication initially. The problem emerges when attempting to switch to Windows Authentication - a common scenario many developers face after system migrations.

From your description, I notice three potential issues:

  1. Incomplete server role assignment after authentication mode change
  2. Group membership not properly propagating to SQL Server
  3. Possible service account permission conflicts

Here's how to properly configure Windows Authentication:

-- First, log in using SQL authentication or as another admin
-- Then execute these commands to add your domain account:

USE [master]
GO
CREATE LOGIN [DOMAIN\username] FROM WINDOWS WITH DEFAULT_DATABASE=[master]
GO
EXEC sp_addsrvrolemember @loginame = N'DOMAIN\username', @rolename = N'sysadmin'
GO

If you prefer graphical interface:

  1. Connect using existing SQL authentication
  2. Right-click server node → Properties → Security
  3. Set "Server authentication" to "Windows Authentication mode"
  4. Under Security → Logins, add your Windows account
  5. Grant server roles (sysadmin recommended for full control)

Sometimes the SQL Server service needs adjustment:

-- Check current service account
SELECT servicename, service_account 
FROM sys.dm_server_services
WHERE servicename LIKE 'SQL Server%'

Ensure the service account has proper permissions to authenticate domain accounts.

If still facing issues:

-- Check effective permissions
EXEC xp_logininfo 'DOMAIN\username', 'all'

Also verify:

  • Domain connectivity is active
  • Your account isn't locked in AD
  • SQL Server is running under a domain account if needed

Before restarting services:

  1. Confirm login exists in sys.server_principals
  2. Verify server role assignment
  3. Check ERRORLOG for authentication failures