Operating system (OS) authentication is a method for identifying a connection with credentials supplied by the operating system of the connecting computer.
OS-authenticated logins are the default and, therefore, recommended type of login for SQL Server databases. By default, this is the only type of login allowed when your SQL Server instance is created.
Database logins are accounts created in the database management system. These accounts are separate from the login account you use to connect to the operating system.
OS authentication offers some advantages over database authentication in SQL Server. These advantages are as follows:
- OS authentication is generally more secure in SQL Server databases than database authentication, since it uses a certificate-based security mechanism. OS-authenticated logins pass an access token instead of a name and password to SQL Server. The access token is assigned by Windows (Active Directory Domain or local operating system) when the user logs in. It contains a unique security ID (SID) for that user and the SIDs of any local or domain Windows groups to which the user belongs. This token's SIDs are compared to all the SIDs in the sys.server_principals system view. Based on the results of this comparison, the login is either granted or denied access to SQL Server.
- When using domain accounts, management of passwords and accounts is centralized; the domain administrator manages all logins that are used throughout the organization, and the database administrator does not need to manage separate accounts.
- When you connect to the database, you are not required to enter a user name and password. A single sign-on at login provides access to all services that support OS authentication.
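The T-SQL below is an added example, not part of the original documentation. It shows the SID comparison described above from the server side by listing the Windows SIDs in the current login's token and the `sys.server_principals` entries they match. It assumes you run it over an OS-authenticated connection as a login that can view server state and login definitions (for example, a sysadmin).

```sql
-- 1 = only OS (Windows) authentication is allowed; 0 = mixed mode,
-- where database logins are accepted as well.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- How the current session authenticated: KERBEROS or NTLM for an
-- OS-authenticated login, SQL for a database login.
SELECT c.auth_scheme,
       s.login_name,
       s.original_login_name
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.session_id = @@SPID;

-- Windows SIDs in the current login's token (the user and the user's groups),
-- matched by SID against Windows logins ('U') and Windows groups ('G') in
-- sys.server_principals. A NULL matching_login means that SID has no login
-- of its own on this instance.
SELECT lt.name           AS token_principal,
       lt.type           AS token_type,
       lt.usage          AS token_usage,      -- GRANT OR DENY, or DENY ONLY
       sp.name           AS matching_login,
       sp.is_disabled,
       perm.state_desc   AS connect_sql_state -- GRANT or DENY of CONNECT SQL
FROM sys.login_token AS lt
LEFT JOIN sys.server_principals AS sp
       ON sp.sid = lt.sid
      AND sp.type IN ('U', 'G')
LEFT JOIN sys.server_permissions AS perm
       ON perm.grantee_principal_id = sp.principal_id
      AND perm.class = 100                    -- server-level permission
      AND perm.type  = 'COSQ'                 -- CONNECT SQL
WHERE lt.type IN ('WINDOWS LOGIN', 'WINDOWS GROUP')
ORDER BY lt.type, lt.name;
```

Rows where `matching_login` is a Windows group show access that comes from group membership rather than from an individual login, which is the first thing to review when auditing who can reach the instance.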
One restriction to consider if you use OS authentication with enterprise geodatabases is that you cannot connect to the geodatabase as a user different from your present login. For example, if you logged in to the computer as TERRA\Ian, you cannot make an OS-authenticated connection as TERRA\Sylvia. If you use database authentication, you can log in to the computer with one login but provide a different user name and password to connect to the geodatabase.