MS SQL Server supports two authentication modes: Windows Authentication mode, and Mixed mode (Windows Authentication and SQL Server Authentication).
The authentication mode must be set when a SQL Server instance is installed, and can be changed later in SQL Server Management Studio through the Security option in the Server Properties section for the instance:
Prior to the release of Apprenda Platform 5.5.4, all Platform SQL Server instances were required to use Mixed mode authentication. A SQL login account specified for each SQL Server instance was used for all Platform and guest application creation, and guest application components (such as services and UIs) communicated with their respective databases via connection strings based on SQL logins.
In order to accommodate company security policies that prefer the Windows Authentication mode to Mixed mode, Apprenda Platform version 5.5.4 introduced limited Windows Authentication support for certain types of applications:
Table 1: Applications supported for Windows Authentication
| Single- or Multi-tenant? | .NET or Java? | MS SQL or Oracle? | Windows Authentication |
As of this version of Apprenda, Platform Operators may configure the Platform to use Windows Authentication (via the Security Support Provider Interface, or SSPI) for all single-tenant .NET guest applications that include a SQL Server database tier. When this option is configured by a Platform Operator, service and UI components for these types of applications will communicate with their respective databases via connection strings based on Windows Authentication only.
Depending on the Platform configuration and options selected by the Platform Operator as indicated in the table below, databases for supported applications will be created using Windows Authentication or using the SQL Server admin account specified for the instance:
Table 2: Platform MS SQL Server database configuration options
| Database Security Mode Custom Property Setting | SQL Server Authentication Mode | Creds used to create DBs | Creds components use to access Single-tenant DBs | Can host CoreDB/Multi-tenant app DBs |
| SQL only* | Mixed Mode | SQL | SQL | Yes |
| SQL and SSPI | Mixed Mode | SQL | Windows | Yes |
* This is the effective setting for all prior versions of the Apprenda Platform.
PLEASE NOTE: databases essential for Platform functionality (such as the Apprenda Core DB) require a SQL instance set to Mixed Mode Authentication. Because of this, all Apprenda Platform instances must contain a SQL instance configured for SQL only OR an instance configured for SQL and SSPI.
It is recommended that Platforms that use SSPI contain at least one SQL instance configured for SQL only (to host the Core DB and other required Apprenda DBs). Instances that will support SSPI can then be configured for SSPI only, which will allow those instances to take full advantage of Apprenda’s support for Windows authentication (i.e., DBs will be both created with and accessed by Windows Authentication).
The Storage Controlling Services is an Apprenda WCF service that interfaces with SQL Server and Oracle to create, delete, and otherwise configure storage for your application’s databases. When SSPI is used, the Windows account under which this service runs will need the same permissions as the SQL Server Admin Account (outlined in the Platform User Accounts and Privileges topic) on SQL Server instances configured to use SSPI. After Apprenda Platform installation, the Storage Controlling Services are set to use the account specified in the installer as the Apprenda Administrator account. As needed, a different account can be specified for the Storage Controlling Services through the Applications section of the SOC; once the account has been changed in the SOC, all instances of the Storage Controlling Services must be restarted in order for the change to take effect.
By default, all SQL instances will use SQL credentials only. The Platform Operator must mark each SQL instance that they have selected to use SSPI as follows:
As a reminder, any SQL instances on which Apprenda Platform Databases (e.g. Core) reside must be set to support SQL authentication (or SQL and SSPI) and cannot be configured to support SSPI only.
Because they will have to communicate with their databases via Windows authentication, all services and UIs for supported applications must be configured to run under valid Windows domain accounts. By default, the account specified at install time as the Apprenda System account will be used as the default account for services (As of version 7.1, the System Account is no longer used). No default account is specified for UIs. This can be addressed by the Platform Operator in one of the following ways:
The workflows for both of these options are described in this Platform Operator topic on Specifying User Accounts for Guest Application Components.
If no valid account is specified (either through a Platform default set by the Platform Operator or per credential by the developer) for a component, workload deployments will fail for that component. This will result in a promotion failure in the case of UIs, and scaling/functionality failures in the case of services.
PLEASE NOTE: in order for workload deployment to work for components where the database uses Windows Authentication, accounts for components must specify the domain name in NetBIOS (as opposed to FQDN) format.
The final Configuration step is to set the DB.EnforceWindowsAuthentication setting to a value of True in the Platform Registry Settings section of the SOC. This setting acts as a switch that will then enforce Windows Authentication for all newly deployed single-tenant .NET applications that use SQL Server.
Once the Configuration steps above have been completed, Windows Authentication will be enforced for all newly deployed single-tenant .NET applications that use SQL Server. It should be noted that this enforcement is automatic and Platform-wide; developers will not have the option to use SQL authentication.
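The two deployment requirements above (components must connect with Windows Authentication, and their accounts must use the NetBIOS domain form) can be checked before promotion. The following audit is an added example, not Apprenda code; the component names, accounts and connection strings are constructed samples, and the connection-string keys are the standard .NET SqlConnection keys and their synonyms.

```python
import re
from typing import Dict, List

# Keys accepted by the .NET SqlConnection string builder (case-insensitive synonyms).
INTEGRATED_KEYS = {"integrated security", "trusted_connection"}
USER_KEYS = {"user id", "uid", "user"}
PASSWORD_KEYS = {"password", "pwd"}

def parse_connection_string(conn: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict; keys lower-cased, values kept as written."""
    parts: Dict[str, str] = {}
    for segment in conn.split(";"):
        if "=" in segment:
            key, value = segment.split("=", 1)
            parts[key.strip().lower()] = value.strip()
    return parts

def uses_windows_auth(parts: Dict[str, str]) -> bool:
    """True when the string authenticates with the process's Windows identity (SSPI)."""
    return any(parts.get(k, "").lower() in ("sspi", "true", "yes") for k in INTEGRATED_KEYS)

def is_netbios_account(account: str) -> bool:
    """DOMAIN\\user with a dot-free domain; an FQDN such as corp.example.com\\user fails."""
    m = re.fullmatch(r"([^\\\s]+)\\([^\\\s]+)", account)
    return bool(m) and "." not in m.group(1)

def audit_component(name: str, account: str, conn: str) -> List[str]:
    """Problems that would fail workload deployment or keep the component on SQL auth."""
    findings: List[str] = []
    parts = parse_connection_string(conn)
    if not uses_windows_auth(parts):
        findings.append(f"{name}: connection string lacks Integrated Security=SSPI")
    if any(k in parts for k in USER_KEYS | PASSWORD_KEYS):
        findings.append(f"{name}: connection string embeds a SQL login and/or password")
    if not account:
        findings.append(f"{name}: no Windows domain account; deployment will fail")
    elif not is_netbios_account(account):
        findings.append(f"{name}: account '{account}' is not in NetBIOS DOMAIN\\user form")
    return findings

# Constructed sample components (not from the original page).
SAMPLE_COMPONENTS = [
    ("OrderService", r"CORP\svc-orders",
     "Data Source=sqlhost;Initial Catalog=OrdersDb;Integrated Security=SSPI;"),
    ("OrderUI", r"corp.example.com\svc-orders-ui",
     "Server=sqlhost;Database=OrdersDb;Trusted_Connection=yes;"),
    ("LegacyService", "", "Server=sqlhost;Database=LegacyDb;User ID=app_user;Password=s3cret;"),
]

if __name__ == "__main__":
    for comp in SAMPLE_COMPONENTS:
        for line in audit_component(*comp) or [f"{comp[0]}: OK"]:
            print(line)
```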
Information on how Apprenda deploys guest application databases can be found in the How Apprenda Deploys your Application: Data Tier section of our documentation; a section on databases that use Windows Authentication has been included.
As needed, developers can obtain DB connection string information for all of their applications (including those that use Windows Authentication) through the Cloud Control section of the Developer Portal.