Authentication Mode

SQL Server Express users: click Authentication Mode (SQL Server Express) for information that is specific to SQL Server Express Setup.

Use the Authentication Mode page of the Microsoft SQL Server Installation Wizard to choose the security mode used to authenticate client and server connections to this installation. If you select Mixed Mode, you must enter and confirm the SQL Server system administrator (sa) password. After a device establishes a successful connection to SQL Server, the security mechanism is the same for both Windows Authentication and Mixed Mode.

Options

  • Windows Authentication Mode
    When a user connects through a Microsoft Windows user account, SQL Server validates the account name and password using information in the Windows operating system. This is the default authentication mode, and is much more secure than Mixed Mode. Windows Authentication uses the Kerberos security protocol, enforces password policy through complexity validation for strong passwords, supports account lockout, and supports password expiration.

    Security Note:
    When possible, use Windows Authentication.

    If you select Windows Authentication, Setup creates an sa account that is disabled by default. To use Mixed Mode Authentication and activate the sa account after Setup completes, see the topic "How to: Change Server Authentication Mode" in SQL Server 2005 Books Online.

    Important

    Setting strong passwords is essential to the security of your system. Never set a blank or weak sa password.

  • Mixed Mode (Windows Authentication or SQL Server Authentication)
    Allows users to connect using Windows Authentication or SQL Server Authentication. Users who connect through a Windows user account can make use of trusted connections that are validated by Windows.

    If you must choose Mixed Mode Authentication and you have a requirement for using SQL logins to accommodate legacy applications, then you must set strong passwords for all SQL accounts. This is of particular importance for accounts that are members of the sysadmin role, especially the sa account.

    Note

    SQL Server Authentication is provided for backward compatibility only. When possible, use Windows Authentication.

  • Enter Password
    Enter and confirm the password for the system administrator (sa) login when you choose Mixed Mode Authentication. Passwords are the first line of defense against intruders, so setting strong passwords is essential to the security of your system. Never set a blank or weak sa password.

    Note

    SQL Server passwords can contain from 1 to 128 characters, including any combination of letters, symbols, and numbers. If you choose Mixed Mode authentication, you must enter a strong sa password before you can continue to the next page of the Installation Wizard.

  • Strong Password Guidelines
    Strong passwords are not readily guessed by a person, and are not easily hacked using a computer program. Strong passwords cannot use prohibited conditions or terms, including:

    • A blank or NULL condition
    • "Password"
    • "Admin"
    • "Administrator"
    • "sa"
    • "sysadmin"

    A strong password cannot be either of the following terms associated with the installation computer:

    • The name of the user currently logged on to the machine.
    • The machine name.

    A strong password must be more than 8 characters in length and satisfy at least three of the following four criteria:

    • It must contain uppercase letters.
    • It must contain lowercase letters.
    • It must contain numbers.
    • It must contain non-alphanumeric characters; for example, #, %, or ^.

    Passwords entered on the Authentication Mode page must meet strong password policy requirements. If you have any automation that uses SQL Authentication, make sure that the password meets strong password policy requirements.

Security Note:
For this release, Setup may not enforce the strong password requirement on some default configurations of Windows Server 2003 where the machine is not a member of a domain. Setting strong passwords is essential to the security of your system. Never set a blank or weak sa password.
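
The following is an added example, not part of the original topic and not Microsoft's Setup code: a pre-check that automation can run against a candidate sa password, useful because Setup may not enforce the policy on some configurations. It implements the guidelines as listed on this page; treating the prohibited-term, user-name and machine-name comparisons as whole-password and case-insensitive is an assumption, and `check_sa_password`, `current_user` and `machine_name` are hypothetical names.

```python
# Terms this page lists as prohibited (a blank/NULL password is checked separately).
PROHIBITED_TERMS = {"password", "admin", "administrator", "sa", "sysadmin"}


def check_sa_password(password, current_user, machine_name):
    """Return the list of guideline violations; an empty list means it passes.

    Assumptions: comparisons against prohibited terms, the user name and the
    machine name are whole-password and case-insensitive.
    """
    if not password:
        return ["blank or NULL password"]
    problems = []
    if len(password) > 128:
        problems.append("longer than 128 characters")
    if len(password) <= 8:
        problems.append("not more than 8 characters")
    lowered = password.lower()
    if lowered in PROHIBITED_TERMS:
        problems.append("prohibited term")
    if current_user and lowered == current_user.lower():
        problems.append("same as current user name")
    if machine_name and lowered == machine_name.lower():
        problems.append("same as machine name")
    # At least three of the four character classes must be present.
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        problems.append("fewer than three of four character classes")
    return problems


if __name__ == "__main__":
    # Constructed sample values; never log real candidate passwords.
    samples = ["", "Administrator", "Abcdef1#", "SQLBOX-01a", "Tr1cky#Horse9"]
    for candidate in samples:
        result = check_sa_password(candidate, "alice", "sqlbox-01A")
        print(len(candidate), "chars:", "OK" if not result else "; ".join(result))
```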

See Also

Concepts

Security Considerations for a SQL Server Installation

Change History

Release History

5 December 2005

Changed content:
  • Updated strong password guidelines: Strong passwords require more than 8 characters.