| title | description | author | ms.author | ms.date | ms.service | ms.subservice | ms.topic | helpviewer_keywords | ||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
Change server authentication mode |
Learn how to change the server authentication mode in SQL Server. You can use either SQL Server Management Studio or Transact-SQL for this task. |
rwestMSFT |
randolphwest |
07/22/2024 |
sql |
configuration |
how-to |
|
[!INCLUDE SQL Server]
This article describes how to change the server authentication mode in [!INCLUDE ssnoversion] by using [!INCLUDE ssManStudioFull] or [!INCLUDE tsql]. During installation, [!INCLUDE ssDEnoversion] is set to either Windows Authentication mode or SQL Server and Windows Authentication mode. After installation, you can change the authentication mode at any time.
If Windows Authentication mode is selected during installation, the sa login is disabled and a password is assigned by setup. If you later change authentication mode to SQL Server and Windows Authentication mode, the sa login remains disabled. To use the sa login, use the ALTER LOGIN statement to enable the sa login and assign a new password. The sa login can only connect to the server by using [!INCLUDE ssNoVersion] Authentication.
The sa account is a well known [!INCLUDE ssNoVersion] account, and is often targeted by malicious users. Don't enable the sa account unless your application requires it. It's important that you use a strong password for the sa login.
You can enable the sa login with SSMS or Transact-SQL.
-
In Object Explorer, expand Security, expand Logins, right-click sa, and then select Properties.
-
On the General page, you might have to create and confirm a password for the
salogin. -
On the Status page, in the Login section, select Enabled, and then select OK.
The following example enables the sa login and sets a new password. Replace <enterStrongPasswordHere> with a strong password before you run it.
ALTER LOGIN sa ENABLE;
GO
ALTER LOGIN sa WITH PASSWORD = '<enterStrongPasswordHere>';
GO-
In [!INCLUDE ssManStudioFull] (SSMS) Object Explorer, right-click the server, and then select Properties.
-
On the Security page, under Server authentication, select the new server authentication mode, and then select OK.
-
In the [!INCLUDE ssManStudioFull] dialog box, select OK to acknowledge the requirement to restart [!INCLUDE ssNoVersion].
-
In Object Explorer, right-click your server, and then select Restart. If [!INCLUDE ssNoVersion] Agent is running, it must also be restarted.
Caution
The following examples use an extended stored procedure to modify the server registry. Serious problems might occur if you modify the registry incorrectly. These problems might require you to reinstall the operating system. Microsoft can't guarantee that these problems can be resolved. Modify the registry at your own risk.
The permissions required to change the authentication mode are sysadmin or CONTROL SERVER.
-
Change server authentication to Windows only:
USE [master] GO EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'LoginMode', REG_DWORD, 1; GO
-
Disable the
saaccount:USE [master] GO ALTER LOGIN sa DISABLE; GO
-
Enable the
saaccount and set a strong password:USE [master] GO ALTER LOGIN sa ENABLE; GO ALTER LOGIN sa WITH PASSWORD = '<enterStrongPasswordHere>'; GO
-
Change server authentication to mixed mode:
EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'LoginMode', REG_DWORD, 2; GO