How It Works
MsSQL access in Infisical PAM uses an Infisical Gateway to securely proxy connections to your MsSQL server. When a user requests access, Infisical establishes a secure tunnel through the Gateway, enabling secure access without exposing your MsSQL instance directly.
Key Concepts
- Gateway: An Infisical Gateway deployed in your network that can reach the MsSQL server. The Gateway handles secure communication between users and your MsSQL instance.
- Authentication: Credentials are stored securely in Infisical and used by the Gateway to authenticate with MsSQL on behalf of the user. SQL Server Authentication and Windows Authentication (NTLM or Kerberos) are supported.
- Local Proxy: The Infisical CLI starts a local proxy on your machine that intercepts MsSQL connections and routes them securely through the Gateway to your MsSQL instance.
- Session Tracking: All access sessions are logged, including when the session was created, who accessed the MsSQL instance, session duration, and when it ended.
Session Tracking
Infisical tracks:
- When the session was created
- Who accessed which MsSQL instance
- Session duration
- When the session ended
Session Logs: After ending a session (by stopping the proxy), you can view detailed session logs in the Sessions page.
Prerequisites
Before configuring MsSQL access in Infisical PAM, you need:
- Infisical Gateway - A Gateway deployed in your network with access to the MsSQL server
- MsSQL Credentials - SQL Server credentials (username/password), Windows domain credentials for NTLM (domain/username/password), or Kerberos credentials (realm/SPN/username/password) for the MsSQL instance
- Infisical CLI - The Infisical CLI installed on user machines
Create the PAM Resource
The PAM Resource represents the connection between Infisical and your MsSQL instance.
Ensure Gateway is Running
Before creating the resource, ensure you have an Infisical Gateway running and registered with your Infisical instance. The Gateway must have network access to your MsSQL server.
Create the Resource in Infisical
- Navigate to your PAM project and go to the Resources tab
- Click Add Resource and select Microsoft SQL Server
- Enter a Name for the resource (e.g., production-mssql, staging-db)
- Select the Gateway that has access to this MsSQL instance
- Enter the Host - the hostname or IP address of your MsSQL server (e.g., mssql.example.com or 192.168.1.100)
- Enter the Database Name - the database to connect to
- Enter the Port - the MsSQL port (default: 1433)
- Configure SSL/TLS options:
  - Enable SSL: Toggle to enable TLS/SSL connections (enabled by default)
  - Reject Unauthorized: Toggle to verify SSL certificates (enabled by default, recommended for production)
  - Trusted CA SSL Certificate: Optional CA certificate for custom certificate authorities
SSL Configuration: SSL is enabled by default. For self-signed certificates, you may need to provide the CA certificate or disable certificate validation (not recommended for production).
Create PAM Accounts
Once you have configured the PAM resource, you’ll need to configure a PAM account for your MsSQL resource. A PAM Account represents a specific set of credentials that users can request access to. You can create multiple accounts per resource, each with different permission levels.
Navigate to Resource
Go to the Resources tab in your PAM project and open the MsSQL resource you created.
Fill in Account Details
Fill in the account details:
- Name: A friendly name for this account (e.g., readonly-user, admin-access).
- Description: An optional description for this account.
- Authentication Method: Choose how the account authenticates with SQL Server:
  - SQL Server Authentication — standard username and password
  - Windows Authentication (NTLM) — authenticates using Active Directory domain credentials
  - Windows Authentication (Kerberos) — authenticates via Kerberos tickets from a Key Distribution Center (KDC)
- Domain: The Active Directory domain name (e.g., CORP). Only required when using Windows Authentication (NTLM).
- Kerberos Realm: The Kerberos realm, typically the AD domain name in uppercase (e.g., CORP.EXAMPLE.COM). Required for Kerberos authentication.
- SPN: The SQL Server’s SPN registered in Active Directory (e.g., MSSQLSvc/sqlserver.corp.com:1433). Required for Kerberos authentication.
- KDC Address: Hostname or IP of the Key Distribution Center (e.g., dc.corp.example.com). Optional — if omitted, the gateway attempts DNS-based KDC discovery.
- Username: The MsSQL or domain username.
- Password: The MsSQL or domain password.
- Require MFA: When enabled, users must complete a multi-factor authentication (MFA) challenge before accessing this account. The MFA method used is determined by the organization’s enforced method, the user’s configured method, or email as a fallback.
Kerberos credentials (realm, SPN, KDC address) are verified when the first session is started, not at account creation. Ensure your KDC is reachable from the gateway on port 88.
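Because the Kerberos fields above are only validated when the first session starts, a pre-flight check catches the common mistakes earlier. The following is an added example, not Infisical's code: it checks the realm and SPN formats described above and tests that the KDC answers on port 88 (run that part from the Gateway host, since that is where the connection originates). The sample values are the page's own examples; the function names are assumptions.

```python
"""Pre-flight checks for the Kerberos fields of a PAM MsSQL account.

Added example, not Infisical's code. Validates the realm and SPN formats
given on the page and tests TCP reachability of the KDC on port 88.
"""
import re
import socket
from typing import List

# SPN shape given on the page: MSSQLSvc/<host>:<port>
SPN_RE = re.compile(r"^MSSQLSvc/(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")


def check_realm(realm: str) -> List[str]:
    """The realm is conventionally the AD domain name in uppercase."""
    if not realm:
        return ["realm is empty"]
    problems = []
    if realm != realm.upper():
        problems.append("realm must be uppercase (e.g. CORP.EXAMPLE.COM)")
    if "." not in realm:
        problems.append("realm does not look like a DNS-style domain name")
    return problems


def check_spn(spn: str, resource_host: str, resource_port: int) -> List[str]:
    """The SPN must name the SQL Server service as registered in AD."""
    m = SPN_RE.match(spn)
    if not m:
        return [f"SPN {spn!r} is not of the form MSSQLSvc/<fqdn>:<port>"]
    problems = []
    if int(m["port"]) != resource_port:
        problems.append(f"SPN port {m['port']} differs from resource port {resource_port}")
    if m["host"].lower() != resource_host.lower():
        # Not always wrong (aliases exist), but worth confirming against AD.
        problems.append(f"SPN host {m['host']} differs from resource host "
                        f"{resource_host}; confirm it is the SPN registered for this server")
    return problems


def kdc_reachable(kdc_host: str, port: int = 88, timeout: float = 3.0) -> bool:
    """TCP connect test to the KDC; the page requires port 88 from the Gateway."""
    try:
        with socket.create_connection((kdc_host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    print(check_realm("CORP.EXAMPLE.COM"))                                   # []
    print(check_spn("MSSQLSvc/sqlserver.corp.com:1433", "sqlserver.corp.com", 1433))  # []
    print(kdc_reachable("dc.corp.example.com"))  # True only if the KDC is reachable
```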
Access MsSQL Account
Once your resource and accounts are configured, users can request access through the Infisical CLI:
Get the Access Command
- Navigate to the Resources tab in your PAM project and open the MsSQL resource
- In the resource’s accounts section, find the account you want to access
- Click the Access button for that account
- Copy the provided CLI command
Run the Access Command
Run the copied command in your terminal. The CLI will:
- Authenticate with Infisical
- Establish a secure connection through the Gateway
- Start a local proxy on your machine
- Display a local connection URL you can use to connect
Connect to MsSQL
Once the proxy is running, connect to MsSQL using the connection details displayed by the CLI. You can use any MsSQL client — no password is needed, as the Gateway injects the real credentials on your behalf.
Using sqlcmd:
Using other clients:
You can also use GUI clients such as SQL Server Management Studio (SSMS), Azure Data Studio, DBeaver, DataGrip, or TablePlus. Point them to 127.0.0.1 on the port shown in the CLI output with the username and database from the connection details. Leave the password field empty.