A Windows service running as "Network Service" talks to services on other machines (here: SQL Server and Analysis Services), using Windows authentication. For authentication, we have to grant permissions to the machine account of the service. E.g. if the service runs on server MYSERVER in domain MYDOMAIN, it'll authenticate itself as "MYDOMAIN\MYSERVER$". - Am I correct, so far?
Now here's my question: does this still apply when talking to a service on the SAME machine? Or will it authenticate with something like "NT AUTHORITY\Network Service" instead when connecting to a local service?
And: is there any chance this is a breaking change from Windows 2003 to Windows 2008? We're having an actual issue in our system where the account was able to connect to local services with only the machine account having permissions in W2K3. In W2K8, this doesn't seem to work anymore: authentication to local services now fails, but still works to remote machines.
Locally NETWORK SERVICE will authenticate as "NT AUTHORITY\Network Service".
If you want your SQL to touch local resources (files, apps, registry, whatever) do not grant permissions to the service account. Instead grant them to the SQL Server service account local group, which was automatically created during install, see SQL Server Service Accounts: SQLServerMSSQLUser$<hostname>$<instancename>, where <hostname> is the machine name of the host running SQL Server and <instancename> is the SQL Server instance name (MSSQLSERVER for default instance name).
This way you don't have to change any ACL when you change the service account, since changing the SQL Service account adds the new account to this group.
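One way to apply the advice in the answer above, as an added example that is not part of the original post: the function builds the group name in the format the answer gives, confirms it resolves on the local machine, warns about ACEs granted directly to "NT AUTHORITY\NETWORK SERVICE", and then grants the group access to a folder. The function name, the folder path and the choice of the Modify right are assumptions made for illustration.

```powershell
# Added example. Function name, folder and access right are hypothetical.
function Grant-SqlGroupAccess {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,                              # folder SQL Server must reach
        [string]$InstanceName = 'MSSQLSERVER',      # default instance name
        [string]$HostName     = $env:COMPUTERNAME,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )

    # Group name format from the answer: SQLServerMSSQLUser$<hostname>$<instancename>
    $groupName = 'SQLServerMSSQLUser${0}${1}' -f $HostName, $InstanceName

    # Resolve the local group to a SID; fail early if it does not exist.
    $account = New-Object System.Security.Principal.NTAccount($HostName, $groupName)
    try {
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        throw "Local group '$groupName' not found on $HostName; check the instance name."
    }

    $acl = Get-Acl -Path $Path

    # Report ACEs given directly to the service identity. These would have to be
    # redone whenever the service account changes, which the group avoids.
    $direct = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\NETWORK SERVICE'
    }
    foreach ($ace in $direct) {
        Write-Warning "Direct ACE for $($ace.IdentityReference) ($($ace.FileSystemRights)) on $Path"
    }

    # Grant the group the requested right, inherited by subfolders and files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    return $groupName
}

# Example call with a constructed path:
# Grant-SqlGroupAccess -Path 'D:\SqlData\Import'
```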