How-to monitor Microsoft SQL with a domain account
This guide explains how to monitor Microsoft SQL Server with Checkmk using a domain account instead of the default user.
LAST TESTED ON CHECKMK 2.4.0P22
Overview
This guide explains how to configure the Checkmk mk-sql plugin to monitor Microsoft SQL Server using an Active Directory domain account instead of the default SYSTEM or local database user.
Problem
By default, the mk-sql plugin runs under the local SYSTEM account or a local SQL user. In some environments, especially those with stricter security or centralized authentication requirements, this is not sufficient and a domain account must be used instead.
However, using a domain account is not automatic and requires additional configuration both on the Windows host and within Checkmk.
Solution
Prepare the domain account
First, ensure the domain account is properly set up according to our User Guide:
Grant the account access to the MSSQL database as outlined in the official documentation
Ensure the account has permission to log in interactively to the monitored Windows host
Group Managed Service Accounts (gMSA) are not supported for running Checkmk plugins.
Configure the account in Checkmk
In Checkmk, configure the agent to run the plugin using the domain account:
Go to Setup → Agents → Windows, Linux, Solaris, AIX → Agent rules → Run plugins and local checks using non-system account
Create a new rule
Enter the domain account username and password under Enable 'Run As User' for scripts
Scope the rule to the appropriate host(s)
Save the rule
Configure the MSSQL plugin
Next, configure the MSSQL plugin as usual:
Go to Setup → Agents → Windows, Linux, Solaris, AIX → Agent rules → Microsoft SQL Server (Linux, Windows)
Leave authentication set to Local integrated authentication (Windows)
Save and activate changes
Bake and deploy the agent
Bake and sign the agent package
Deploy the updated agent to the target host
Set required file permissions
Please note that these permissions may not be preserved upon updating the Checkmk agent.
After installation, ensure the domain account has the correct permissions on the host:
Read and write access to:
C:\ProgramData\checkmk\logs\mk-sql_rCURRENT
Read access to:
C:\ProgramData\checkmk\config\mk-sql.yml
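Because these permissions may be lost on an agent update, they can be checked and re-applied with a script such as the following. It is an added example, not part of the original guide or of Checkmk. The account name `EXAMPLE\svc-checkmk` is a placeholder, the paths are copied from the list above, and only ACEs that name the account directly are evaluated (access inherited through group membership is not detected).

```powershell
# Added example: verify and, if needed, grant the file permissions listed above.
# Run from an elevated PowerShell session on the monitored host.
$Account = 'EXAMPLE\svc-checkmk'   # placeholder: replace with your domain account

# Paths as given in this guide; each entry carries only the rights the guide asks for.
$Targets = @(
    @{ Path = 'C:\ProgramData\checkmk\logs\mk-sql_rCURRENT'; Rights = 'Read, Write' }
    @{ Path = 'C:\ProgramData\checkmk\config\mk-sql.yml';    Rights = 'Read' }
)

foreach ($t in $Targets) {
    if (-not (Test-Path -LiteralPath $t.Path)) {
        Write-Warning "Not found, skipping: $($t.Path)"
        continue
    }

    $wanted = [int][System.Security.AccessControl.FileSystemRights]$t.Rights
    $acl    = Get-Acl -LiteralPath $t.Path

    # Combine the rights of every Allow ACE that names the account explicitly.
    $have = 0
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -ieq $Account) {
            $have = $have -bor [int]$ace.FileSystemRights
        }
    }

    if (($have -band $wanted) -eq $wanted) {
        Write-Output "OK      $($t.Path) already grants '$($t.Rights)' to $Account"
        continue
    }

    # Add only the missing rights from the guide; existing ACEs are left untouched.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Account,
        [System.Security.AccessControl.FileSystemRights]$t.Rights,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $t.Path -AclObject $acl
    Write-Output "FIXED   $($t.Path) now grants '$($t.Rights)' to $Account"
}
```

Running it again after each agent update shows `FIXED` only for entries whose permissions were reset.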
Once these steps are completed, the mk-sql plugin will run under the configured domain account and successfully monitor the MSSQL instance using domain-based authentication.