Press "Enter" to skip to content

Author: Kevin Feasel

Multiple Domain Controllers and Kerberos Double-Hops

Randy Knight sorts out a problem:

We recently had a customer where Windows logins to a SQL Server Availability Group started throwing “Cannot generate SSPI context” — but only sometimes, and only for some people. The same user, on the same workstation, would fail one minute and connect the next. Applications were fine. Nothing had changed on SQL Server.

It took the better part of two days and a lot of second-guessing to run down, and the culprit turned out to be something most of us never think about: which domain controller handed out the Kerberos ticket.

Click through for the answer. Surprisingly, it has nothing to do with SPNs for once.

Comments closed

Power BI’s Row-Level Security Bitmap Changes

Phil Seamark lays out the consequences of a change:

If you have ever watched a model with row-level security run beautifully for months and then quietly fall off a cliff, this one is for you. Nothing in the model changed. You did not touch the security rules. One table just grew past a line you could not see, and every query under that role started doing a great deal more work than it used to.

That line just moved, and it moved in your favour. Here is what it is and why it sits where it does.

Click through to learn more about how Power BI handles row-level security predicate matching.

Comments closed

Deprecated SQL Server Features since 2016

Jeff Iannucci has a list:

If you’re planning on upgrading from SQL Server 2016 to the current version of SQL Server 2025, it would be helpful to note some of the features from versions since 2016 that are no longer supported. By that I’m talking about those things classified as “deprecated” (no longer supported) or “discontinued” (removed from the product). Let’s take a look at these features and say our goodbyes, organized by versions.

There’s not a lot on here that would affect most companies. Though to one of Jeff’s points in the article, I actually have seen a company use lightweight pooling, mostly because they didn’t know what it did and saw the bit about how it could improve performance. I came in and flipped that switch off for them. That was the kind of feature that likely benefited one or two large customers 30 years ago or so and it just hung around in the product due to inertia.

Comments closed

Building a Type-6 Slowly Changing Dimension

Dinesh Asanka creates a dimenson:

In a data warehouse, one important concept is to retain historical data. This data is typically not available in operational systems. One approach in data warehouses is the use of Slowly Changing Dimensions (SCDs). What are the SCD options and are there any new approaches?

Click through for a quick depiction of Types 0 through 3, and then where 6 fits into the mix. I’m not 100% sure I’ve ever actually used a Type-6 slowly changing dimension in a production environment, though there are specific circumstances in which one could be quite useful.

Comments closed

Query Execution vs Query Processing

Louis Davidson disambiguates a pair of terms:

There have been a lot of posts on LinkedIn of late about the “logical execution order” of a query that all really miss some really big points. I was corrected myself in some terminology because I mistook the term “processing” to mean the same as “order” in these discussions when I was explaining why logical execution order is not what people expected.

Click through for a good explanation, as well as a plan to have your company pay for your Disney World trip.

I also appreciate how Louis still calls it SQL Sentry Plan Explorer because that’s what it always will be in my heart.

Comments closed

On-Prem Is Still On-Prem

Andy Brownsword reminds us that it’s still the same animal:

Cloud solutions have sliders which magically reduce downtime, performance issues, and account credit. When you build it, infrastructure and platforms are your challenge, and you get one shot to right-size it. Capacity, resilience, capabilities. They’re your challenges to solve. There is no cake slider.

It’s the capabilities I want to consider here. The capabilities we have available to us day-to-day. Potentially two opposing sides:

To summarize things, everything is awful, just as it always has been. Granted, that may not be how Andy would summarize things, but that’s why I get those big Curated SQL bucks.

Comments closed

Re-Migration and Data Engineering

Andy Leonard shares some thoughts:

Right-sizing didn’t always work out the way some clients were led to believe it would.

In nearly every instance, the right-sizing argument was presented (sold) as the solution to over-provisioning, or purchasing hardware to serve peak loads. The classic example was a US income tax service that needed more and faster compute available to meet increasing demand starting in late January and peaking in mid-April each calendar year. After mid-April, hardware that was beefy enough to handle that peak load sat mostly idle for the next 9 months.

I don’t think I’ve ever worked for a company where this scenario really made sense. Even in the e-commerce company where a sizable fraction of our total annual revenues happened over a 5-day period, the load was still significant enough the rest of the year that we made good use of our on-premises SQL Server hardware.

Comments closed

Identity Columns in Fabric Runtime 2.0

Jon Lunn is happy:

Fabric Runtime 2.0 is in public preview, and there is one small change for this that makes my life as a data engineer a little bit easier. Identity columns. I miss the good old T-SQL Identity column “Id INT IDENTITY(1,1)”, now we have something like it in Spark/Delta.

So with the the old spark/delta table runtime, you couldn’t have an default, automatically increasing column. But now we have these updates.

Click through to see how it works.

Comments closed

The Muddy World of Hybrid Environments

Deborah Melkin muddies up the waters a bit:

My first reaction to this sentence was: Oh look, he assumes that everyone is in the cloud…

My next reaction was: Oh look, he acknowledged that maybe everyone isn’t in the clouds in his follow-up examples.

Since the cloud was introduced, the assumption was always going to be everyone will moving to the cloud. “You’ll be behind if you don’t learn the cloud,” they said. Then as people either moved or started looking into moving their databases, they realized they just couldn’t – whether it was due to missing features, higher than expected costs, etc. There was always some reason.

Click through for some of the challenges and realities of organizations where certain cloud-first or cloud-only services would be a major challenge, versus other services that are typically easier to deal with.

Comments closed

The Vendor-Security Researcher Relationship

Andreas Wolter shares some thoughts:

The recent public discussion around YellowKey and Microsoft’s vulnerability disclosure process has put vulnerability research, coordinated disclosure, and Microsoft’s Security Response Center (MSRC) into the spotlight.   While that specific discussion is about Windows and BitLocker, it exposes a broader problem that many researchers recognize: vulnerability disclosure is often framed as a simple responsibility of the researcher.

The idealized workflow is straightforward: find the issue, report it, wait for the vendor, and accept the outcome.

But coordinated disclosure cannot be a one-way obligation.

Andreas shares some perspective from having been a top security person on the SQL Server team. Along the way, he hits one on of my bugbears: the fact that there is no easy way to tell exactly what login X (or user X) can do on a SQL Server instance. The closest I ever got was to impersonate user X and run sys.fn_my_permissions() in the context of that user. But even that isn’t perfect.

Comments closed