SQL Server Connections
Keeper Connections - SQL Server Protocol
Overview
KeeperPAM enables zero-trust privileged session management for SQL Server databases through an interactive CLI or the visual KeeperDB interface. This guide shows how to configure SQL Server connections on PAM Database records in the Keeper Vault. Sessions start from the Vault, route through the Keeper Gateway, and connect to the target database.
Prerequisites
Before you begin, review the connection prerequisites on Getting Started.
You need these records to configure a SQL Server connection:
Stores the infrastructure details needed to reach the target.
Stores the SQL Server host and connection details.
Stores the SQL Server credentials used for the session.
This guide uses a SQL Server Database record as the target.
PAM Settings - SQL Server Protocol
Accessing connection settings
After you create the target PAM record, open the connection settings:
Edit the PAM record.
Click Set Up in PAM Settings.
Open the Connection section.
Configuring connection settings
Before you configure the SQL Server protocol, set these required fields:
PAM Configuration
The PAM Configuration provides access to the target defined on the record.
Administrative Credential Record
The linked PAM User used for authentication and administrative actions.
The following table lists the SQL Server-specific connection settings:
Protocol
Required. Select SQL Server. Keeper populates the available settings for this protocol.
Enable Connection
Required. Enable this toggle to allow launches from the record.
Graphical Session Recording
Enables graphical session recording for this connection.
Text Session Recording (Typescript)
Enables raw text session recording with timing data.
Include Key Events
Includes keystrokes in playback. This can capture typed secrets.
Connection Port
Uses the port on the PAM Database by default. Override it here if needed. The default SQL Server port is 1433.
Launch Credentials
Uses the selected credentials to authenticate the session. See Connection Authentication Methods.
Allow users to select credentials from their vault
Lets users choose their own private vault credentials. See Connection Authentication Methods.
Rotate launch credentials upon session termination
Rotates the selected launch credential when the session ends.
Default Database
Selects the default database when the session starts.
Can download
Allows CSV export when supported by the client session.
Can upload
Allows CSV import when supported by the client session.
Can copy to clipboard
Lets users copy text from the session.
Can paste from clipboard
Lets users paste local clipboard content into the session.
Font name
Sets the terminal font. Use a monospaced font installed on the server running guacd.
Font size
Sets the terminal font size in points. The default is 12.
Maximum scrollback size
Sets the maximum terminal scrollback buffer. The default is 1000 rows.
Read-only
Prevents all input. Users can view the session but cannot interact.
Connection Authentication Methods
SQL Server connections support these authentication methods:
Launch Credential Keeper uses the credential linked on the PAM record. Users do not need direct access to that credential.
Personal/Private Credential When Allow users to select credentials from their vault is enabled, users can authenticate with their own private vault credential.
Ephemeral Accounts Keeper creates a temporary privileged account for the session and deletes it after the session ends. This supports Just-In-Time access.
Session Recordings - SQL Server Protocol
For this protocol, Keeper records both the graphical session and the full raw text stream, including timing data. Learn how to access and review recordings on Session Recording & Playback.
Learn more about Session Recording & Playback
Connection Templates
You can also configure the PAM record as a connection template. Connection templates let users launch sessions without predefining a specific hostname or credential.
Learn more about Connection Templates
Last updated