Microsoft SQL Server (MSSQL) Stay organized with collections Save and categorize content based on your preferences.
Looker hasintegration-level support for MSSQL. This page contains information about connecting Looker to MSSQL.
Encrypting network traffic
It is a best practice to encrypt network traffic between the Looker application and your database. Consider one of the options that are described on theEnabling secure database access documentation page.
If you're interested in using SSL encryption, see theMicrosoft documentation.
Configuring server authentication
Looker requires "SQL Server Authentication" on your MSSQL server. If your MSSQL server is configured as "Windows Integrated Authentication" only, change the server configuration to "Windows Integrated Authentication and SQL Server Authentication."
If the server configuration is not set properly, Looker will be unable to connect. This will appear in your SQL Server log messages like: "An attempt to log in using SQL authentication failed. Server is configured for windows authentication only."
If this change is required, you can complete the following steps:
- InSQL Server Management Studio Object Explorer, right-click the server, and then clickProperties.
- On theSecurity page, underServer authentication, select the new server authentication mode, and then clickOK.
- In theSQL Server Management Studio dialog, clickOK to acknowledge the requirement to restart SQL Server.
- InObject Explorer, right-click your server, and then clickRestart. If SQL Server Agent is running, it must also be restarted.
You can read about this more inMicrosoft's documentation.
Creating a Looker user
Looker authenticates to your database using SQL Server Authentication. Using a domain account is not supported.
To create an account, run the following commands. Changesome_password_here to a unique, secure password:
CREATE LOGIN looker WITH PASSWORD = 'some_password_here';USE MyDatabase;CREATE USER looker FOR LOGIN looker;GOGranting the Looker user permission to SELECT from tables
Looker requires theSELECT permission for each table or schema that you will want to query. There are multiple ways to assignSELECT permission:
To grant
SELECTpermission to individual schemas, run the following command for each schema:GRANT SELECT on SCHEMA :: 'schema_name' to looker;To grant
SELECTpermission to individual tables, run the following command for each table:GRANT SELECT on OBJECT :: 'schema_name'.'table_name' to looker;For MSSQL version 2012 or later, you can alternatively assign the Looker user the
db_datareaderrole using these commands:USE MyDatabase;ALTER ROLE db_datareader ADD MEMBER looker;GO
Granting the Looker user permission to view and stop running queries
Looker must be authorized to detect and stop running queries, which requires the following permissions:
ALTER ANY CONNECTIONVIEW SERVER STATE
To grant these permissions, run the following commands:
USE Master;GRANT ALTER ANY CONNECTION TO looker;GRANT VIEW SERVER STATE to looker;GOGranting the Looker user permission to create tables
To give the Looker user the permission to createPDTs, run the following commands:
USE MyDatabase;GRANT CREATE TABLE to looker;GOTemp schema setup
To create a schema that is owned by the Looker user and grant the necessary rights to the Looker user, run this command:
CREATE SCHEMA looker_scratch AUTHORIZATION looker;Configuring Kerberos authentication
Warning: Kerberos authentication with an MSSQL database is supported only for customer-hosted instances. Looker-hosted instances cannot support Kerberos authentication with an MSSQL database.If you use Kerberos authentication with your MSSQL database, follow the steps to configure Looker to connect by using Kerberos, as described in the following section.
Setting up the Kerberos client configuration
First, you need to ensure the installation of several pieces of software and the presence of several files on the Looker machine.
Kerberos client
Verify that the Kerberos client is installed on the Looker machine by runningkinit. If the Kerberos client is not installed, install the Kerberos client's binaries.
For example, on Redhat or CentOS, this would be the following:
sudo yum install krb5-workstation krb5-libs krb5-auth-dialogJava 8
Java 8 must be installed on the Looker machine and in thePATH andJAVA_HOME of the Looker user. If necessary, install it locally in thelooker directory.
Java Cryptography Extension
Download and install the Java Cryptography Extension (JCE) for Java 8 from thisOracle download page.
- Locate the
jre/lib/securitydirectory for the Java installation. - Remove the following JAR files from this directory:
local_policy.jarandUS_export_policy.jar. - Replace these two files with the JAR files included in the JCE Unlimited Strength Jurisdiction Policy Files download.
It may be possible to use versions of Java prior to Java 8 with the JCE installed, but this is not recommended.
- Locate the
Update
JAVA_HOMEandPATHin~looker/.bash_profileto point to the correct installation of Java andsource ~/.bash_profileor log out and in again.Verify the Java version with
java -version.Verify the
JAVA_HOMEenvironment variable withecho $JAVA_HOME.
gss-jaas.conf
Create agss-jaas.conf file in thelooker directory with these contents:
com.sun.security.jgss.initiate{com.sun.security.auth.module.Krb5LoginModulerequireduseTicketCache=truedoNotPrompt=true;};If necessary for testing,debug=true can be added to this file like this:
com.sun.security.jgss.initiate{com.sun.security.auth.module.Krb5LoginModulerequireduseTicketCache=truedoNotPrompt=truedebug=true;};krb5.conf
The server that is running Looker should also have a validkrb5.conf file. By default, this file is in/etc/krb5.conf. If it is in another location, that must be indicated in the environment (KRB5_CONFIG in the shell environment).
You may need to copy this from another Kerberos client machine.
lookerstart.cfg
Point to thegss-jaas.conf andkrb5.conf files by making a file in thelooker directory (the same directory that contains thelooker startup script) calledlookerstart.cfg that contains the following lines:
JAVAARGS="-Djava.security.auth.login.config=/path/to/gss-jaas.conf -Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.krb5.conf=/etc/krb5.conf" LOOKERARGS=""If thekrb5.conf file is not at/etc/krb5.conf then it will also be necessary to add this variable:
-Djava.security.krb5.conf=/path/to/krb5.confFor debugging, add these variables:
-Dsun.security.jgss.debug=true -Dsun.security.krb5.debug=trueThen restart Looker with./looker restart.
Authenticating with Kerberos
User authentication
If
krb5.confis not in/etc/, then use the environment variableKRB5_CONFIGto indicate its location.Run the command
klistto make sure there is a valid ticket in the Kerberos ticket cache.If there is no ticket, run
kinit username@REALMorkinit usernameto create the ticket.The account that is used with Looker will likely be headless, so you can get a keytab file from Kerberos to store the credential for long-term use. Use a command like
kinit -k -t looker_user.keytab username@REALMto get the Kerberos ticket.
Automatically renewing the ticket
Set up a cron job that runs every so often to keep an active ticket in the Kerberos ticket cache. How often this should run depends on the configuration of the cluster.klist should give an indication of how soon tickets expire.
Creating the Looker connection to your database
Follow these steps to create the connection from Looker to your database:
- In theAdmin section of Looker, selectConnections, and then clickAdd Connection.
From theDialect drop-down menu, select your version of Microsoft SQL Server.
Note: If you are on aLooker (Google Cloud core) instance and you don't see your dialect listed in theDialect drop-down menu, see theLooker (Google Cloud core) documentation to verify that the dialect is supported for Looker (Google Cloud core) instances.ForRemote Host andPort, enter the hostname and port (the default port is 1433).
If you need to specify a non-default port other than 1433 and your database requires the use of a comma instead of a colon, you can add
useCommaHostPortSeparator=truein theAdditional JDBC parameters field further down in the connection settings, which will allow you to use a comma forRemote Host:Port. For example:jdbc:sqlserver://hostname,1434Fill out the rest of the connection details. The majority of the settings are common to most database dialects. See theConnecting Looker to your database documentation page for information.
To verify that the connection is successful, clickTest. See theTesting database connectivity documentation page for troubleshooting information.
To save these settings, clickConnect.
Configuring the Looker connection
Follow the instructions on theConnecting Looker to your database documentation page to create a connection to your MSSQL database. In theAdditional JDBC parameters section of theConnection Settings page, add the following:
;integratedSecurity=true;authenticationScheme=JavaKerberosSome networks are configured for two Kerberos realms, one for Windows Active Directory and the other for Linux and other non-Windows systems. In that case, when the Linux-focused Realm and the Active Directory Realm are configured to trust each other, it is called "cross-realm authentication".
If your network uses cross-realm authentication, you must explicitly specify the Kerberos principal for MSSQL Server. In theAdditional JDBC parameters field, add the following:
;serverSpn=service_name/FQDN\:PORT@REALMReplacingFQDN andPORT@REALM with your network information. For example:
;serverSpn=MSSQLSvc/dbserver.internal.example.com:1433@AD.EXAMPLE.COMIn addition, theConnection Settings page in Looker requires entries in theUsername andPassword fields, but these are not required for Kerberos. Enter dummy values in these fields.
Test the connection to make sure that it is configured correctly.
Feature support
For Looker to support some features, your database dialect must also support them.
Microsoft SQL Server 2008+ supports the following features as of Looker 26.2:
| Feature | Supported? |
|---|---|
| Looker (Google Cloud core) | |
| Symmetric aggregates | |
| Derived tables | |
| Persistent SQL derived tables | |
| Persistent native derived tables | |
| Stable views | |
| Query killing | |
| SQL-based pivots | |
| Timezones | |
| SSL | |
| Subtotals | |
| JDBC additional params | |
| Case sensitive | |
| Location type | |
| List type | |
| Percentile | |
| Distinct percentile | |
| SQL Runner Show Processes | |
| SQL Runner Describe Table | |
| SQL Runner Show Indexes | |
| SQL Runner Select 10 | |
| SQL Runner Count | |
| SQL Explain | |
| OAuth 2.0 credentials | |
| Context comments | |
| Connection pooling | |
| HLL sketches | |
| Aggregate awareness | |
| Incremental PDTs | |
| Milliseconds | |
| Microseconds | |
| Materialized views | |
| Period-over-period measures | |
| Approximate count distinct |
Microsoft SQL Server 2016 supports the following features as of Looker 26.2:
| Feature | Supported? |
|---|---|
| Looker (Google Cloud core) | |
| Symmetric aggregates | |
| Derived tables | |
| Persistent SQL derived tables | |
| Persistent native derived tables | |
| Stable views | |
| Query killing | |
| SQL-based pivots | |
| Timezones | |
| SSL | |
| Subtotals | |
| JDBC additional params | |
| Case sensitive | |
| Location type | |
| List type | |
| Percentile | |
| Distinct percentile | |
| SQL Runner Show Processes | |
| SQL Runner Describe Table | |
| SQL Runner Show Indexes | |
| SQL Runner Select 10 | |
| SQL Runner Count | |
| SQL Explain | |
| OAuth 2.0 credentials | |
| Context comments | |
| Connection pooling | |
| HLL sketches | |
| Aggregate awareness | |
| Incremental PDTs | |
| Milliseconds | |
| Microseconds | |
| Materialized views | |
| Period-over-period measures | |
| Approximate count distinct |
Microsoft SQL Server 2017+ supports the following features as of Looker 26.2:
| Feature | Supported? |
|---|---|
| Looker (Google Cloud core) | |
| Symmetric aggregates | |
| Derived tables | |
| Persistent SQL derived tables | |
| Persistent native derived tables | |
| Stable views | |
| Query killing | |
| SQL-based pivots | |
| Timezones | |
| SSL | |
| Subtotals | |
| JDBC additional params | |
| Case sensitive | |
| Location type | |
| List type | |
| Percentile | |
| Distinct percentile | |
| SQL Runner Show Processes | |
| SQL Runner Describe Table | |
| SQL Runner Show Indexes | |
| SQL Runner Select 10 | |
| SQL Runner Count | |
| SQL Explain | |
| OAuth 2.0 credentials | |
| Context comments | |
| Connection pooling | |
| HLL sketches | |
| Aggregate awareness | |
| Incremental PDTs | |
| Milliseconds | |
| Microseconds | |
| Materialized views | |
| Period-over-period measures | |
| Approximate count distinct |
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-18 UTC.