diff --git a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/sql-server-ad-pkinit.mdx b/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/sql-server-ad-pkinit.mdx
index 9488b00148528..a49beca8985e3 100644
--- a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/sql-server-ad-pkinit.mdx
+++ b/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/sql-server-ad-pkinit.mdx
@@ -189,7 +189,7 @@ following PowerShell script on your Windows instance:
```powershell
$WindowsDERFile = $env:TEMP + "\windows.der"
$WindowsPEMFile = $env:TEMP + "\windows.pem"
-certutil "-ca.cert" $WindowsDERFile
+certutil "-ca.cert" $WindowsDERFile
certutil -encode $WindowsDERFile $WindowsPEMFile
$CA_CERT_PEM = Get-Content -Path $WindowsPEMFile
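Review bot: The `-`/`+` pair for `certutil "-ca.cert" $WindowsDERFile` reads identically here, so this hunk looks like a whitespace-only or invisible-character change (trailing space, line ending, or a non-ASCII quote). If that is intentional, say so in the PR description; if the quoting of `"-ca.cert"` was meant to change, the visible text does not show it.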
@@ -219,6 +219,16 @@ database section below as appropriate:
- `spn`: Service Principal Name (SPN) for SQL Server to fetch Kerberos tickets.
- `kdc_host_name`: SPN of the domain controller responsible for providing the LDAP CA.
- `ldap_cert`: The contents of the LDAP CA previously exported.
+- `ldap_service_account_name`: Name of the service account Teleport uses to query LDAP for user SIDs.
+- `ldap_service_account_sid`: SID corresponding to the specified `ldap_service_account_name`.
+
+
+ Teleport will attempt to authenticate to LDAP with `ldap_service_account_name` username using x509 certificate issued
+ with the Teleport CA. LDAP should trust this certificate thanks to the previous step ("Publish the Teleport CA").
+
+ We encourage the use of service account with minimal privileges. To perform the mapping,
+ Teleport needs access to `objectSid`, `sAMAccountName` and `sAMAccountType` attributes.
+
```yaml
version: v3
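Review bot: The new paragraphs after the bullet list are indented by one space and separated by two blank lines, which renders oddly in MDX and leaves a double blank line before the fence; drop the leading space and one blank line. Wording: "using x509 certificate issued with the Teleport CA" should read "using an X.509 certificate issued by the Teleport CA", and "the use of service account" should read "the use of a service account". It would also help to state whether the two new fields are required for PKINIT or optional, since the config reference in this same PR says the SID is "required for PKINIT if the user SID must be included in the certificate" and this page does not. Finally, the existing bullet says `kdc_host_name` while the troubleshooting text below refers to `kdc_hostname`; only one of those is the real key.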
@@ -247,6 +257,8 @@ db_service:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
+ ldap_service_account_name: "DEV\svc-teleport"
+ ldap_service_account_sid: "S-1-5-21-1111111111-2222222222-3333333333-4444"
```
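Review bot: `ldap_service_account_name: "DEV\svc-teleport"` will not parse: in a YAML double-quoted scalar the backslash is an escape character and `\s` is not a valid escape, so this example fails as written. Use single quotes (`'DEV\svc-teleport'`) or double the backslash (`"DEV\\svc-teleport"`). Also note the config reference in this PR uses the bare name `svc-teleport` without a domain prefix; the two examples should agree on which form Teleport expects.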
@@ -343,6 +355,15 @@ that the KDC hostname is wrong. You can verify your domain controller’s SPN to
see if they’re set correctly and update the value on the field `kdc_hostname` on
your database's configuration.
+### PKINIT authentication fails due to missing SID
+
+If PKINIT authentication fails and the Teleport Database Service logs show errors related to a missing user SID or failed LDAP queries,
+verify that the `ldap_service_account_name` and `ldap_service_account_sid` fields are correctly set in your database configuration.
+
+Verify that there are no errors due to invalid certificate in `ldap_cert` field.
+
+Ensure that the service account exists, has correct name and SID and has access to specified attributes.
+
### Teleport cannot verify database CA
If your database has a CA that Teleport doesn’t know about, it will return the
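Review bot: The last two sentences need articles and a clearer list: "due to an invalid certificate in the `ldap_cert` field" and "has the correct name and SID, and has read access to the `objectSid`, `sAMAccountName` and `sAMAccountType` attributes", naming the same attributes the configuration section above requires so the reader does not have to scroll back. It would also be worth saying which log messages to look for, since "errors related to a missing user SID or failed LDAP queries" is hard to grep for.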
diff --git a/docs/pages/includes/config-reference/database-config.yaml b/docs/pages/includes/config-reference/database-config.yaml
index bb7ba1f0e7a96..be80ab1cdd55c 100644
--- a/docs/pages/includes/config-reference/database-config.yaml
+++ b/docs/pages/includes/config-reference/database-config.yaml
@@ -191,6 +191,11 @@ db_service:
spn: MSSQLSvc/ec2amaz-4kn05du.dbadir.teleportdemo.net:1433
# Optional path to Kerberos configuration file. Defaults to /etc/krb5.conf.
krb5_file: /etc/krb5.conf
+ # Name of the service account Teleport uses to perform LDAP queries for retrieving user SIDs.
+ ldap_service_account_name: "svc-teleport"
+ # SID of the above service account. Teleport uses this to authenticate LDAP queries.
+ # Also required for PKINIT if the user SID must be included in the certificate.
+ ldap_service_account_sid: "S-1-5-21-1111111111-2222222222-3333333333-4444"
# Optional configuration for Azure hosted databases.
azure:
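Review bot: The comment on `ldap_service_account_sid` ("Teleport uses this to authenticate LDAP queries") conflicts with the mdx page in this PR, which says LDAP authentication is done with `ldap_service_account_name` and an X.509 certificate; pick one description of what the SID is used for (the second comment line, embedding the SID in the PKINIT certificate, looks like the accurate one). The neighbouring keys are annotated "Optional ..." and these are not, so mark them required or optional explicitly. The example name `"svc-teleport"` also differs from `"DEV\svc-teleport"` on the mdx page; align the two.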