December 3, 2013 at 10:39 am
We're setting up DNS Aliasing on one of our SQL Servers, but I'm unable to get Kerberos to work from the hop from Reporting Services to the Database Service.
Originally it wasn't working from SSIS so I ran this (changed server/account names for example):
setspn -S MSSQLSvc/Server1.mydomain.com:13000 mydomain\SQLServerAccount
setspn -S MSSQLSvc/Server1.mydomain.com:MyInstance mydomain\SQLServerAccount
And after this SSIS worked like a boss. Problem though is Reporting Services is still not working. So I ran this:
setspn -S MSSQLSvc/Server1.mydomain.com:13000 mydomain\SQLReportAccount
setspn -S MSSQLSvc/Server1.mydomain.com:MyInstance mydomain\SQLReportAccount
setspn -A HTTP/Server1.mydomain.com mydomain\SQLReportAccount
And for the first two it said they were already added. Can you not have two different user names tied to the same SQL Instance? The third HTTP one ran fine, but after all this I'm still unable to get reports to work with the DNS ALias name... Kerberos fails and it tries to use NTLM authorization using anonymous account.
I even modified the SSRS Authentication Types to this then restarted, but no dice:
<AuthenticationTypes>
<RSWindowsNegotiate />
<RSWindowsKerberos />
<RSWindowsNTLM />
</AuthenticationTypes>
So any suggestions on how to get Reporting Services to work using an Alias DNS name ?
Thanks.
December 4, 2013 at 3:08 pm
Is Server1 the DNS alias name?
The probability of survival is inversely proportional to the angle of arrival.
December 5, 2013 at 6:06 am
Reporting Services is HTTP for a service, not SQL.
Make sure the SSRS service account is trusted for delegation, as well as the machine it is running on.
If possible, you may want to get it working first, before you start messing with aliases.
I'm no DNS expert, but I recall those are just pointer records.
You also may want to read Brian's Article [/url]and see if that helps.
December 9, 2013 at 2:01 pm
Hi everyone,
Sorry for the late reply... SSRS is working without issue, and I can connect to the Report Server via the DNS Alias (http://[DNS Alias]/ReportManager for example) and browse to any report I want without issue. The problem is when a report is ran where it has the DNS Alias in the connection string using Integrated Security the Kerberos authentication fails when hopping from SSIS service to Data Engine so it falls back to the Anonymous account and NTLM. So it's not an HTTP issue as far as I can tell, but definitely correct me if I'm missing something.
sturner (12/4/2013)
Is Server1 the DNS alias name?
No, I just used 'Server1' in my example.
Thanks,
Sam
December 9, 2013 at 6:24 pm
SQL Server runs MSSQL Service, and needs to be registered to the machine and service.
Reporting Services runs HTTP service on a machine.
Unsure from your description if these are running on the same or different machines, but with Kerberos, it is an account and service being registered.
Same with SSAS.
Not sure where SSIS is coming into the picture.
My experience is that the DNS Alias was something we took care of with pointer records in DNS. Something like an A and B record.
Did you read Brian's article?
December 16, 2013 at 9:16 am
Greg Edwards-268690 (12/9/2013)
SQL Server runs MSSQL Service, and needs to be registered to the machine and service.Reporting Services runs HTTP service on a machine.
Unsure from your description if these are running on the same or different machines, but with Kerberos, it is an account and service being registered.
Same with SSAS.
Not sure where SSIS is coming into the picture.
My experience is that the DNS Alias was something we took care of with pointer records in DNS. Something like an A and B record.
Did you read Brian's article?
What's the URL to Brian's article? I must have missed it.
Also SSRS is running on the same server as the SQL Engine, and I brought up SSIS because it makes a similar hop from the SSIS service to SQL Engine and works fine.
Thanks
December 16, 2013 at 12:41 pm
samalex (12/16/2013)
Greg Edwards-268690 (12/9/2013)
SQL Server runs MSSQL Service, and needs to be registered to the machine and service.Reporting Services runs HTTP service on a machine.
Unsure from your description if these are running on the same or different machines, but with Kerberos, it is an account and service being registered.
Same with SSAS.
Not sure where SSIS is coming into the picture.
My experience is that the DNS Alias was something we took care of with pointer records in DNS. Something like an A and B record.
Did you read Brian's article?
What's the URL to Brian's article? I must have missed it.
Also SSRS is running on the same server as the SQL Engine, and I brought up SSIS because it makes a similar hop from the SSIS service to SQL Engine and works fine.
Thanks
If you scroll back up to my earliest post, Brian's Article is a hyper link.
Be sure you understand MSSQLSvc and IIS need to be associated to the corresponding SQL and SSRS accounts.
I don't think you need a port for IIS.
And if they are on the same machine, you should not need Kerberos Delegation - there is no hop involved.
Although I am not a network admin, you might just need to make sure there is a pointer record in AD DNS.
We did this, and only set SPN's with real server names to the accounts / services.
Viewing 7 posts - 1 through 6 (of 6 total)
You must be logged in to reply to this topic. Login to reply