Kerberos authentication Issue

  • Recently we changed our Active-Passive cluster to Active-Active (multi-instance). After this change, some of the users were unable to use a double-hop connection (Server A --> Server B [Linked Server A] --> Client).

    I notice some strange behaviour, like some logins supporting double hop only sometimes.

    All servers and users are using Windows domain accounts.

    We tried to reconfigure the SPNs as well as delegation and restarted the SQL service, but double-hop connections are still not working.

    Please advise.

  • You created the SPNs for the virtual network name against the SQL Server service account?

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉

  • Yes. We have created SPNs for all the servers, including the virtual server name (cluster).

    But I am confused by the delegation settings. Do we need to set delegation for all the servers, including the client (client SQL Server), for double hop?

    I am trying to access Server A ----> Server B (Linked Server A) ---> Client. Here I am getting this error:

    Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

  • I am trying to access Server A ----> Server B (Linked Server A) ---> Client. It's working, but sometimes I am getting this error:

    Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

    We have configured the SPNs correctly.

    Please advise.

  • CuriousDBA (11/8/2012)


    Yes. We have created SPNs for all the servers, including the virtual server name (cluster).

    What do you mean, all servers? The only SQL Server SPNs should be the ones created for the virtual network name against the service account.

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉

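The rule stated in the last reply (MSSQLSvc SPNs only for the virtual network names, registered against the service account) can be checked mechanically. The following is an added example, not part of the thread: it audits `setspn -L` output, all account and host names are constructed, and it assumes one service account runs both instances.

```python
import re
from collections import defaultdict

# Constructed sample in the layout printed by `setspn -L <account>`; every name is made up.
SAMPLE = """\
Registered ServicePrincipalNames for CN=svc_sql,OU=Service,DC=corp,DC=example:
        MSSQLSvc/sqlvnn1.corp.example:1433
        MSSQLSvc/sqlvnn1.corp.example:INST1
        MSSQLSvc/node1.corp.example:1433
Registered ServicePrincipalNames for CN=NODE2,CN=Computers,DC=corp,DC=example:
        HOST/node2.corp.example
        MSSQLSvc/sqlvnn2.corp.example:1433
"""

HEADER = re.compile(r"^Registered ServicePrincipalNames for (?P<dn>.+):\s*$")

def parse_setspn(text):
    """Return {account DN: [SPN, ...]} from concatenated `setspn -L` output."""
    spns, account = defaultdict(list), None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            account = m.group("dn")
        elif line.strip() and account:
            spns[account].append(line.strip())
    return dict(spns)

def audit(spns, service_account_dn, virtual_names):
    """Flag MSSQLSvc SPNs that are not for a virtual name or not on the service account."""
    wanted = {v.lower() for v in virtual_names}
    findings, seen = [], set()
    for account, names in spns.items():
        for spn in names:
            svc, _, rest = spn.partition("/")
            if svc.lower() != "mssqlsvc":
                continue  # HOST/, HTTP/ etc. are outside this check
            host = rest.split(":")[0].lower()
            if host not in wanted:
                findings.append(("not-a-virtual-name", account, spn))
            elif account.lower() != service_account_dn.lower():
                findings.append(("wrong-account", account, spn))
            else:
                seen.add(host)
    findings += [("missing", service_account_dn, "MSSQLSvc/" + h) for h in sorted(wanted - seen)]
    return findings

if __name__ == "__main__":
    dn = "CN=svc_sql,OU=Service,DC=corp,DC=example"
    for f in audit(parse_setspn(SAMPLE), dn, ["sqlvnn1.corp.example", "sqlvnn2.corp.example"]):
        print(*f, sep=" | ")
```
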