Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase

RS 2012, service domain account, can only get an NTLM login Expand / Collapse
Author
Message
Posted Thursday, May 16, 2013 10:23 PM


Old Hand

Old HandOld HandOld HandOld HandOld HandOld HandOld HandOld Hand

Group: General Forum Members
Last Login: Thursday, August 14, 2014 11:35 PM
Points: 316, Visits: 1,140
Checking the security audit log on my reporting services box indicates that all connections are being made via NTLM. I need connections to be made via kerberos because I have integrated security data sources that point to other boxes. I've done this many times in 2005, 2008, 2008R2 and 2012, and I am going crazy trying to figure out what's wrong.

I have:

A sql server box called MySqlServer
reporting services service running as mydomain\myaccount
reporting services databases on a sql instance called MySqlServer\myInstance running as mydomain\myaccount (same account, I doubt this is relevant anyway)

mydomain\myaccount is trusted for delegation

sys.dm_exec_connections shows that connections to MySqlServer\myInstance are using kerberos.

setspn -l mydomain\myaccount includes the following output:
http/MySqlServer.mydomain.com.au
http/MySqlServer
mssqlsvc/MySqlServer.mydomain.com.au:mystaticport
mssqlsvc/MySqlServer:mystaticport

rsreportserver.config authentication is configured as follows:

<Authentication>
<AuthenticationTypes>
<RSWindowsNegotiate />
</AuthenticationTypes>
<RSWindowsExtendedProtectionLevel>Off</RSWindowsExtendedProtectionLevel>
<RSWindowsExtendedProtectionScenario>Proxy</RSWindowsExtendedProtectionScenario>
<EnableAuthPersistence>true</EnableAuthPersistence>
</Authentication>

I have restarted the reporting services service several times now. I simply cannot get a kerberos connection. But as far as I know, the above covers everything required for kerberos to be used. Anyone know of *anything* else that could be coming into play, no matter how crazy it may sound? Duplicate SPNs, something to do with subnets, datacenters, air speed of a fully laden swallow...


allmhuran.com - download the SSMSDeploy addin for SSMS 2008
Blog on sqlservercentral
Post #1453839
« Prev Topic | Next Topic »

Add to briefcase

Permissions Expand / Collapse