Lab - Vcloud - Kerberos not working
Posted Thursday, May 30, 2013 10:04 AM
Ten Centuries

We have a production environment that we have used to clone into our lab environment for testing. We are using vCloud Director to host this virtual environment. In production, all of our linked servers are using Kerberos for security to use the login's own context. In our vCloud environment everything looks the same as production. The problem we are having is that everything looks good as far as SPNs go, and in AD the SQL Server service account is running under an account that uses account delegation, but we are still getting the error:

Msg 18456, Level 14, State 1, Line 1 Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'

We tried to verify it is using Kerberos with this query:

select net_transport, auth_scheme from sys.dm_exec_connections where session_id=@@spid

However, in vCloud it returns NTLM, and production returns Kerberos. We have tried a bunch of things and nothing seems to work. We rebooted machines, added and removed account delegation in AD, etc. Anyone else run into this?
Post #1458303
Posted Thursday, May 30, 2013 2:36 PM
Say Hey Kid

If you open up a command prompt and run the following, what do you get?

setspn -L <domainName>\<accountName>

Where <domainName> is the pre-Windows 2000 naming convention for the domain (ex: Famicam) and <accountName> is the name of the service account that the SQL Server service account is running under (ex: svc.sql.server). So for example one would run:

setspn -L famicam\svc.sql.server

You should get entries back for the MSSQLSvc for your SQL server.

Are connections being made directly from an application to the database, or are there more hops involved? For example, with SSRS, a user hits a report server and then the report server can relay the credentials back to the SQL Server. Just curious, because depending on how many hops there are, there could be several layers of delegation between different accounts/services that need to be set up.


Joie Andrew
"Since 1982"
Post #1458463
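
Added example (not part of the original thread or any poster's code): a check of `setspn -L` output against the SPNs a SQL Server client requests, since a client that finds no matching SPN falls back to NTLM and the next hop then sees ANONYMOUS LOGON. The host name sql01.famicam.local, the OU, port 1433 and the sample output are constructed values.

```python
# Added example: find MSSQLSvc SPNs that a client would request but that
# `setspn -L` does not list for the service account.
# Constructed sample output; the short-name SPN is there, the FQDN:port one is not.
SAMPLE_SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=svc.sql.server,OU=Service Accounts,DC=famicam,DC=local:
\tMSSQLSvc/SQL01:1433
\tMSSQLSvc/sql01.famicam.local
"""


def parse_setspn(output):
    """Return the SPNs listed by `setspn -L` (the indented lines under the header)."""
    spns = []
    for line in output.splitlines():
        if line[:1] in (" ", "\t") and line.strip():
            spns.append(line.strip())
    return spns


def expected_spns(fqdn, port=None, instance=None):
    """SPNs a client builds for the instance: host alone for a default instance
    reached without TCP, host:instance for a named instance, host:port for TCP."""
    wanted = []
    if instance is None:
        wanted.append(f"MSSQLSvc/{fqdn}")
    else:
        wanted.append(f"MSSQLSvc/{fqdn}:{instance}")
    if port is not None:
        wanted.append(f"MSSQLSvc/{fqdn}:{port}")
    return wanted


def missing_spns(output, fqdn, port=None, instance=None):
    """Expected SPNs that are not registered (SPN matching ignores case)."""
    registered = {s.lower() for s in parse_setspn(output)}
    return [s for s in expected_spns(fqdn, port, instance)
            if s.lower() not in registered]


if __name__ == "__main__":
    for spn in missing_spns(SAMPLE_SETSPN_OUTPUT, "sql01.famicam.local", port=1433):
        print("missing:", spn)
```

Pass the FQDN that DNS returns for the server, because that is the name the client puts in the SPN it requests.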
Posted Thursday, May 30, 2013 2:47 PM
Ten Centuries

The servers were listed in the SETSPN -L. Somehow the problem is resolved; we still aren't sure how. We removed and registered some of the servers in DNS and removed some of the SPNs and re-added them; eventually we must have done the right thing. It is working for us now. Thanks for your help.
Post #1458465