Jani Lane (3/18/2008)

---

Good day!

Don't know much about security, but I've created my web service function to return a dataset from SQL Server 2000. When I invoked the function it is giving me this error in the page although I can generate a dataset and connect to the db, only when invoking the web service that I'm getting this.

Need help please.

Thanks

rbarryyoung (3/22/2008)

---

In your case it is pretty clear what the problem is (not so clear for the OP, who had less detail). What you are running into is almost certainly the "Two Hop Rule", which is that under windows domain security, an impersonated security context cannot re-impersonate (that is, it cannot generate the same impersonation on another server).

This is relevant because when you connect from a client to the SQL Server, it impersonates you to generate the security context. In order to get to the linked server using Trusted connections, the security context of your server session would have to be re-impersonated on the target server, and that is not allowed. So even though you can connect directly from your client to both servers, you cannot connect from you client to the first server and then through that to the linked server, because that would be a two-hop impersonation.

The way to test to see if this is really the problem is to find a way to get a session on your SQL server without it having to be impersonated and then try to connect to the linked server from there. I know of two ways to do this:

1) Log on to your server at the console or through Remote Desktop, then run your client to connect to the SQL server on the same box; then connect through it to the Linked Server; it should work now. OR..

2) Write a stored procedure that tries to connect to the linked server and run it using the SQL Agent making sure the the Run As.. is set. (Actually, I am not sure that this still works under Sql2005..)

If you ask Microsoft, they will say that the solution to this problem is Kerberos, but I have yet to see anyone successfully use Kerberos to address this problem in a complex multi-domain corporate enterprise network.

The solution that everyone ends up using is SQL Logins for server-to-server communications. Not ideal, and not a secure as anyone would like, but it does work.

Marios Philippopoulos (3/24/2008)

---

Thank you!

This problem rears its ugly head in many different ways. It occurs when I attempt to open an SSRS report on my local workstation that connects through Windows auth. to a production instance and surveys user-database permissions. To resolve I need to create a special SQL login with sysadmin permissions on the instance! The alternative would be to map that login to EVERY single user database with db_datareader permissions, something hard to pull off logistically (and messy).

So at the moment I'm stuck with a less than ideal scenario, and I want to try the Kerberos-auth option...

There's a great document which details how to configure and troubleshoot Kerberos delegation related problems here (it's essential reading for CRM 3.0 configurations where all the tiers are on separate servers):

Troubleshooting Kerberos Delegation

Marios Philippopoulos (3/24/2008)

---

[quote]So at the moment I'm stuck with a less than ideal scenario, and I want to try the Kerberos-auth option...

rbarryyoung (3/26/2008)

---

Good luck. Make sure that you've got some good Networking & AD folks available.

rbarryyoung (3/26/2008)

---

On second thought, maybe you should just brung Brian along. ;)