A few days ago, I had problems with connections using Kerberos. Thanks, Brian; your article helped me a lot to understand all the behavior that involves SSPI.
Leonel E. Umaña Araya leo_umana@hotmail.com
|
Ludo Bernaerts (3/25/2011): Great article, but I have a question. I configured a SQL instance as mentioned in the article and see all connections coming in with Kerberos auth. However, the connections coming from its own (sqlagent & OS) are still NTLM. What can be the cause of this?

1000 possible reasons... download kerbtray.exe from Microsoft and see if tickets are getting passed successfully.
Carlton.
|
Absolutely wonderful article. This is what Friday should be like! Two discoveries, and I apologize if they were in the article or someone already pointed them out and I missed them.
1. Obviously, the cluster name should be used for the server name in a cluster situation.
2. NTLM seems to be used for local connections, even when Kerberos is functionally available.
|
Ludo Bernaerts (3/25/2011): Great article, but I have a question. I configured a SQL instance as mentioned in the article and see all connections coming in with Kerberos auth. However, the connections coming from its own (sqlagent & OS) are still NTLM. What can be the cause of this?

If this is on a cluster, then Kerberos is not guaranteed. A lot of connections will be via NTLM. Also, if you've only configured the SPNs with the ports, then Named Pipes isn't covered (or if you have a SQL Server 2005 instance, which doesn't include Kerberos support for Named Pipes) so if the local connections are being made that way, then you'll see NTLM also.
K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
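
One way to see which transport the remaining NTLM connections discussed in the reply above arrive on, as an added example that is not part of the original post. It reads the sys.dm_exec_connections and sys.dm_exec_sessions views; the `finding` labels are wording chosen for this example.

```sql
-- Added example (not from the thread): break down current connections by
-- transport and authentication scheme to see where NTLM is still in use.
-- Requires VIEW SERVER STATE permission on the instance.
SELECT
    c.net_transport,          -- transport the connection arrived on
    c.auth_scheme,            -- KERBEROS, NTLM, SQL, ...
    s.login_name,
    s.program_name,           -- helps pick out SQL Agent and other local tools
    s.host_name,
    c.client_net_address,
    CASE
        WHEN c.auth_scheme = 'KERBEROS'
            THEN 'Kerberos'
        WHEN c.auth_scheme = 'NTLM' AND c.net_transport <> 'TCP'
            -- The case raised in the reply: an SPN registered only with a
            -- port does not cover connections made over Named Pipes.
            THEN 'NTLM over non-TCP transport'
        WHEN c.auth_scheme = 'NTLM'
            THEN 'NTLM over TCP'
        ELSE 'Other scheme'
    END AS finding,
    COUNT(*) AS connection_count
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s
    ON s.session_id = c.session_id
WHERE c.parent_connection_id IS NULL   -- skip logical MARS sessions
GROUP BY
    c.net_transport,
    c.auth_scheme,
    s.login_name,
    s.program_name,
    s.host_name,
    c.client_net_address
ORDER BY
    c.auth_scheme,
    c.net_transport,
    connection_count DESC;
```

Rows labelled "NTLM over non-TCP transport" whose `program_name` belongs to SQL Agent or a local tool match the behaviour described in the question.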
|
Hi, page 14 of your presentation "Security Enhancements in SQL Server 2008" suggests that "Kerberos possible without SPN registered in AD".
Could you please point me towards a resource explaining how this works?
Many thanks,
Erdöl Biramen
Senior DBA
ALSTOM / Switzerland