Configuring Kerberos Authentication
Posted Friday, March 25, 2011 10:02 AM
A few days ago, I had problems with connections using Kerberos.
Thanks Brian, your article helped me a lot to understand all the behavior that involves SSPI.



Leonel E. Umaña Araya
leo_umana@hotmail.com
Post #1084155
Posted Friday, March 25, 2011 11:04 AM


Ludo Bernaerts (3/25/2011)
Great article, but I have a question.
I configured a SQL instance as mentioned in the article and see all connections coming in with Kerberos auth.
However, the connections coming from its own (sqlagent & OS) are still NTLM. What can be the cause of this?


1000 possible reasons... Download kerbtray.exe from Microsoft and see if tickets are getting passed successfully.

Carlton.
Post #1084215
Posted Friday, March 25, 2011 1:41 PM
Absolutely wonderful article. This is what Friday should be like!
Two discoveries, and I apologize if they were in the article or someone already pointed them out and I missed them.
1. Obviously, the cluster name should be used for the server name in a cluster situation.
2. NTLM seems to be used for local connections, even when Kerberos is functionally available.
Post #1084331
Posted Friday, March 25, 2011 6:03 PM


The timing on this re-print couldn't be better. Thanks!!!


- Craig Farrell

Never stop learning, even if it hurts. Ego bruises are practically mandatory as you learn unless you've never risked enough to make a mistake.


Twitter: @AnyWayDBA
Post #1084395
Posted Saturday, March 26, 2011 12:23 AM


Ludo Bernaerts (3/25/2011)
Great article, but I have a question.
I configured a SQL instance as mentioned in the article and see all connections coming in with Kerberos auth.
However, the connections coming from its own (sqlagent & OS) are still NTLM. What can be the cause of this?


If this is on a cluster, then Kerberos is not guaranteed. A lot of connections will be via NTLM. Also, if you've only configured the SPNs with the ports, then Named Pipes isn't covered (or if you have a SQL Server 2005 instance, which doesn't include Kerberos support for Named Pipes) so if the local connections are being made that way, then you'll see NTLM also.


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
Post #1084421
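
One way to see which of the cases described above applies, as an added example that is not part of any post in this thread: the queries below use the sys.dm_exec_connections and sys.dm_exec_sessions views to group current connections by transport and authentication scheme, so NTLM rows arriving over Named pipe or Shared memory stand out from Kerberos rows over TCP.

```sql
-- Added example (not from the thread). Requires VIEW SERVER STATE.

-- 1. Break down current user connections by transport and auth scheme.
SELECT
    c.net_transport,        -- TCP, Named pipe or Shared memory
    c.auth_scheme,          -- KERBEROS, NTLM or SQL
    c.client_net_address,   -- '<local machine>' for shared-memory connections
    s.host_name,
    s.program_name,         -- SQL Server Agent sessions start with 'SQLAgent'
    s.login_name,
    COUNT(*) AS connection_count
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s
    ON s.session_id = c.session_id
WHERE s.is_user_process = 1
GROUP BY c.net_transport, c.auth_scheme, c.client_net_address,
         s.host_name, s.program_name, s.login_name
ORDER BY c.auth_scheme, c.net_transport, connection_count DESC;

-- 2. Check the connection you are running this from.
SELECT c.session_id, c.net_transport, c.auth_scheme
FROM sys.dm_exec_connections AS c
WHERE c.session_id = @@SPID;
```

Run the second query once from the server itself and once from a remote client to compare a local connection with a TCP connection.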
Posted Tuesday, May 8, 2012 2:22 AM
Hi,
Page 14 of your presentation "Security Enhancements in SQL Server 2008" suggests that
"Kerberos possible without SPN registered in AD"

Could you please point me towards a resource explaining how this works?

Many thanks
Erdöl Biramen
Senior DBA
ALSTOM / Switzerland

Post #1296281
Posted Monday, March 24, 2014 9:58 AM


In the article, it states:
For a named instance, we typically only require two commands, because there isn't a case where a client is just connecting to the name of the server. For instance, let's assume we have a named instance called Instance2 listening on port 4444 on that same server using that same service account. In that case we'd execute the following commands:

SETSPN -A MSSQLSvc/MyDBServer:4444 MyDomain\SQLServerService
SETSPN -A MSSQLSvc/MyDBServer.mydomain.com:4444 MyDomain\SQLServerService

Isn't this command incorrect? The command is the same as a default instance.

Shouldn't this be:
SETSPN -A MSSQLSvc/MyDBServer:MyInstance:4444 MyDomain\SQLServerService
SETSPN -A MSSQLSvc/MyDBServer.mydomain.com:MyInstance:4444 MyDomain\SQLServerService


Michael L John
To properly post on a forum:
http://www.sqlservercentral.com/articles/61537/
Post #1554100