Configuring Kerberos Authentication
Posted Friday, March 25, 2011 10:02 AM
A few days ago, I had problems with connections using Kerberos.
Thanks Brian, your article helped me a lot to understand all the behavior that involves SSPI.



Leonel E. Umaña Araya
leo_umana@hotmail.com
Post #1084155
Posted Friday, March 25, 2011 11:04 AM


Ludo Bernaerts (3/25/2011)
great article but I have a question.
I configured a sql instance like mentioned in the article and see all connections coming in with Kerberos auth.
However the connections coming from his own (sqlagent & OS) are still NTLM. What can be the cause of this?


1000 possible reasons... download kerbtray.exe from Microsoft and see if tickets are getting passed successfully.

Carlton.
Post #1084215
Posted Friday, March 25, 2011 1:41 PM
Absolutely wonderful article. This is what Friday should be like!
Two discoveries, and I apologize if they were in the article or someone already pointed them out and I missed them.
1. Obviously, the cluster name should be used for the server name in a cluster situation.
2. NTLM seems to be used for local connections, even when Kerberos is functionally available.
Post #1084331
Posted Friday, March 25, 2011 6:03 PM


The timing on this re-print couldn't be better. Thanks!!!


- Craig Farrell

Never stop learning, even if it hurts. Ego bruises are practically mandatory as you learn unless you've never risked enough to make a mistake.

For better assistance in answering your questions | Forum Netiquette
For index/tuning help, follow these directions. |Tally Tables

Twitter: @AnyWayDBA
Post #1084395
Posted Saturday, March 26, 2011 12:23 AM


Ludo Bernaerts (3/25/2011)
great article but I have a question.
I configured a sql instance like mentioned in the article and see all connections coming in with Kerberos auth.
However the connections coming from his own (sqlagent & OS) are still NTLM. What can be the cause of this?


If this is on a cluster, then Kerberos is not guaranteed. A lot of connections will be via NTLM. Also, if you've only configured the SPNs with the ports, then Named Pipes isn't covered (or if you have a SQL Server 2005 instance, which doesn't include Kerberos support for Named Pipes) so if the local connections are being made that way, then you'll see NTLM also.


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
Post #1084421
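
To check which transport the NTLM connections discussed above are actually using, the query below lists each Windows-authenticated connection with its transport and authentication scheme. It is an added example, not part of the original posts; it assumes the standard DMVs sys.dm_exec_connections and sys.dm_exec_sessions and a login with VIEW SERVER STATE permission, and the transport_note column is a hypothetical label added for illustration.

```sql
-- Added example (not from the thread): per-connection authentication scheme
-- and transport, so NTLM sessions can be tied to how they connected.
SELECT
    c.session_id,
    c.connect_time,
    s.login_name,
    s.host_name,
    s.program_name,          -- e.g. SQL Agent or Management Studio
    c.net_transport,         -- 'TCP', 'Named pipe' or 'Shared memory'
    c.auth_scheme,           -- 'KERBEROS', 'NTLM' or 'SQL'
    c.client_net_address,
    c.local_tcp_port,        -- NULL when the transport is not TCP
    CASE
        WHEN c.auth_scheme = 'NTLM' AND c.net_transport = 'Named pipe'
            THEN 'Named Pipes: not covered by port-only SPNs'
        WHEN c.auth_scheme = 'NTLM' AND c.net_transport = 'Shared memory'
            THEN 'Local shared-memory connection'
        WHEN c.auth_scheme = 'NTLM'
            THEN 'TCP with NTLM: check the SPN for this host name and port'
        ELSE ''
    END AS transport_note    -- hypothetical column name, for illustration
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s
    ON s.session_id = c.session_id
WHERE c.auth_scheme <> 'SQL'            -- Windows authentication only
  AND c.parent_connection_id IS NULL    -- skip MARS child connections
ORDER BY c.auth_scheme, c.net_transport, s.program_name;

-- Roll-up of the same data: how many connections per transport and scheme.
SELECT
    c.net_transport,
    c.auth_scheme,
    COUNT(*) AS connection_count
FROM sys.dm_exec_connections AS c
WHERE c.parent_connection_id IS NULL
GROUP BY c.net_transport, c.auth_scheme
ORDER BY c.net_transport, c.auth_scheme;
```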
Posted Tuesday, May 8, 2012 2:22 AM
Hi,
Page 14 of your presentation "Security Enhancements in SQL Server 2008" suggests that
"Kerberos possible without SPN registered in AD"

Could you please point me towards a resource explaining how this works?

Many thanks
Erdöl Biramen
Senior DBA
ALSTOM / Switzerland

Post #1296281
Posted Monday, March 24, 2014 9:58 AM


In the article, it states:
For a named instance, we typically only require two commands, because there isn't a case where a client is just connecting to the name of the server. For instance, let's assume we have a named instance called Instance2 listening on port 4444 on that same server using that same service account. In that case we'd execute the following commands:

SETSPN -A MSSQLSvc/MyDBServer:4444 MyDomain\SQLServerService
SETSPN -A MSSQLSvc/MyDBServer.mydomain.com:4444 MyDomain\SQLServerService

Isn't this command incorrect? The command is the same as a default instance.

Shouldn't this be:
SETSPN -A MSSQLSvc/MyDBServer:MyInstance:4444 MyDomain\SQLServerService
SETSPN -A MSSQLSvc/MyDBServer.mydomain.com:MyInstance:4444 MyDomain\SQLServerService


Michael L John
To properly post on a forum:
http://www.sqlservercentral.com/articles/61537/
Post #1554100
Posted Friday, January 30, 2015 8:58 AM
Hi Brian,

I have a problem here.

I've configured everything correctly in my SCCM environment, and I used to connect to the CAS database from a separate box (same domain) which has the SSMS console installed on it. Now the problem is, whenever I try to run a query in CAS locally, it runs successfully. But when I connect to the CAS database remotely and run the same query with the same login I used in CAS, it gives the error below. This has been happening for the past 2 days only. :'(

Query ran :
select top 100 * from v_GS_WORKSTATION_STATUS

Error :

Msg 18456, Level 14, State 1, Line 1
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
OLE DB provider "SQLNCLI11" for linked server "abc.domain.com" returned message "Invalid connection string attribute".


I checked the SQL connection authentication information; it says authenticated by Kerberos.

136 2015-01-30 17:50:29.277 2015-01-30 17:50:29.280 domain\user TSQL KERBEROS servername Microsoft SQL Server Management Studio

But another weird piece of information is that I can successfully run the query below.

select * from vSMS_R_System

Pleaseeeeeeee helppp me......

Regards,
Jay
Post #1656286