Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 

SQL Sandwiches

Sqlsandwiches is a tool for me to communicate what I have been learning to the SQL community.

Double Hop of Doom

I recently had to battle through THE DOUBLE HOP OF DOOOOOMMM!! It was a very rewarding experience and I think every DBA should battle this beast at one time or another in their career.


So what is a double hop?


Let's take a step back, what's a single hop?


mmmmmm hops

A single hop is where you have your SQL server (let's call it Server 1 for now) with a linked server (Server 2) set up. The hop is where you connect to your linked server. You "hop" from your local SQL instance to the linked server. Piece of cake.

Now the double hop is where you have a client connecting to Server 1 but wants to access the linked server (Server 2). This becomes a bit of a headache when you are using windows authorization. I was trying to access Server 2 from the client and kept getting the great "NT AUTHORITY\ANONYMOUS LOGON". After lots and lots of reading I realized it was more of a Active Directory issue than a SQL issue.  Here is the best article I've found that explains how this all works.

So how after battling active directory for a couple of days, I finally broke through the wall.

Here is what you need to know:

  • Figure out what an SPN is and how to use SETSPN (the above article does a great job)
  • Add an SPN for both servers
  • Add an SPN for your service account - (this is the one that got me)
  • Enable Delegation for your servers in AD
  • Enable Delegation for your SQL SERVICE ACCOUNT
  • restart SQL services.

It was a bit of a battle but we were able to break the anonymous wall and access the legendary linked server. Best advice - keep reading, keep playing with the SPNs.


Comments

Posted by Russ Riopelle on 21 June 2011

We have had this problem for a long time now and finally found something that looks promising.

Unfortunately this link (here) in the sentance below does not work for me?

Here is the best article I've found that explains how this all works.

Posted by david.bennett2 on 21 June 2011

My favorite part of the double hop conundrum comes from fact that I as DBA have no way to directly solve the problem because the Infrastructure folks who manage AD are not interested in enabling delegation because they are afraid it will open up a security hole. So instead I have to use SQL logins in my linked servers because, although Windows Authentication is the preferred method in all cases, I can't use it because of the double hop of doom.

Posted by Adam Mikolaj on 21 June 2011

@Russ - Sorry about that. I updated the link. Hope it helps.

@David - I 100% agree with you. Fortunately for me, my AD admin was very open to doing this since we have windows auth systems only. It was a good experience putting on the AD hat and working through this problem with our AD admin.

Leave a Comment

Please register or log in to leave a comment.