Post reply

Configuring Kerberos Authentication on a SQL 2005 server running on Windows 2008 Cluster

  • June 23, 2009 at 8:11 am

    #205783

    The situation is quite simple in theory, we are putting in a new MOSS solution which as part of the specs requested we need to use Kerberos authentication on the SQL comms.

    Our SQL 2005 server is running on a Windows 2008 Cluster, so far we have not had to configure Kerberos except for now. We have two separate instances running on the SQL Cluster. Generally speaking the two instances run on different nodes giving an Active-Active configuration, (Server specs are high enough so either node could run both instances with no noticeable service degradation.

    So the setup SQL-wise is like this;

    SQLNODE1 -WIN2K8 Physical Node

    SQLNODE2 - WIN2K8 Physical Node

    SQL1 - Virtual Name (Cluster Resource)

    SQL2 - Virtual Name (Cluster Resource)

    SQL1:INSTANCE1 - SQL Server instance 1

    SQL2:INSTANCE2 - SQL Server Instance 2

    We have done the theoriticals afaik, however still do not seem to be using anything but NTLM for all connections. e.g. SetSPN -A MSSQLSvc/SQL1.domain.local:INSTANCE1 SQL_Server_ServiceAccount

    I have moved the instances between the nodes to ensure the SPN changes are asserted on the cluster.

    Are there additional steps that are required in SQL?

    In this configuration how many SPNs should I have?

    From my understanding seems to imply the following would be sufficient, is this so?

    MSSQLSvc/SQL1.domain.local SQL_Server_ServiceAccount

    MSSQLSvc/SQL1.domain.local:INSTANCE1 SQL_Server_ServiceAccount

    Many thanks,

    Rob

  • June 23, 2009 at 8:43 am

    #1013999

    There coule be a SPN issue here:

    Check this out for Quick answer: http://blogs.msdn.com/darwin/archive/2005/10/19/482593.aspx

    Maninder
    www.dbanation.com

  • June 23, 2009 at 9:31 am

    #1014039

    I 'think' it might be working.

    When I connect in from another server I can see in promising looking events in the eventlog

    EventData

    SubjectUserSid S-1-0-0

    SubjectUserName -

    SubjectDomainName -

    SubjectLogonId 0x0

    TargetUserSid S-1-5-21-1234567890-123456789-123456789-1234

    TargetUserName SQLNODE1$

    TargetDomainName DOMAIN

    TargetLogonId 0x4720ca8

    LogonType 3

    LogonProcessName Kerberos

    AuthenticationPackageName Kerberos

    WorkstationName

    LogonGuid {1XXX12XX-XXXX-XXXX-XXXX-XXXXXXXX}

    TransmittedServices -

    LmPackageName -

    KeyLength 0

    ProcessId 0x0

    ProcessName -

    IpAddress 10.123.45.67

    IpPort 55825

    How does this look?

    Rob

  • June 23, 2009 at 10:39 am

    #1014098

    looks fine.

    Also check to see on the SQL instance that the user is shown with proper kerberos auth in sys.sm_exec_connections.

    Maninder
    www.dbanation.com

Viewing 4 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic. Login to reply