November 4, 2010 at 1:30 pm
Have a sql agent job that is trying to loop through a list of servers. I have added the SQL Agent account as a SYSADMIN on each remote Sql Server it's trying to query. Query looks like this.
------------------
SELECT q.*
FROM OPENROWSET('SQLNCLI', 'Server=SQL01;Trusted_Connection=yes;',
'Select.............. ') AS q
------------------
Error Message
Msg 18456, Level 14, State 1, Line 1
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Any ideas?
November 4, 2010 at 1:35 pm
Are all of the server startup services starting up with the same login, and what is the level of permissino for this login. We have over 200 servers talking amongst themselves this way. The startup service is a Domain Admin account and a sysadmin on each of the servers. In this configuration, the only issue we have has is when a DNS issue arises.
Steve Jimmo
Sr DBA
“If we ever forget that we are One Nation Under God, then we will be a Nation gone under." - Ronald Reagan
November 4, 2010 at 1:35 pm
It's a "too many steps for Windows authentication" problem. (There's a more formal name, but this one's more expressive.)
Natively, Windows can only pass authentication one step, e.g.: client to server, or server to server. It can't pass more than that, e.g.: client to server to another server.
Any time you see that anonymous login error, you're probably looking at this issue.
It can be solved. Look up "kerberos" online. Or use integrated security. Either one works.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
November 5, 2010 at 7:23 am
Agree with Gus. Check out this article[/url].
Jack Corbett
Consultant - Straight Path Solutions
Check out these links on how to get faster and more accurate answers:
Forum Etiquette: How to post data/code on a forum to get the best help
Need an Answer? Actually, No ... You Need a Question
November 5, 2010 at 8:03 am
different accounts in the same domain group. the domain group is a sysadmin on each server.
November 5, 2010 at 8:07 am
Oh no, you said "kerberos". :w00t: I was afraid of that when I noticed no authentication was being passed but I was hoping it was something I could do differently in SQL Server to get around it.
Thanks for the feedback guys. Good article. I'll get it figured out.
November 5, 2010 at 8:10 am
As Gus said, it is a double-hop or multiple-hop issue which means you need to use Kerberos delegation in order to use trusted authentication with OPENROWSET.
Check out the article I linked to in my first post.
Edit: Oops you posted that you were checking that out while I was posting this. Please disregrad.
Jack Corbett
Consultant - Straight Path Solutions
Check out these links on how to get faster and more accurate answers:
Forum Etiquette: How to post data/code on a forum to get the best help
Need an Answer? Actually, No ... You Need a Question
Viewing 7 posts - 1 through 6 (of 6 total)
You must be logged in to reply to this topic. Login to reply