Linked Servers & Windows 10 Credential Guard

  • Hello,
    Does anybody know how to configure Linked Servers to work with Windows 10 Credential Guard?
    I get Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON' after enabling Credential Guard on our clients.
    I can no longer connect to the linked server from my Windows 10 client.
    However, the connection works from Windows Server.  
    Linked Server is configured as:
    @srvproduct=N'SQL Server'
    @useself=N'True',@locallogin=NULL,@rmtuser=NULL,@rmtpassword=NULL


    Regards,
    /Fari

  • I have no idea what Credential Guard is, but it looks like you are running into a standard double-hop issue...Client to Server to Server.
    https://technet.microsoft.com/en-us/library/ms189580(v=sql.105).aspx

    ----------------------------------------
    Standing in the gap between Consultant and Contractor
    Kevin3NF
    DallasDBAs.com/Blog
    Why is my SQL Log File HUGE?!?! | The future of the DBA role... | SQL Security Model in Plain English
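
An added diagnostic example for the double-hop question raised above (not code from any poster in this thread): it checks how the client session authenticated to the first-hop SQL Server and how the linked server maps logins. `[LINKED_SRV_PLACEHOLDER]` is a placeholder for the linked server's name, which the thread does not give.

```sql
-- Run on the first-hop SQL Server, from the affected client session.
-- Requires VIEW SERVER STATE for the DMV queries.

-- 1. How did this session authenticate to the first-hop server?
--    Only a KERBEROS session can have its identity delegated to a second
--    server. An NTLM session cannot be forwarded, and the second hop then
--    arrives as NT AUTHORITY\ANONYMOUS LOGON (Msg 18456).
SELECT c.session_id,
       s.login_name,
       c.auth_scheme,            -- KERBEROS | NTLM | SQL
       c.net_transport,
       c.client_net_address
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.session_id = @@SPID;

-- 2. How does each linked server map logins?
--    uses_self_credential = 1 corresponds to @useself = N'True' in the
--    original post: the caller's own Windows identity is passed to the
--    remote server, which is the case that depends on delegation.
SELECT srv.name        AS linked_server,
       srv.product,
       srv.data_source,
       ll.uses_self_credential,
       ll.remote_name,           -- NULL when the caller's own identity is used
       COALESCE(sp.name, N'(default mapping for all logins)') AS local_login
FROM sys.servers            AS srv
JOIN sys.linked_logins      AS ll ON ll.server_id = srv.server_id
LEFT JOIN sys.server_principals AS sp
       ON sp.principal_id = ll.local_principal_id   -- 0 = wildcard mapping
WHERE srv.is_linked = 1;

-- 3. Which identity does the remote server actually see?
--    Succeeds with the caller's login when delegation works; fails with
--    Msg 18456 (ANONYMOUS LOGON) when it does not.
SELECT remote_login
FROM OPENQUERY([LINKED_SRV_PLACEHOLDER],
               'SELECT SUSER_SNAME() AS remote_login');
```

Comparing the output of step 1 from the Windows 10 client and from the Windows Server session that still works shows whether the two sessions differ in `auth_scheme` or only in what happens at the second hop.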

  • Kevin3NF - Thursday, May 18, 2017 12:20 PM

    I have no idea what Credential Guard is, but it looks like you are running into a standard double-hop issue...Client to Server to Server.
    https://technet.microsoft.com/en-us/library/ms189580(v=sql.105).aspx

    Hi Kevin,
    Credential Guard is a new feature in Windows 10 Enterprise and Windows Server 2016 that prevents phishing, … feature we have enabled in our company.
    https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard
    We have a workaround now, by logging on to the server when developing, testing, … But it is not a solution. You can't even run a select from a client:

    Msg 18456, Level 14, State 1, Line 1

    Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.


    I haven’t tested the connection using a SQL Server login; we don’t see that as an alternative solution.
    I am going to test the connection from our Windows 2016 environment. It should not work there either.

    Regards,
    Fari

  • fari.sah - Thursday, May 18, 2017 11:16 PM

    Hi Kevin,
    Credential Guard is a new feature in Windows 10 Enterprise and Windows Server 2016 that prevents phishing, … feature we have enabled in our company.
    https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard
    We have a workaround now, by logging on to the server when developing, testing, … But it is not a solution. You can't even run a select from a client:

    Msg 18456, Level 14, State 1, Line 1

    Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.


    I haven’t tested the connection using a SQL Server login; we don’t see that as an alternative solution.
    I am going to test the connection from our Windows 2016 environment. It should not work there either.

    Regards,
    Fari

    Correct...please read the part of the linked doc where the AD account:

    "The user Active Directory property, Account is sensitive and cannot be delegated, must not be selected."

    Please verify this for the account you are connecting with from the client.


  • Kevin3NF - Friday, May 19, 2017 5:51 AM

    Correct...please read the part of the linked doc where the AD account:

    "The user Active Directory property, Account is sensitive and cannot be delegated, must not be selected."

    Please verify this for the account you are connecting with from the client.

    Hi,
    I used my domain admin account which has the correct properties.

  • Did it work before Credential Guard was in place, when running queries from the client?


  • Kevin3NF - Monday, May 22, 2017 5:57 AM

    Did it work before Credential Guard was in place, when running queries from the client?

    Yes Kevin, it did! We tested disabling Credential Guard on a client and it worked as it did before, so the problem is Credential Guard.
    Regards
    /Fari

  • Best suggestion I have for you:
    https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations


  • Thanks Kevin! I'll get back to you after checking this up 🙂

  • fari.sah - Monday, May 22, 2017 7:38 AM

    Thanks Kevin! I'll get back to you after checking this up 🙂

    It could work if we disable Credential Guard on the PAW workstation/server. But we are looking for another solution.
    Regards /Fari
