August 20, 2018 at 3:34 am
Morning Guys,
I am trying to solve the dreaded double-hop issue, whereby I have an SSIS Package on one server that is collecting data from a 3rd server via the 2nd server. Hops 1-2-2-3.
Having read a fair bit regarding SPNs (and whilst not fully confident I know what I am talking about) I think the problem for me might be a duplicate SPN registered. But not strictly duplicate. As follows:
ComputerName : ALEX3004
Specification :
ServiceClass : MSSQLSvc
sAMAccountName : svc_sql
SPN : MSSQLSvc/ALEX3004.MyDomain.local
ComputerName : ALEX3004
Specification : 1433
ServiceClass : MSSQLSvc
sAMAccountName : svc_sql
SPN : MSSQLSvc/ALEX3004.MyDomain.local:1433
Do these two similar SPNs count as a duplicate? One has a port number registered and the other doesn't. Does that constitute duplication?
I have exactly the same kind of registration for the other server:
ComputerName : ALEX1004
Specification : 1433
ServiceClass : MSSQLSvc
sAMAccountName : svc_sql
SPN : MSSQLSvc/ALEX1004.MyDomain.local:1433
ComputerName : ALEX1004
Specification :
ServiceClass : MSSQLSvc
sAMAccountName : svc_sql
SPN : MSSQLSvc/ALEX1004.MyDomain.local
As always help is appreciated 🙂
Cheers
Alex
August 20, 2018 at 4:05 am
Hi, that's normal (i.e. not a duplicate).
August 20, 2018 at 4:44 am
Cheers Beatrix.
So, with that, does that look like my double hop problem is unrelated to the SPNs? I suppose more info is needed to answer that, which I am still looking into.
August 20, 2018 at 5:30 am
It could still be a Kerberos issue. Are you using the same account across all the servers? (I warn you now, my SSIS skills suck so I might not get much further with this :D.)
August 20, 2018 at 6:27 am
Yes, same account to run all the SQL Servers in this domain,
and the SSIS connection is set to integrated security.
August 20, 2018 at 7:08 am
However, get-aduser tells me that:
TrustedForDelegation : False
TrustedToAuthForDelegation : False
I think that means before the SPNs even begin to matter I need to at least have that account set for constrained delegation?
August 25, 2018 at 3:28 pm
I have been working a similar issue with Linked Servers :(.
Here is what I have so far.
About halfway down, the article details a Kerberos configuration using Constrained Delegation, Linked Servers and Multi Hop.
Here are a few SQL oriented, Kerberos references that may help.
The IT Admins have set all this up for me so I can't get into a lot of detail. So far all my server connections default to Kerberos but I have not had time to get back to testing the Linked Servers.
HTH
August 28, 2018 at 12:51 pm
You posted the SPNs, but what about delegation? With Kerberos double-hop issues it is both SPNs and the delegation to those SPNs that you have to look into. In your scenario, if the account (service account or computer account) running the service on the second server that will be passing the credentials to the third server does not have delegation set up, then Kerberos will fail and the request will fall back on NTLM, which is where you get your double-hop issue.
Can you post the SPNs for all the services involved along with the delegation between them?
Joie Andrew
"Since 1982"
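The two checks asked for in the reply above (the SPNs and the delegation to those SPNs), as an added PowerShell example that is not part of any post in this thread. It assumes svc_sql runs the middle-hop service and that ALEX1004 is the final hop, which the thread does not state; the variable names are illustrative.

```powershell
# Added example: read-only audit of SPN registration and delegation.
# Requires the ActiveDirectory module (RSAT); nothing in AD is changed.
Import-Module ActiveDirectory

# Assumptions (adjust to the real topology): svc_sql runs the middle-hop
# service, and ALEX1004 is the final hop it must delegate to.
$MiddleHopAccount = 'svc_sql'
$BackEndSpns = @(
    'MSSQLSvc/ALEX1004.MyDomain.local',
    'MSSQLSvc/ALEX1004.MyDomain.local:1433'
)

$props = 'servicePrincipalName', 'TrustedForDelegation',
         'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo'
$svc = Get-ADUser -Identity $MiddleHopAccount -Properties $props

# SPNs this account may delegate to (empty when no constrained delegation is set).
$allowed = @($svc.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

$mode = if ($svc.TrustedForDelegation) {
    'Unconstrained'
} elseif ($allowed.Count -gt 0 -and $svc.TrustedToAuthForDelegation) {
    'Constrained, any authentication protocol'
} elseif ($allowed.Count -gt 0) {
    'Constrained, Kerberos only'
} else {
    'None'
}

$report = foreach ($spn in $BackEndSpns) {
    # A true duplicate is the same SPN string held by more than one account.
    # The host-only and host:port forms are different strings, so they do not collide.
    # This search covers the current domain only.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    [pscustomobject]@{
        Spn               = $spn
        RegisteredTo      = ($owners.Name -join ', ')
        Duplicate         = $owners.Count -gt 1
        DelegationAllowed = $svc.TrustedForDelegation -or ($allowed -contains $spn)
    }
}

"Delegation mode for ${MiddleHopAccount}: $mode"
$report | Format-Table -AutoSize
```

A row with DelegationAllowed set to False while the mode is "None" matches the TrustedForDelegation / TrustedToAuthForDelegation values posted earlier in the thread.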