A brief explanation and solution for the Double Hop problem


Kenneth.Fisher
Comments posted to this topic are about the item A brief explanation and solution for the Double Hop problem

Kenneth Fisher
I strive to live in a world where a chicken can cross the road without being questioned about its motives.
--------------------------------------------------------------------------------
For better, quicker answers on T-SQL questions, click on the following...
http://www.sqlservercentral.com/articles/Best+Practices/61537/
For better answers on performance questions, click on the following...
http://www.sqlservercentral.com/articles/SQLServerCentral/66909/

Link to my Blog Post --> www.SQLStudies.com
stevehindmarsh
One comment - 'Dynamic Ports being the default for named instances'. The port is only truly dynamic for the installation of SQL Server - once it's installed, the port number is static and does not change.

So SPNs and Kerberos will work fine with named instances and dynamic ports. You just need to identify the correct port number after installation is complete.



John.Sansom
Kenneth, an excellent effort at covering a challenging topic. Good stuff!

One question I imagine other readers might have, "how would the implementation steps differ, if at all, were both ServerA and ServerB using the same SQL Server Service Account?".


John Sansom (@sqlBrit) | www.johnsansom.com
george sibbald
Kenneth, thanks for the article. Couple of points: are you sure the SQL restart is necessary to get this working, and the error you will often see returned with the double hop scenario is 'cannot generate SSPI context'.

Here's another good source on Kerberos, linked servers and double hop

http://blogs.msdn.com/b/sql_protocols/archive/2006/08/10/694657.aspx.

Has anyone got this working when the first hop is to SQL Server and the second to AD itself (i.e. an ADSI linked server set up)?

---------------------------------------------------------------------
David Jackson
Kenneth

Very good article. A succinct way to get this to go.

For those that want a bit more depth, Brian Kelly wrote a good article at http://www.sqlservercentral.com/articles/Security/65169/

HTH

Dave J


http://glossopian.co.uk/
"I don't know what I don't know."
Franky Leeuwerck
Thanks for this brief overview!
Franky

Franky L.
nico van niekerk
stevehindmarsh (12/9/2011)
One comment - 'Dynamic Ports being the default for named instances'. The port is only truly dynamic for the installation of SQL Server - once it's installed, the port number is static and does not change.

So SPNs and Kerberos will work fine with named instances and dynamic ports. You just need to identify the correct port number after installation is complete.


Not true. What you are referring to is that SS will try to reuse the current dynamic port, it never becomes 'static'. If it's available it will use it again. If it has been grabbed by another application, it will renegotiate, FTP-style, a new port. It is especially true if one restarts the SS service, or takes the server off-line.
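
The port and authentication questions raised in the replies above can be checked on the instance itself. The T-SQL below is an added example, not part of any post in this thread or of the article; the host name in `@fqdn` is a placeholder assumption.

```sql
-- Added example. Requires VIEW SERVER STATE; sys.dm_server_registry is
-- available from SQL Server 2008 R2 SP1 onwards.

-- Assumption: placeholder host name, replace with the server's own FQDN.
DECLARE @fqdn nvarchar(255) = N'serverb.example.com';

-- 1. How the instance is configured to pick its TCP port.
--    TcpPort set, TcpDynamicPorts blank -> fixed port.
--    TcpDynamicPorts = 0 or a number    -> dynamic; the number is the port
--    last assigned and is not guaranteed to survive a service restart.
SELECT value_name,
       CAST(value_data AS nvarchar(20)) AS configured_value
FROM sys.dm_server_registry
WHERE registry_key LIKE N'%SuperSocketNetLib\Tcp\IPAll'
  AND value_name IN (N'TcpPort', N'TcpDynamicPorts');

-- 2. What the current connection actually negotiated.
--    auth_scheme = KERBEROS is required for delegation to a second hop;
--    NTLM means the SPN lookup failed or no matching SPN was found.
--    local_tcp_port is NULL for shared-memory or named-pipe connections,
--    so run this from a remote client over TCP.
SELECT c.auth_scheme,
       c.net_transport,
       c.local_tcp_port,
       N'MSSQLSvc/' + @fqdn + N':'
           + CAST(c.local_tcp_port AS nvarchar(10)) AS spn_to_look_for
FROM sys.dm_exec_connections AS c
WHERE c.session_id = @@SPID;
```

Run it before and after a service restart: if `local_tcp_port` changes, an SPN registered with the old port no longer matches. The `spn_to_look_for` value can be compared with the SPNs listed for the service account by `setspn -L <account>`.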
Kenneth.Fisher
John.Sansom (12/9/2011)
Kenneth, an excellent effort at covering a challenging topic. Good stuff!

One question I imagine other readers might have, "how would the implementation steps differ, if at all, were both ServerA and ServerB using the same SQL Server Service Account?".


While I have to admit I have never tried it, my understanding is that each instance of SQL Server must have a different service account for this to work.
