A brief explanation and solution for the Double Hop problem
osgcurt (Grasshopper, 20 points)
My problem as a consultant is finding an AD admin that even knows what an SPN is, much less understanding how they work with applications like MSCRM, Share Point and Business Portal.

Sometimes I do not see an SPN for the default instance but there are SPNs for subsequent instances. It's the result of using accounts for the services that do not have the right to create the attributes in the LDAP database.
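One way to see exactly the situation described above (a default instance with no SPN while the named instances do have theirs), as an added example that is not code posted in this thread: a Windows PowerShell script that builds the SPN set Microsoft documents for a default and a named instance, asks Active Directory which object holds each one, and then asks the instance which authentication scheme a connection actually negotiated. It goes a little beyond the post by also flagging SPNs that are duplicated or registered on the wrong account, both of which break Kerberos just as surely as a missing one. It assumes the RSAT ActiveDirectory module and the System.Data.SqlClient provider, both present on a domain-joined admin workstation; the host, port, instance and account names are placeholders.

```powershell
# Added example for this thread, not code posted by anyone in it.
# Requires Windows PowerShell with the RSAT ActiveDirectory module on a
# domain-joined machine. Host, port, instance and account names are placeholders.
Import-Module ActiveDirectory

function Get-ExpectedSqlSpn {
    # Returns the SPNs a SQL Server instance registers at startup when its
    # service account is allowed to: the port form for every instance, plus the
    # bare MSSQLSvc/<fqdn> form for the default instance or the
    # MSSQLSvc/<fqdn>:<instance> form for a named instance.
    param(
        [Parameter(Mandatory)] [string] $Fqdn,     # e.g. sql01.corp.example.com
        [int]    $Port = 1433,
        [string] $InstanceName = ''                # '' = default instance
    )
    $spns = @("MSSQLSvc/${Fqdn}:${Port}")
    if ($InstanceName -eq '') { $spns += "MSSQLSvc/${Fqdn}" }
    else                      { $spns += "MSSQLSvc/${Fqdn}:${InstanceName}" }
    return $spns
}

function Test-SqlSpn {
    # For each expected SPN, finds every AD object that carries it. Kerberos
    # needs exactly one holder, and it must be the account the service runs as.
    # MISSING means clients silently fall back to NTLM, which cannot be
    # delegated, so the second hop of a double hop fails.
    param(
        [Parameter(Mandatory)] [string]   $ServiceAccount,  # sAMAccountName; 'SQL01$' for a computer account
        [Parameter(Mandatory)] [string[]] $ExpectedSpn
    )
    $acct = Get-ADObject -LDAPFilter "(sAMAccountName=$ServiceAccount)" -Properties servicePrincipalName
    if (-not $acct) { throw "Account '$ServiceAccount' not found in AD" }
    foreach ($spn in $ExpectedSpn) {
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
        $status = if ($holders.Count -eq 0) { 'MISSING' }
                  elseif ($holders.Count -gt 1) {
                      'DUPLICATE on ' + (($holders | Select-Object -ExpandProperty Name) -join ', ')
                  }
                  elseif ($holders[0].DistinguishedName -ne $acct.DistinguishedName) {
                      'WRONG ACCOUNT: ' + $holders[0].Name
                  }
                  else { 'OK' }
        [pscustomobject]@{ SPN = $spn; Status = $status }
    }
}

function Get-SqlAuthScheme {
    # Opens an integrated-auth connection and asks SQL Server which scheme it
    # really negotiated. 'KERBEROS' means the SPN resolved; 'NTLM' means it did
    # not (or the client connected by IP address or an alias that matches no SPN).
    param([Parameter(Mandatory)] [string] $ServerInstance)
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$ServerInstance;Integrated Security=SSPI")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        return [string]$cmd.ExecuteScalar()
    } finally { $conn.Dispose() }
}

# Placeholder values: a default instance on 1433 and a named instance REPORTING
# on 49152, both running as the domain account svc_sql01.
$expected  = Get-ExpectedSqlSpn -Fqdn 'sql01.corp.example.com'
$expected += Get-ExpectedSqlSpn -Fqdn 'sql01.corp.example.com' -Port 49152 -InstanceName 'REPORTING'
Test-SqlSpn -ServiceAccount 'svc_sql01' -ExpectedSpn $expected | Format-Table -AutoSize
Get-SqlAuthScheme -ServerInstance 'sql01.corp.example.com'
```

Run it from the machine that makes the first hop (the web or application server) rather than from the SQL box itself: a local connection can succeed over Kerberos while the remote one falls back to NTLM, and it is the remote result that decides whether the double hop works.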
Kenneth Fisher (SSCertifiable, 6377 points)
ALZDBA (12/13/2011)
Just today I've seen a tweet pointing to a delegation troubleshooting blog:

http://blogs.msdn.com/b/sqlserverfaq/archive/2011/12/12/troubleshooting-kerberos-delegation-using-delegconfig.aspx

Unless I'm missing something it looks more like an advertisement for something called DelegConfig. I don't know anything about the tool or its usefulness though.

Kenneth Fisher
I strive to live in a world where a chicken can cross the road without being questioned about its motives.
--------------------------------------------------------------------------------
For better, quicker answers on T-SQL questions, click on the following... http://www.sqlservercentral.com/articles/Best+Practices/61537/
For better answers on performance questions, click on the following... http://www.sqlservercentral.com/articles/SQLServerCentral/66909/
Link to my Blog Post --> www.SQLStudies.com
Greg Edwards-268690 (SSCarpal Tunnel, 4276 points)
osgcurt (12/29/2011)
My problem as a consultant is finding an AD admin that even knows what an SPN is, much less understanding how they work with applications like MSCRM, Share Point and Business Portal.

Sometimes I do not see an SPN for the default instance but there are SPNs for subsequent instances. It's the result of using accounts for the services that do not have the right to create the attributes in the LDAP database.

I would expect, as a consultant, you would be able to 'guide' any domain administrator with setting this up.
That 'problem' might be part of why someone might use a consultant.
Don't complain too loudly about this. :-D

Very few accounts have the ability to write information to AD.
And running a service under an account that can do this might open up some security holes.
Not a best practice.
NT Authority System comes to mind, along with SQL Injection.
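The least-privilege answer to the point above, as an added example that is not code from the thread: instead of running SQL Server as an account with general write access to Active Directory, a directory admin grants the service account's own object a single attribute-scoped right, Read and Write on servicePrincipalName for NT AUTHORITY\SELF, which is what Microsoft documents for a domain user account that should register its own MSSQLSvc SPNs at startup. The Windows PowerShell below does that grant and verifies it landed; it assumes the RSAT ActiveDirectory module, is run once by someone allowed to edit the account's ACL, and the account name is a placeholder. The comment at the end shows the other option, which touches no ACL at all: the admin registers the SPNs by hand with setspn -S.

```powershell
# Added example for this thread (not code posted in it). Needs the RSAT
# ActiveDirectory module and must be run once by someone allowed to edit the
# service account's ACL. Account and host names are placeholders.
Import-Module ActiveDirectory

function Get-SpnAttributeGuid {
    # schemaIDGUID of the servicePrincipalName attribute, read from the schema so
    # nothing is hard-coded. Attribute-scoped ACEs reference attributes by this GUID.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=servicePrincipalName)' -Properties schemaIDGUID
    return [guid]$attr.schemaIDGUID
}

function Grant-SelfSpnWrite {
    # Grants NT AUTHORITY\SELF Read + Write on the servicePrincipalName attribute
    # of the service account's own object, and nothing else. The account can then
    # register MSSQLSvc SPNs on itself at service start but gains no write access
    # to any other object or attribute in the directory.
    param([Parameter(Mandatory)] [string] $ServiceAccount)

    $acct = Get-ADObject -LDAPFilter "(sAMAccountName=$ServiceAccount)"
    if (-not $acct) { throw "Account '$ServiceAccount' not found" }
    $path = "AD:\$($acct.DistinguishedName)"

    $self   = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-10')   # well-known SID for SELF
    $rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
    $ace    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                  $self, $rights,
                  [System.Security.AccessControl.AccessControlType]::Allow,
                  (Get-SpnAttributeGuid))

    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Test-SelfSpnWrite {
    # $true when an Allow ACE for SELF carrying WriteProperty scoped to the
    # servicePrincipalName attribute is present on the account object.
    param([Parameter(Mandatory)] [string] $ServiceAccount)
    $acct = Get-ADObject -LDAPFilter "(sAMAccountName=$ServiceAccount)"
    if (-not $acct) { throw "Account '$ServiceAccount' not found" }
    $guid = Get-SpnAttributeGuid
    $acl  = Get-Acl -Path "AD:\$($acct.DistinguishedName)"
    $hit  = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
        $_.ObjectType -eq $guid -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0)
    }
    return [bool]$hit
}

# Placeholder account. After the grant, restart the SQL Server service so it
# registers its own SPNs; the SQL Server errorlog reports whether that succeeded.
Grant-SelfSpnWrite -ServiceAccount 'svc_sql01'
Test-SelfSpnWrite  -ServiceAccount 'svc_sql01'

# The alternative that changes no ACL: a directory admin registers the SPNs by
# hand. -S (unlike -A) refuses to add an SPN already present on another account.
#   setspn -S MSSQLSvc/sql01.corp.example.com:1433 CORP\svc_sql01
#   setspn -S MSSQLSvc/sql01.corp.example.com      CORP\svc_sql01
```

Whichever route you take, the service account never needs membership in any admin group, and an instance running as NT AUTHORITY\SYSTEM gets its SPNs registered under the computer account automatically, which is why that configuration "just works" and also why an injection that reaches xp_cmdshell on such an instance runs as the operating system.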
Greg Edwards-268690 (SSCarpal Tunnel, 4276 points)
Kenneth.Fisher (12/29/2011)
ALZDBA (12/13/2011)
Just today I've seen a tweet pointing to a delegation troubleshooting blog:

http://blogs.msdn.com/b/sqlserverfaq/archive/2011/12/12/troubleshooting-kerberos-delegation-using-delegconfig.aspx

Maybe you should take a closer look. I think you are missing something.
osgcurt (Grasshopper, 20 points)
Yes, I've seen that enough as well. I see both sides of the security mirror. Often I've been in an IT department with very experienced folks and DBAs and they tell me they have never heard of delegation issues. I blame the "VENDOR" for not educating the professionals.

Some of the deployment guides are very general and scanty. A friend of mine, Mark gives a great talk on Windows Logins which is way past the "logging into the machine" stage.

He is way into the packet area of the subject.
A few years back, we had many double hop Kerberos issues on SQL based application servers.
His talks really helped me understand the issues.

Seems I learn something new every day from someone here or some place else.
Kenneth Fisher (SSCertifiable, 6377 points)
In my opinion one of the largest problems DBAs have with server level security (Kerberos, Service Account permissions etc) is that it is "Server Level", meaning it's outside of SQL Server. Most DBAs I've met over the years have no interest in learning anything that isn't directly part of SQL. If it can't be updated using the SQL Server toolset then they don't want to mess with it. That is something for the "server guy/team".

Then on the other side, the server support people generally have no interest in learning (and probably with better justification) what the SQL Servers/Service Accounts need by way of security.

Because of that you only have the rare DBA who started as a server admin, or who becomes a server admin that will actually understand both sides of the puzzle. This of course means that what documentation there is, is directed to the server admins, and is much harder to understand for us poor DBAs.

When I went to the PASS Summit there was a session I had looked forward to seeing called "Windows Operating Systems Internals for Database Pros" by Brian Kelly. Unfortunately it was canceled. One of these days when I have some free time I'll have to see if he has it online somewhere.
osgcurt (Grasshopper, 20 points)
I have a very intelligent friend who is a Server/systems/directory MVP.
At the MVP summit he made a comment, to me and one of the SQL MVPs, that MSSQL is just like a spreadsheet.
We looked at him with disbelief. No WAY. My happenstance came from doing system and database work starting in the DBASE III Plus days and JCL/IBM QUERY on AS/400s. Getting the data processed and delivered seems like a logical pair like cooking the meal and serving it.

So I have often wondered why it was separated? We have better tools than ever to do it. But I guess I'm just an odd one out.