SQLServerCentral is supported by Redgate
 
Kerberos authentication Issue


CuriousDBA
Recently we changed our Active-Passive cluster to Active-Active (Multi Instance). After this change, some of the users were unable to use double-hop connections from (Server A --> Server B [Linked Server A] --> Client).

I notice some strange behaviour, like some logins supporting double hop only sometimes.

All servers and users are using Windows domain accounts.

We tried to reconfigure the SPN as well as delegation and restarted the SQL service, but double-hop connections are still not working.

Please advise.
Perry Whittle
You created the SPNs for the virtual network name against the SQL Server service account?

-----------------------------------------------------------------------------------------------------------

"Ya can't make an omelette without breaking just a few eggs" ;-)
CuriousDBA
Yes, we have created SPNs for all the servers, including the virtual server name (cluster).

But I am confused about the delegation settings. Do we need to set delegation for all the servers, including the client (client SQL Server), for double hop?

I am trying to access Server A ----> Server B (Linked Server A) ---> Client. Here I am getting this error:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
CuriousDBA
I am trying to access Server A ----> Server B (Linked Server A) ---> Client. It's working, but sometimes I am getting this error:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

We have configured the SPN correctly.

Please advise.
Perry Whittle
CuriousDBA (11/8/2012)
Yes, we have created SPNs for all the servers, including the virtual server name (cluster).

What do you mean, all servers? The only SQL Server SPNs should be the ones created for the virtual network name against the service account.

-----------------------------------------------------------------------------------------------------------

"Ya can't make an omelette without breaking just a few eggs" ;-)
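
An added example, not part of the thread and not any poster's code: a small audit that applies the rule from the last reply (MSSQLSvc SPNs only for the virtual network names, registered against the service account) to an inventory of SPN registrations. It goes one step beyond the thread by also flagging an SPN held by more than one account. The account names, host names and the `EXPECTED` mapping are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed inventory of (account, SPN) pairs, e.g. gathered by running
# `setspn -L <account>` per account. Every name here is hypothetical.
SAMPLE = [
    ("CORP\\svc-sql", "MSSQLSvc/sqlvnn1.corp.example:1433"),
    ("CORP\\svc-sql", "MSSQLSvc/sqlvnn2.corp.example:1433"),
    ("CORP\\NODE1$", "MSSQLSvc/node1.corp.example:1433"),     # physical node
    ("CORP\\svc-old", "MSSQLSvc/sqlvnn2.corp.example:1433"),  # second owner
    ("CORP\\svc-sql", "HTTP/sqlvnn1.corp.example"),           # not a SQL SPN
]
# Assumed mapping: virtual network name -> service account of that instance.
EXPECTED = {"sqlvnn1": "CORP\\svc-sql", "sqlvnn2": "CORP\\svc-sql"}

SPN_RE = re.compile(r"^MSSQLSvc/(?P<host>[^:/]+)(?::.+)?$", re.IGNORECASE)

def audit_spns(registrations, expected):
    """Return sorted (spn, issue) findings for MSSQLSvc registrations."""
    expected = {name.lower(): acct.lower() for name, acct in expected.items()}
    owners = defaultdict(set)
    findings = set()
    for account, spn in registrations:
        match = SPN_RE.match(spn.strip())
        if not match:
            continue  # other service classes are out of scope
        key = spn.strip().lower()
        owners[key].add(account.lower())
        host = match.group("host").lower()
        # Accept either the short name or the FQDN of a virtual network name.
        want = expected.get(host, expected.get(host.split(".")[0]))
        if want is None:
            findings.add((key, "host is not a virtual network name"))
        elif account.lower() != want:
            findings.add((key, f"registered against {account}, not the service account"))
    for key, accounts in owners.items():
        if len(accounts) > 1:
            findings.add((key, f"duplicate: registered on {len(accounts)} accounts"))
    return sorted(findings)

if __name__ == "__main__":
    for spn, issue in audit_spns(SAMPLE, EXPECTED):
        print(f"{spn}: {issue}")
```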