Post reply

AGs: Linked Servers and Kerberos

  • July 25, 2025 at 10:44 am

    #4626942

    Hey,

    When connecting SSMS using the AG name, it never works. Creating the linked server returns 'ANONYMOUS LOGON' error when using 'current security context' option.

    And this returns 'NTLM'

    SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@spid

     

    Connecting to the real server instances works fine, and shows 'KERBEROS' for the auth scheme query. But even once they are created, navigating them from the AG name in SSMS fails to return all the catalogs - just returns 'default'.

    Thanks

  • July 25, 2025 at 10:53 am

    #4626947

    you need to setup delegation between the endpoints, the account details have to be delegated to the remote endpoint, first make sure all SPNs are correct, then setup the account delegation

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉

  • July 25, 2025 at 11:00 am

    #4626954

    yeah that's been done:

    source and target SQL use AD domain user for SQL services (though not the same account) - these accounts have appropriate delegation enabled and correct SPNs, including the AGL names. These are what I usually do:

    setspn.exe -s MSSQLSvc/<FQDN>:<Instance Name> <Domain>\<Account Name>

    setspn.exe -s MSSQLSvc/<FQDN>:<Port> <Domain>\<Account Name>

    setspn.exe -s MSSQLSvc/<NetBIOS Name>:<Instance Name> <Domain>\<Account Name>

    setspn.exe -s MSSQLSvc/<NetBIOS Name>:<Port> <Domain>\<Account Name>

    setspn.exe -s MSSQLSvc/<AGL FQDN>:<Port> <Domain>\<Account Name>

    setspn.exe -s MSSQLSvc/<AGL NetBIOS Name>:<Port> <Domain>\<Account Name>

    And it works when connecting to the real server instances from remote SSMS. Just not when using the AGL name.

  • July 25, 2025 at 11:19 am

    #4626970

    download the Kerberos configuration manager tool and run it, it will provide a report of what it finds

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉

  • July 25, 2025 at 6:31 pm

    #4627093

    on top of setting up kerberos delegation - this now needs to be "constrained delegation" - unconstrained will no longer work due to security changes

Viewing 5 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic. Login to reply