July 25, 2025 at 10:44 am
Hey,
When connecting SSMS using the AG name, it never works. Creating the linked server returns an 'ANONYMOUS LOGON' error when using the 'current security context' option.
And this returns 'NTLM'
SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@spid
Connecting to the real server instances works fine, and shows 'KERBEROS' for the auth scheme query. But even once they are created, navigating them from the AG name in SSMS fails to return all the catalogs - just returns 'default'.
Thanks
July 25, 2025 at 10:53 am
You need to set up delegation between the endpoints; the account details have to be delegated to the remote endpoint. First make sure all SPNs are correct, then set up the account delegation.
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" 😉
July 25, 2025 at 11:00 am
Yeah, that's been done:
Source and target SQL use AD domain user for SQL services (though not the same account) - these accounts have appropriate delegation enabled and correct SPNs, including the AGL names. These are what I usually do:
setspn.exe -s MSSQLSvc/<FQDN>:<Instance Name> <Domain>\<Account Name>
setspn.exe -s MSSQLSvc/<FQDN>:<Port> <Domain>\<Account Name>
setspn.exe -s MSSQLSvc/<NetBIOS Name>:<Instance Name> <Domain>\<Account Name>
setspn.exe -s MSSQLSvc/<NetBIOS Name>:<Port> <Domain>\<Account Name>
setspn.exe -s MSSQLSvc/<AGL FQDN>:<Port> <Domain>\<Account Name>
setspn.exe -s MSSQLSvc/<AGL NetBIOS Name>:<Port> <Domain>\<Account Name>
And it works when connecting to the real server instances from remote SSMS. Just not when using the AGL name.
July 25, 2025 at 11:19 am
Download the Kerberos Configuration Manager tool and run it; it will provide a report of what it finds.
July 25, 2025 at 6:31 pm
On top of setting up Kerberos delegation, this now needs to be "constrained delegation"; unconstrained will no longer work due to security changes.
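The thread's two checks (listener SPNs registered, delegation constrained rather than unconstrained) can be audited together. The PowerShell below is an added example, not code from any poster: the function name `Test-AglDelegation`, the account objects and all host names are constructed, and it assumes the source account's constrained-delegation list is read from the AD attribute `msDS-AllowedToDelegateTo`.

```powershell
# Added example. Every name here (contoso.com, AGL01, SQLNODE1) is a constructed sample.
function Test-AglDelegation {
    param(
        [Parameter(Mandatory)] $SourceAccount,    # account running the SQL service that hosts the linked server
        [Parameter(Mandatory)] $TargetAccount,    # account running the SQL service on the AG replicas
        [Parameter(Mandatory)] [string] $ListenerFqdn,
        [Parameter(Mandatory)] [string] $ListenerNetBios,
        [Parameter(Mandatory)] [int] $Port
    )
    # Listener SPNs in the same form as the setspn commands in the thread.
    $expected   = @("MSSQLSvc/${ListenerFqdn}:$Port", "MSSQLSvc/${ListenerNetBios}:$Port")
    $registered = @($TargetAccount.ServicePrincipalName)
    $allowed    = @($SourceAccount.'msDS-AllowedToDelegateTo')

    [pscustomobject]@{
        # Listener SPNs not registered on the target service account.
        MissingListenerSpns  = @($expected | Where-Object { $registered -notcontains $_ })
        # Listener SPNs absent from the source account's constrained-delegation list.
        NotInDelegationList  = @($expected | Where-Object { $allowed -notcontains $_ })
        # True means the source account is still flagged for unconstrained delegation.
        UnconstrainedEnabled = [bool]$SourceAccount.TrustedForDelegation
    }
}

# Constructed sample objects shaped like Get-ADUser output. For live accounts
# (ActiveDirectory module): Get-ADUser <name> -Properties ServicePrincipalName,
# msDS-AllowedToDelegateTo, TrustedForDelegation
$src = [pscustomobject]@{
    TrustedForDelegation       = $true
    'msDS-AllowedToDelegateTo' = @('MSSQLSvc/SQLNODE1.contoso.com:1433')
}
$tgt = [pscustomobject]@{
    ServicePrincipalName = @(
        'MSSQLSvc/SQLNODE1.contoso.com:1433',
        'MSSQLSvc/AGL01.contoso.com:1433'
    )
}

Test-AglDelegation -SourceAccount $src -TargetAccount $tgt `
    -ListenerFqdn 'AGL01.contoso.com' -ListenerNetBios 'AGL01' -Port 1433 | Format-List
```

With the sample data the report flags the missing NetBIOS listener SPN, both listener SPNs missing from the delegation list, and the unconstrained flag still set on the source account.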