Connect to linked server failed - double hop problem?

  • domenm

    Valued Member

    Points: 65

    Hello,
    I'm having trouble connecting to a remote server via a linked server.

    Here is my configuration:
    A (my workstation, ssms client)
    B middle SQL server (linked server  --> C)
    C target SQL server

    So, when I connect to SQL Server B from my laptop (SSMS) and try to connect (test connection) to linked server C from there, I get the error:

    Here's what I have found so far:
    - If I RDP to server B directly, I can access linked server C with no problem - looks like a typical double-hop Kerberos problem.
    - SELECT net_transport, auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@spid;
        Returns 'TCP' and 'KERBEROS', so my session got Kerberos auth.
    - I'm using Windows authentication. SPNs seem to be registered correctly for the SQL service accounts (B and C).
    setspn -L returns SPNs for the SQL service account:
      MSSQLSvc/*********:1433
      MSSQLSvc/*******.****.com:1433
    - Service accounts are set for unconstrained delegation (selected option "Trust this user for delegation to any service (Kerberos Only)")
    - The user account that is logged on to laptop A has the option "Account is sensitive and cannot be delegated" unchecked
    - Linked server is configured with “Be made using the login’s current security context”

    So, regarding Kerberos, everything seems to be configured correctly, but the connection still doesn't work from my laptop.
    The most interesting thing is that from my coworker's laptop the connection works fine!
    Both laptops use Windows 10, SSMS v 17.9.1, and we both log in with Windows domain accounts.
    If I log in to my coworker's laptop with my username, it works, so it is not related to the user account, but has something to do with some specific settings on my machine. Drivers?

    So, what am I missing here?
    Any ideas would be appreciated! Thanks!
    Regards,
    Domen

  • Super Cat

    SSCertifiable

    Points: 7314

    https://www.microsoft.com/en-gb/download/details.aspx?id=39046

    Try this and see what your problem is. It would seem to be a typical Kerberos issue.
    SPNs, delegation, etc.

  • Super Cat

    SSCertifiable

    Points: 7314

    I believe you load it on the laptop, not the SQL Server.

  • domenm

    Valued Member

    Points: 65

    Hi Super Cat,
    thanks for your reply. We have already tried 'Kerberos Configuration Manager', but it didn't find any issues.
    Actually, we have discovered what was causing the trouble - it was the Windows Defender Credential Guard, which is not compatible with Kerberos unconstrained delegation.
    Please see :
    https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-considerations and also 
    https://www.sqlservercentral.com/Forums/1876883/Linked-Servers-Windows-10-Credential-Guard

    Regards,
    Domen

  • Super Cat

    SSCertifiable

    Points: 7314

    'Windows Defender Credential Guard' Noted.

  • Super Cat

    SSCertifiable

    Points: 7314

    Googled it.
    https://searchenterprisedesktop.techtarget.com/definition/Microsoft-Windows-Defender-Credential-Guard

    Never heard of it. But know about it now.
    Every day is a school day.
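The checks from this thread can be gathered on workstation A in one pass; the script below is an added example, not something posted by the participants. It assumes the RSAT ActiveDirectory module is installed and that the SQL service account on B is an ordinary domain user account; `svc-sql-b` is a placeholder name.

```powershell
# Added example: run on the client workstation (A), not on the SQL Servers.
param(
    [string]$UserName          = $env:USERNAME,
    [string]$SqlServiceAccount = 'svc-sql-b'   # placeholder: account running SQL Server on B
)

# 1. Credential Guard state on this machine.
#    In Win32_DeviceGuard, the value 1 in SecurityServicesConfigured /
#    SecurityServicesRunning stands for Credential Guard.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard
$cgConfigured = $dg.SecurityServicesConfigured -contains 1
$cgRunning    = $dg.SecurityServicesRunning    -contains 1

# 2. Delegation-related flags in Active Directory.
Import-Module ActiveDirectory
$user = Get-ADUser -Identity $UserName -Properties AccountNotDelegated
$svc  = Get-ADUser -Identity $SqlServiceAccount `
                   -Properties TrustedForDelegation, ServicePrincipalNames

# 3. One object per machine, so two laptops can be compared side by side.
$report = [pscustomobject]@{
    Computer                  = $env:COMPUTERNAME
    CredentialGuardConfigured = $cgConfigured
    CredentialGuardRunning    = $cgRunning
    UserMarkedSensitive       = $user.AccountNotDelegated   # "sensitive and cannot be delegated"
    SvcUnconstrainedDeleg     = $svc.TrustedForDelegation   # "delegation to any service"
    SvcSPNs                   = @($svc.ServicePrincipalNames) -join ', '
}
$report | Format-List

# 4. The combination found in this thread: Credential Guard on the client
#    together with unconstrained delegation on the middle server's account.
if ($cgRunning -and $svc.TrustedForDelegation) {
    Write-Warning ("Credential Guard is running on $env:COMPUTERNAME and " +
        "$SqlServiceAccount relies on unconstrained delegation; the second " +
        "hop to the linked server is expected to fail from this client.")
}
```

Running it on both the failing and the working laptop shows whether `CredentialGuardRunning` is the only field that differs.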
