KERBEROS

  • TRACEY,

    I threw that out there as something else to consider since the 7314 states (either does not exist or current user does not have permission). It looks like Mike had checked the authentication piece pretty closely so a simple misspelling or whatnot seemed something worth checking.

    Thanks for that link to that blog on MSDN. Using that article and Brian's advice I was able to get the double-hop scenario working without incident.

    This was the configuration used; linked server on SQL1 to SQL2:

    [Client1] -> [SQL1] -> [SQL2]

    When you connect from [Client1] to [SQL1] using SQLCMD, what does the authentication type show up as in sys.dm_exec_connections?

    When you connect from [Client1] to [SQL2] using SQLCMD, what does the authentication type show up as in sys.dm_exec_connections?

    Have you verified your SPNs are set up correctly? Configuring Kerberos Authentication
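    The check asked for above, as an added example that is not part of the original thread: it opens an integrated-security connection to each hop and reads back the auth_scheme SQL Server recorded for that session. SQL1 and SQL2 are the thread's placeholder names; the System.Data.SqlClient usage is an assumption about the client tooling.

```powershell
# Added example (not from the thread): report the authentication scheme SQL Server
# recorded for this session on each hop. SQL1/SQL2 are the thread's placeholder
# names; replace them with real host names. Uses Windows integrated authentication.
function Get-SqlAuthScheme {
    param([Parameter(Mandatory)][string]$ServerInstance)

    # Same DMV the thread refers to; @@SPID restricts it to this connection.
    $query = @"
SELECT c.auth_scheme, c.net_transport, s.login_name, s.host_name
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id
WHERE c.session_id = @@SPID;
"@
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$ServerInstance;Integrated Security=SSPI;Database=master;"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            [pscustomobject]@{
                Server       = $ServerInstance
                AuthScheme   = $reader['auth_scheme']    # KERBEROS, NTLM or SQL
                NetTransport = $reader['net_transport']
                LoginName    = $reader['login_name']
                ClientHost   = $reader['host_name']
            }
        }
    }
    finally { $conn.Dispose() }
}

# Check both hops from the client. If the first hop shows NTLM there is no Kerberos
# ticket to delegate, and the linked-server hop arrives as NT AUTHORITY\ANONYMOUS LOGON.
foreach ($s in 'SQL1', 'SQL2') {
    $r = Get-SqlAuthScheme -ServerInstance $s
    $r
    if ($r.AuthScheme -ne 'KERBEROS') {
        Write-Warning "$s authenticated with $($r.AuthScheme); check the MSSQLSvc SPN for this host and port."
    }
}
```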

  • SQL1---SQL2

    On SQL1 when I run my select * from linked...etc statement.

    I'm on the activity window and see the statement ID and see that this produces

    I get

    TCPTSQL19131924504FALSENTLM

    (This is where I'm supposed to see Kerberos instead of NTLM).

    The SPN (might need some more information as I'm not sure what I'm supposed to check in AD.

    Would this be the domain\tracey user I check?) ...

    Okay, it's not working because I do not see Kerberos and it is using NTLM ......hmmm

    Now what have I missed? Got to be the SPN part...

    Reading the other post now....(What domain\user are you using and how did you set this up?)

    SQL Server, AD, linked server part.

    So close I can feel it.

  • I passed the thread to my systems group for the SPN AD part.

    Now if this works and I see Kerberos, I am assuming that now most of the other connections coming in using DOMAIN\Username will be authenticated using Kerberos, which from the threads is quicker as it doesn't have to go back to AD every time; that's got to be better. Wonder if you could measure this to report that transactions are now authenticated quicker. Also, if everything uses Kerberos, are there any problems that could arise that need to be understood?

    Cheers everyone, I think once I have the SPN set up I'm good.

    I read the entire posts and sent them to my team but they have not replied about the SPN.

    I got a little confused - the SPN you set up using the tool SETSPN, and this is the

    name of your SQL Server and the SQL Server account that is running SQL.

    If set up, you'll see this by running SETSPN -L ?

    For user domain\tracey (what do I do special in AD), or is it the SETSPN that needs to be configured?

    Cheers

  • Perhaps this will help:

    Delegation: What It Is And How To Set It Up

    Delegation: More On Service Principal Names

    Kendal Van Dyke
    http://kendalvandyke.blogspot.com/

  • TRACEY,

    I can't add much else that Kendal's blog or Brian's article on Kerberos hasn't covered so have a look at those again.

    Depending on your domain functional level you'll find the delegation setting in one of two places. For Windows 2003, on the Delegation tab. For Windows 2000, on the Account tab.

    Given the following diagram:

    [PC1] -> [SQL1] -> [SQL2][DB1]

    For delegation you would want to change the service account that runs SQL1. Your two choices would be to "trust this user for delegation to any service" or, if you want to be selective and trust for specified services only, add the service account that runs SQL2.

    But first make sure that PC1 can authenticate via KERBEROS to SQL1 and SQL2.

  • Tracey, have your AD administrator PM me and I can discuss it with him/her off-line. Sounds like there's just a simple misunderstanding or misconfiguration going on.

    K. Brian Kelley
    @kbriankelley

  • The two links, Kendal, are not coming up...

  • Ok, I got the links up from Kendal.

    Now from what I'm reading, this is what I've got to go check with the AD people:

    set the SQL Server account and the USER domain\tracey in AD and ensure the following is flagged

    Trust this user for delegation to any service (Kerberos).

    Once that part is done in AD then go to the actual SQL Server and run the settings to set up the

    SPN (which is the SQL Server name).

    Ok, I think some settings are not done.

    Question: when you set to trust this user for delegation = it has to be for both SQL Server and the particular user DOMAIN\tracey. Both must be set.

    Are there any problems in just using (only Kerberos)........i.e. would all connections coming in now use Kerberos if the SQL Server is set?

    Sorry for so many questions guys.

  • How do I PM you ...thanks

  • TRACEY (1/19/2009)

    Ok, I got the links up from Kendal.

    Now from what I'm reading, this is what I've got to go check with the AD people:

    set the SQL Server account and the USER domain\tracey in AD and ensure the following is flagged

    Trust this user for delegation to any service (Kerberos).

    Once that part is done in AD then go to the actual SQL Server and run the settings to set up the

    SPN (which is the SQL Server name).

    Ok, I think some settings are not done.

    Question: when you set to trust this user for delegation = it has to be for both SQL Server and the particular user DOMAIN\tracey. Both must be set.

    Are there any problems in just using (only Kerberos)........i.e. would all connections coming in now use Kerberos if the SQL Server is set?

    Sorry for so many questions guys.

    The user account SQL Server runs under has to be set up with the SPN and with delegation rights.

    A user account which is being delegated (say, an end user) just has to NOT be blocked from delegation in AD. That's what Kendal's article is pointing out.

    K. Brian Kelley
    @kbriankelley
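    The three prerequisites Brian summarises above (SPN on the service account, delegation rights on it, and the end user not blocked from delegation), together with the SETSPN -L question and the "any service" versus "specified services" choice discussed earlier, as one added verification script that is not part of the original thread. It assumes the ActiveDirectory RSAT module and setspn.exe are on the machine; the account, host and port values are placeholders.

```powershell
# Added example (not from the thread): verify the double-hop prerequisites for a
# linked server. Assumes the ActiveDirectory module and setspn.exe are available;
# 'sqlsvc', 'sql1.corp.example' and 'tracey' are placeholders to replace.
Import-Module ActiveDirectory

function Test-SqlDelegationSetup {
    param(
        [Parameter(Mandatory)][string]$ServiceAccount,   # account running SQL1
        [Parameter(Mandatory)][string]$SqlHostFqdn,      # SQL1's fully qualified name
        [int]$Port = 1433,
        [Parameter(Mandatory)][string]$EndUser           # delegated end user
    )
    $result = [ordered]@{}

    # 1. SPN: the service account must hold MSSQLSvc/<fqdn>:<port>.
    #    setspn -L lists what is registered on the account.
    $spns = setspn -L $ServiceAccount 2>&1 | ForEach-Object { $_.ToString().Trim() }
    $expected = "MSSQLSvc/$SqlHostFqdn`:$Port"
    $result.ExpectedSpn   = $expected
    $result.SpnRegistered = ($spns -contains $expected)   # -contains ignores case

    # 2. Delegation on the service account: either "any service" (TrustedForDelegation)
    #    or a constrained list (msDS-AllowedToDelegateTo) that must name SQL2's service.
    $svc = Get-ADUser -Identity $ServiceAccount -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
    $result.TrustedForAnyService = [bool]$svc.TrustedForDelegation
    $result.ConstrainedTargets   = @($svc.'msDS-AllowedToDelegateTo')
    $result.DelegationEnabled    = $result.TrustedForAnyService -or ($result.ConstrainedTargets.Count -gt 0)

    # 3. End user: nothing to grant, but "Account is sensitive and cannot be delegated"
    #    must NOT be set, otherwise the second hop fails.
    $usr = Get-ADUser -Identity $EndUser -Properties AccountNotDelegated
    $result.EndUserDelegatable = -not [bool]$usr.AccountNotDelegated

    $result.ReadyForDoubleHop = $result.SpnRegistered -and $result.DelegationEnabled -and $result.EndUserDelegatable
    [pscustomobject]$result
}

Test-SqlDelegationSetup -ServiceAccount 'sqlsvc' -SqlHostFqdn 'sql1.corp.example' -EndUser 'tracey'
```

A named instance listens on its own port and needs its own MSSQLSvc/<fqdn>:<port> entry, so pass that port rather than the default when checking one.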

  • TRACEY (1/19/2009)


    How do I PM you ...thanks

    Click on my name to the left of the forum and post and you should see a pop-up menu which has an option to send a private message.

    K. Brian Kelley
    @kbriankelley

  • Oh, I didn't know you could do that private messaging....thanks. Let me pass the details to the AD guys and I'll be back to let you know what they have changed or if I need to PM you.

    Cheers

  • Guys

    My linked server setup was working perfectly with KERBEROS and today suddenly my connections from one of the servers failed. I am getting this error again.

    Msg 18456, Level 14, State 1, Line 1

    Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

  • Was it a named instance?

    K. Brian Kelley
    @kbriankelley
