Linked Server Double Hop - not working like all others

  • uk00121

    Mr or Mrs. 500

    Points: 575

    Setting up a linked server just like we do throughout the organization and for some reason this one is not behaving.  We are trying to migrate to newer servers/versions, but the project is not ready to move all apps at the same time.  Current linked servers all use local SQL accounts "be made using this security context" which our Security office no longer approves.  We are changing to "be made using the login's current security context" for domain account only.

    ServerA is Windows 2008R2 using SQL 2008 in old domain

    ServerB is Windows 2016 using SQL 2017 in new domain

    Dom1\ServerA linking to Dom2\ServerB - fails with NT Authority\Anonymous error

    Dom2\ServerB linking to Dom1\ServerA - works fine

    SPN registered for both respective service accounts (ServerA:1433 and ServerA.dom1.com:1433)

    Dom1\SA_ServerA set for Kerberos delegation in AD

    Dom2\SA_ServerB set for Kerberos delegation in AD

    Dom1\SA_ServerA has explicit Allow Log on Locally right

    Dom1\SA_ServerA has been made local admin on server as well as sysadmin in SQL for testing.

    AD\User1 confirmed making Kerberos connection, not NTLM (SPN good)

    When remoting onto ServerA, the link works fine (no firewall, good data source), but also single hop

    Two way trust between domains.

    Linked server using local SQL account works for POC (but not allowed as solution)

    Other than SPN and Delegation, where else should/can I be looking?

  • Site Owners

    SSC Guru

    Points: 80376

    Thanks for posting your issue and hopefully someone will answer soon.

    This is an automated bump to increase visibility of your question.
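
The per-hop check that the first post refers to (Kerberos rather than NTLM on the first hop, and the identity that arrives on the second), written out as an added example that is not part of the original thread. The linked server name `[ServerB]` is an assumption. Run it on ServerA from a remote client session, not from a desktop session on ServerA itself, so that the linked-server call is a true second hop.

```sql
-- Added example, not from the original post.
-- Assumption: the linked server on ServerA is named [ServerB].

-- Hop 1 (client -> ServerA): how did the current session authenticate?
-- auth_scheme must read KERBEROS; an NTLM session cannot be delegated.
SELECT  c.session_id,
        s.login_name,
        c.auth_scheme,
        c.net_transport,
        c.client_net_address
FROM    sys.dm_exec_connections AS c
JOIN    sys.dm_exec_sessions    AS s
        ON s.session_id = c.session_id
WHERE   c.session_id = @@SPID;

-- Hop 2 (ServerA -> ServerB): which login and auth scheme does ServerB see?
-- With working delegation this returns the original domain login and KERBEROS.
-- With broken delegation the query fails with the
-- NT AUTHORITY\ANONYMOUS LOGON login error described in the post.
SELECT  *
FROM    OPENQUERY([ServerB],
        'SELECT SUSER_SNAME()   AS login_seen_by_remote,
                c.auth_scheme   AS remote_auth_scheme,
                c.net_transport AS remote_net_transport
         FROM   sys.dm_exec_connections AS c
         WHERE  c.session_id = @@SPID');
```

Running the first query over the same client connection used for the failing linked-server call confirms whether that specific session, rather than a different test connection, is on Kerberos.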
