Linked Server... Kerberos on SQL Server with local system service account

  • I'm having trouble with Kerberos trying to run linked servers, getting an SPN issue.  I know that the SPN needs to be registered and then the svc account must have delegation rights... Is that all on the sysadmins? Where do we direct them to change that?

    I have a SQL Server that has a local system account...
    Server name example: psqldb.domain.com

    running:
    setspn -q MSSQLSvc/psqldb.domain.com:1433

    results:
    MSSQLSvc/psqldb.domain.com
    MSSQLSvc/psqldb.domain.com:1433
    RestrictedKrbHost/psqldb.domain.com

    This looks like an SPN is registered on the host... however, when trying to initiate a linked server using AD,
    my credentials to be passed from host psqldb.domain.com to host psqldb-op.domain.com, I'm getting an error.

    Is there something the sysadmin needs to do in AD?   What does he change?
    There isn't an AD service account since SQL Server is using a local account to allow delegation... I'm not a Windows admin so not sure where to look/suggest.

    --------------------------------------------------
    ...0.05 points per day since registration... slowly crawl up to 1 pt per day hopefully 😀

  • My memory may be incorrect, but if I'm not mistaken, for double hop you do need to have an AD account - gMSA or MSA would be the best as there is no need to manage passwords.

    If using a named instance, the SPN is also different - and you either register it manually or need to grant the AD account read/write SPN permissions.

  • sqlsurfing - Tuesday, March 5, 2019 2:38 PM

    I'm having trouble with Kerberos trying to run linked servers, getting an SPN issue.  I know that the SPN needs to be registered and then the svc account must have delegation rights... Is that all on the sysadmins? Where do we direct them to change that?

    I have a SQL Server that has a local system account...
    Server name example: psqldb.domain.com

    running:
    setspn -q MSSQLSvc/psqldb.domain.com:1433

    results:
    MSSQLSvc/psqldb.domain.com
    MSSQLSvc/psqldb.domain.com:1433
    RestrictedKrbHost/psqldb.domain.com

    This looks like an SPN is registered on the host... however, when trying to initiate a linked server using AD,
    my credentials to be passed from host psqldb.domain.com to host psqldb-op.domain.com, I'm getting an error.

    Is there something the sysadmin needs to do in AD?   What does he change?
    There isn't an AD service account since SQL Server is using a local account to allow delegation... I'm not a Windows admin so not sure where to look/suggest.

    The issue depends on the error. Could you please post the full error message?

    Sue

  • Try running Kerberos Configuration Manager for SQL Server to validate your Kerberos settings. You need the MSSQLSvc SPNs registered to the SQL Server machine account in AD (as you're not using a domain service account), and the machine account needs to be trusted for delegation to allow it to delegate the Kerberos ticket to the second host in the double hop. Kerberos Config Manager will check these things for you and provide a script to fix them if issues are found.

    Lastly, using a local system account will not let you authenticate beyond the boundary of that machine, so you will always end up as NT AUTHORITY\ANONYMOUS LOGON; you need to run the SQL Server service as a user who has access beyond the network boundary of that server. NETWORK SERVICE or a domain service account needs to be used to run the SQL instance to allow cross-machine Kerberos authentication.
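The checks the reply above describes (MSSQLSvc SPNs on the computer object, delegation configured for the double hop, and whether the instance actually negotiates Kerberos) can be scripted instead of read off Kerberos Configuration Manager. This is an added example, not code from the thread or from Microsoft's tool; it assumes the RSAT ActiveDirectory module, the SqlServer module for Invoke-Sqlcmd, and read access to the computer object, and uses the thread's host names and port 1433 as placeholders.

```powershell
# Added example: verify SPN and delegation state for a SQL Server that runs as a
# built-in account, so the settings live on the AD computer object.
param(
    [string]$SqlHost    = 'psqldb.domain.com',     # first hop (from the thread)
    [int]$Port          = 1433,
    [string]$TargetHost = 'psqldb-op.domain.com'   # second hop (from the thread)
)

Import-Module ActiveDirectory

$computerName = ($SqlHost -split '\.')[0]
$acct = Get-ADComputer -Filter "Name -eq '$computerName'" `
            -Properties servicePrincipalName, TrustedForDelegation, 'msDS-AllowedToDelegateTo'
if (-not $acct) { throw "Computer object '$computerName' not found in AD" }

# 1. Both SPN forms that setspn -q listed must be on the computer object itself.
$wanted = @("MSSQLSvc/$SqlHost", "MSSQLSvc/${SqlHost}:$Port")
foreach ($spn in $wanted) {
    $status = if ($acct.servicePrincipalName -contains $spn) { 'OK' } else { 'MISSING' }
    "{0,-8} SPN {1}" -f $status, $spn
}

# 2. Delegation. TrustedForDelegation is unconstrained delegation: the host may
#    forward any user's ticket to any service. Constrained delegation limited to
#    the second SQL host's SPN is the least-privilege way to satisfy the double hop.
$targetSpn = "MSSQLSvc/${TargetHost}:$Port"
$allowed   = @($acct.'msDS-AllowedToDelegateTo')
if ($acct.TrustedForDelegation) {
    "WARN     unconstrained delegation enabled on $computerName; prefer constrained delegation"
}
if ($allowed -contains $targetSpn) {
    "OK       constrained delegation permitted to $targetSpn"
} elseif (-not $acct.TrustedForDelegation) {
    "MISSING  no delegation configured from $computerName toward $targetSpn"
}

# 3. What the instance really negotiates for this session. NTLM here means the
#    SPN is not resolving for the client and delegation cannot work at all.
$q = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;'
$scheme = (Invoke-Sqlcmd -ServerInstance $SqlHost -Query $q).auth_scheme
"AUTH     $SqlHost negotiated $scheme for this connection"
```

The script only reads msDS-AllowedToDelegateTo on the first hop; resource-based constrained delegation is recorded on the target computer object instead, so a MISSING result there is not conclusive if that model is in use.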
