May 30, 2008 at 10:49 am
Hi Everyone.
I am trying to set up a linked server between two 2005 servers.
My application logs in to the source server using SQL Authentication.
I have a Windows login set up on the target server.
How do I map my SQL account on the source server to the Windows account on the target box? I can't seem to get it working. Or can this not be done?
Thanks!
May 30, 2008 at 11:23 am
Windows domain authentication can't chain to more than one computer. What you have to do is use "Be made using the login's current security context.", and then set up "NT AUTHORITY\ANONYMOUS LOGON" as a login and user. MSDN has an article on the subject, but I can't remember the link.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
May 30, 2008 at 12:22 pm
You need to use Kerberos to pass Windows account credetials From client-to-server-to-server. (If that is what you want you should configure the linked server for delegation )
hth
* Noel
May 30, 2008 at 1:54 pm
I would be hesitant to add "NT AUTHORITY\ANONYMOUS LOGON" login to any SQL Server instance.
By doing this, you have essentially granted anyone rights to the information that this login has access to -- you've literally made it public. If you've got it locked down to execute permissions on specific procs, it is better, but setting up delegation is a superior solution.
Kyle
May 30, 2008 at 3:28 pm
My 0.2 cents on this:
If you are starting off connecting through SQL auth, save yourself the heartache and go with it all the way.
Setting up Windows auth double-hop/chaining is not - in my experience - an easy task.
I tried setting up in the past, spent a lot of time (with MS help mind you!) and got nowhere.
As I said, this is based on personal experience. Others may have better feedback on this.
__________________________________________________________________________________
SQL Server 2016 Columnstore Index Enhancements - System Views for Disk-Based Tables[/url]
Persisting SQL Server Index-Usage Statistics with MERGE[/url]
Turbocharge Your Database Maintenance With Service Broker: Part 2[/url]
May 31, 2008 at 7:29 pm
To clarify some things...
Since you are coming in via a SQL Server login, you don't need to set up Kerberos, much less Kerberos delegation. This is required when you come in via a Windows user account and you want to go out through the same Windows user account.
The easiest approach here is SQL Server login through as a SQL Server login. I know credentials allow a SQL Server login to use a Windows login, but I don't believe those can be configured for use with linked servers.
K. Brian Kelley
@kbriankelley
May 31, 2008 at 7:31 pm
GSquared (5/30/2008)
Windows domain authentication can't chain to more than one computer. What you have to do is use "Be made using the login's current security context.", and then set up "NT AUTHORITY\ANONYMOUS LOGON" as a login and user. MSDN has an article on the subject, but I can't remember the link.
This should definitely be avoided. As Kyle indicated, anyone can now effectively come into the SQL Server with whatever permissions you've granted this logon. They don't even have to be an authenticated user on your domain. The security implications of doing this should be obvious.
K. Brian Kelley
@kbriankelley
Viewing 7 posts - 1 through 7 (of 7 total)
You must be logged in to reply to this topic. Login to reply