May 19, 2009 at 1:08 pm
I had seen almost the same issue here when a .NET Site was trying to use Integrated security to talk to the Db and it was failing with the same error. Login failed for user Null. Not part of....
The issue was that there was no application pool set up. It had the default application pool and the app was trying to use it. This caused the error. An application pool was created and then the web app started working.
-Roy
July 9, 2010 at 10:29 am
I've actually been working on the "Double-Hop" problem for over a year now, even with help from someone else who had solved it. And I finally came down to a very simple checklist to resolve the issue. It does require someone who has domain admin authority though to grant the permissions and it is for SQL 2005 and up only. Its more complicated for SQL 2000 and I havn't worked it out yet.
Give ServerA and ServerB
1) Have 2 service accounts created. Say SVCServerA and SVCServerB
2) Have them granted read & write servicePrincipalName
3) Assign the service accounts as the startup accounts for the SQL Servers. SVCServerA for ServerA and SVCServerB for ServerB.
4) Restart the SQL Services. This causes an SPN to be created (Service Principal Name).
5) Once this is done there is no a "Delegation" tab in AD. Have both of your services granted "Trust this user for delegation to any service (Kerberos only)".
Now if your security people balk at the "any service" part like mine did they can grant the trust just to the other service account.
IE For SVCServerA grant "Trust this user for delegation to specified services only"/"Use Kerberos only"/SVCServerB and vise versa.
At this point you should be able to hop between ServerA and ServerB freely.
And now for my question
Having granted a trust from SVCServerA to SVCServerB it is resolved to ServerB:Port. When my port number changes (After a reboot say) the trust is still specific to the other port and my double hop stops working. Does anyone know a way around this other than fixing the ports on my SQL Server?
Kenneth FisherI was once offered a wizards hat but it got in the way of my dunce cap.--------------------------------------------------------------------------------For better, quicker answers on T-SQL questions, click on the following... http://www.sqlservercentral.com/articles/Best+Practices/61537/[/url]For better answers on performance questions, click on the following... http://www.sqlservercentral.com/articles/SQLServerCentral/66909/[/url]Link to my Blog Post --> www.SQLStudies.com[/url]
July 9, 2010 at 10:34 am
Nice notes. We'd love this as a one page article, describing the problem, how you solved it, how it works, if you're interested.
In terms of the question, I'm not sure there is a way. From what I know of most of these MS services, they are either a range or ports or a specific port. No dynamic way to handle this stuff other than fix a port.
July 9, 2010 at 12:05 pm
I'll try to get it written up as an article next week. In the mean time maybe you can answer another quick question. If I am going to set my servers as fixed ports do you know what range of ports is safe? I've already had a case where we set it to a fixed port in the 2700 range and after a reboot that port was no longer available.
Kenneth FisherI was once offered a wizards hat but it got in the way of my dunce cap.--------------------------------------------------------------------------------For better, quicker answers on T-SQL questions, click on the following... http://www.sqlservercentral.com/articles/Best+Practices/61537/[/url]For better answers on performance questions, click on the following... http://www.sqlservercentral.com/articles/SQLServerCentral/66909/[/url]Link to my Blog Post --> www.SQLStudies.com[/url]
July 9, 2010 at 12:09 pm
January 6, 2012 at 1:05 pm
OMG! Thank you so much for that reply. I've spent the past week trying to set that linked server up.
Logging on to the server directly was exactly what I needed.
Viewing 6 posts - 31 through 35 (of 35 total)
You must be logged in to reply to this topic. Login to reply