Re: Kerberos w/ SQL and WIN2000
From: Jasper Smith (jasper_smith9@hotmail.com)
Date: 04/17/03
From: "Jasper Smith" <jasper_smith9@hotmail.com>
Date: Wed, 16 Apr 2003 23:09:19 +0100
Have a look at
http://support.microsoft.com/default.aspx?scid=kb;en-us;811889
I've recently been doing some work with Kerberos and SQL for
use in Linked server security delegation and had some problems
but found that when I went back to a clean config and started
from scratch with the SPNs everything worked as advertised.
I found the following KB useful in troubleshooting Kerberos issues
in that the logging allowed me to see that the client couldn't resolve
the SPN for the SQL Server which made me go back and edit the
SPN so that it was in the correct format.
http://support.microsoft.com/default.aspx?scid=kb;en-us;262177
This was in a native mode win2000 AD domain but I don't think
that is a requirement. Kerberos is the default for win2000 and
unless you are trying to use delegation I don't think you have to set
anything up for it to use it. Can you confirm that the server is trusted
for delegation and also the SQL Service account and the command
you used to set the SPN for the service account? If you switch on
security auditing for logon in Windows, if it's not already configured,
you'll be able to see if clients are using Kerberos to connect (that was
the problem I had, Kerberos was failing silently and authentication
dropped down to NTLM but since the connection still worked I didn't
pick it up until I enabled auditing on the client and saw the Kerberos
errors).
--
HTH
Jasper Smith (SQL Server MVP)
I support PASS - the definitive, global community
for SQL Server professionals - http://www.sqlpass.org

"--Charles Johnson" <cjohnson@parmedpharn.com> wrote in message
news:uaSS3kFBDHA.2572@TK2MSFTNGP11.phx.gbl...
> Greetings!!
>
> One of the great selling points Microsoft used in convincing me to move to
> Windows 2000 was that the OS uses a more secure authentication mechanism
> known as Kerberos. Did I hear that wrong?
>
> It appears that in order to use Kerberos, the account running the SQL
> services must be Local system or Domain Admin. Failing that, you need to
> use the SETSPN utility from the resource kit.
>
> Trouble is this: When I added the Service Provider Name using the utility,
> all clients (all 2kPro sp2) could no longer connect, and all received
> "Cannot generate SSPI context" error messages.
>
> NETDIAG shows that everything short of SPN tests are running fine, DNS and
> Domain included. Google shows many, many issues with this error, most
> unresolved.
>
> I'm not looking for a definitive solution, but I would like to hear from
> others with similar environments. Are you running Kerberos authentication or
> NTLM? Did you have to set up the SPN using SETSPN or are you running SQL
> under LA or DA privileges? Do I need to switch my 2k domain for Native to
> get this working?
>
> I appreciate your input!
>
> Thank you
>
> --Charles
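Added example, not part of the original post or thread: a Python check over `setspn -L` listings for the SPN format problem described in the reply above. It assumes TCP/IP connections, where a SQL Server SPN has the form `MSSQLSvc/<FQDN>:<port>`; the account, host and domain names are hypothetical, and the check for one SPN registered on several accounts goes beyond what the post mentions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout printed by `setspn -L <account>`.
# Accounts, hosts and domain are hypothetical.
SAMPLE = """\
Registered ServicePrincipalNames for CN=svc-sql,OU=Services,DC=example,DC=com:
    MSSQLSvc/sql01.example.com:1433
    MSSQLSvc/sql01:1433
    MSSQLSvc/sql02.example.com
Registered ServicePrincipalNames for CN=SQL01,CN=Computers,DC=example,DC=com:
    HOST/sql01.example.com
    MSSQLSvc/SQL01.example.com:1433
"""

HEADER = re.compile(r"^Registered ServicePrincipalNames for (.+):\s*$")

def parse_setspn(text):
    """Return {account DN: [SPN, ...]} from concatenated `setspn -L` listings."""
    accounts, current = defaultdict(list), None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
        elif line.strip() and current:
            accounts[current].append(line.strip())
    return dict(accounts)

def audit_mssql_spns(accounts):
    """Return sorted (spn, problem) findings for MSSQLSvc entries."""
    findings, owners = set(), defaultdict(set)
    for account, spns in accounts.items():
        for spn in spns:
            service, _, rest = spn.partition("/")
            if service.lower() != "mssqlsvc":
                continue  # HOST/, HTTP/ and other classes are out of scope here
            host, _, port = rest.partition(":")
            if "." not in host:
                findings.add((spn, "host is not fully qualified"))
            if not port.isdigit():
                findings.add((spn, "missing or non-numeric TCP port"))
            owners[spn.lower()].add(account)  # SPN matching is case-insensitive
    for spn, accts in owners.items():
        if len(accts) > 1:  # the KDC cannot pick one account for the ticket
            findings.add((spn, "registered on %d accounts" % len(accts)))
    return sorted(findings)

if __name__ == "__main__":
    for spn, problem in audit_mssql_spns(parse_setspn(SAMPLE)):
        print(f"{spn}: {problem}")
```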