Linked Servers - setspn - domain account
From: Mike Mortensen (mmortensen_at_#N#O#S#P#A#Mresolutionhealth.com)
Date: 05/24/03
- Previous message: Frank: "SQL Server Connection via VPN"
- Next in thread: Jasper Smith: "Re: Linked Servers - setspn - domain account"
- Reply: Jasper Smith: "Re: Linked Servers - setspn - domain account"
Date: Sat, 24 May 2003 04:35:19 -0000
Hi!
I was successful getting the "double-hop" aka Kerberos delegated
security to function. It all works when I run SQL under LocalSystem.
However, it fails when I try to run SQL Server using a Domain Account.
I've tried setting up the SPN (Service Principal Name) using the
setspn utility, but I don't think I have the syntax correct. It doesn't
help that the BOL syntax is WRONG! It says to use it like:
setspn -A MSSQLSvc/myserver.microsoft.com:1433 MYDOMAIN\sqlsvc
However, this will never work because setspn expects a computername as
the last argument. If I use this:
setspn -A "MSSQLSvc/myserver.microsoft.com:1433 MYDOMAIN\sqlsvc" myserver
the SPN is added to the list of SPNs. But when I try to use this
configuration for delegation, I get that lovely anonymous login failed
message. The workstation does not even get a Kerberos ticket when
connecting to the first server in the chain! (I checked using
kerbtray.exe)
I think the problem is with the setspn command line; I've followed the KB
articles and SQL BOL. All the Servers are Trusted for Delegation.
Domain SQL Service account is Trusted for Delegation. Domain User
account is not restricted from delegation. It all works except when I try
to run SQL Server using a Domain Account, so I'm at a loss. Any ideas?
Thanks in advance!
Mike
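
Added example, not part of the original message: a Python check over `setspn -L` style output that flags an MSSQLSvc SPN whose value is not a plain serviceclass/host:port string, one held by an account other than the one the service runs as, or one held by more than one account. The listing is constructed, the DNs are placeholders, and `parse_listing` and `audit` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed `setspn -L` style listing (not from the post); the DNs are placeholders.
SAMPLE = """\
Registered ServicePrincipalNames for CN=MYSERVER,CN=Computers,DC=mydomain,DC=example:
        MSSQLSvc/myserver.microsoft.com:1433 MYDOMAIN\\sqlsvc
        HOST/myserver.microsoft.com
Registered ServicePrincipalNames for CN=sqlsvc,CN=Users,DC=mydomain,DC=example:
        MSSQLSvc/myserver.microsoft.com:1433
"""

HEADER = re.compile(r"^Registered ServicePrincipalNames for (CN=([^,]+),.*):\s*$")
# serviceclass/host with an optional :port-or-instance suffix; no spaces or backslashes
SPN = re.compile(r"^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(:[A-Za-z0-9_$.-]+)?$")

def parse_listing(text):
    """Return {account CN: [SPN strings]} from setspn -L style output."""
    owners, current = defaultdict(list), None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(2)
        elif current and line.strip():
            owners[current].append(line.strip())
    return dict(owners)

def audit(owners, service_class, service_account):
    """Flag malformed SPNs, SPNs held by the wrong account, and duplicates."""
    findings, holders = [], defaultdict(set)
    for account, spns in owners.items():
        for spn in spns:
            if not SPN.match(spn):
                findings.append(("malformed", account, spn))
                continue
            if spn.lower().startswith(service_class.lower() + "/"):
                holders[spn.lower()].add(account)
                if account.lower() != service_account.lower():
                    findings.append(("wrong-account", account, spn))
    for spn, accounts in holders.items():
        if len(accounts) > 1:
            findings.append(("duplicate", ",".join(sorted(accounts)), spn))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_listing(SAMPLE), "MSSQLSvc", "sqlsvc"):
        print(finding)
```
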