Linked Servers - setspn - domain account

From: Mike Mortensen (mmortensen_at_#N#O#S#P#A#Mresolutionhealth.com)
Date: 05/24/03

Date: Sat, 24 May 2003 04:35:19 -0000

Hi!

I was successful getting the "double-hop" aka Kerberos delegated security to function. It all works when I run SQL under LocalSystem. However, it fails when I try to run SQL Server using a Domain Account.

I've tried setting up the SPN (Service Principal Name) using the setspn utility, but I don't think I have the syntax correct. It doesn't help that the BOL syntax is WRONG! It says to use it like:

setspn -A MSSQLSvc/myserver.microsoft.com:1433 MYDOMAIN\sqlsvc

However, this will never work because setspn expects a computername as the last argument. If I use this:

setspn -A "MSSQLSvc/myserver.microsoft.com:1433 MYDOMAIN\sqlsvc" myserver

the SPN is added to the list of SPNs. But when I try to use this configuration for delegation, I get that lovely "anonymous login failed" message. The workstation does not even get a Kerberos ticket when connecting to the first server in the chain! (I checked using kerbtray.exe.)

I think the problem is with the setspn command line; I've followed the KB articles and SQL BOL. All the Servers are Trusted for Delegation. The Domain SQL Service account is Trusted for Delegation. The Domain User account is not restricted from delegation. It all works except when I try to run SQL Server using a Domain Account, so I'm at a loss. Any ideas?

Thanks in advance!

Mike
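
Editor's added example (not part of Mike's post, and written for current Windows tooling rather than the 2003-era utilities he used): a PowerShell script that registers the MSSQLSvc SPNs for a SQL Server instance running as a domain account, rejects an SPN that has the account name quoted into it, checks for duplicate registrations, and confirms from a client that a Kerberos service ticket was actually issued. The host name myserver.mydomain.local, port 1433 and account MYDOMAIN\sqlsvc are assumed placeholders; `setspn.exe -S` needs Windows Server 2008 or later and `klist.exe` needs Windows 7 / Server 2008 R2 or later.

```powershell
# Added example, not from the original post. Registers and verifies the
# MSSQLSvc SPNs for a SQL Server instance running under a domain account.
# Assumed values: host myserver.mydomain.local, port 1433, account MYDOMAIN\sqlsvc.
# Run with rights to write servicePrincipalName on the service account.
param(
    [string]$SqlHost = 'myserver.mydomain.local',   # FQDN of the SQL host (assumed)
    [int]   $Port    = 1433,
    [string]$Account = 'MYDOMAIN\sqlsvc'            # domain service account (assumed)
)

$NetBiosHost = $SqlHost.Split('.')[0]
# SQL Server clients may connect by FQDN or by NetBIOS name; register both so
# either form resolves to a Kerberos ticket instead of falling back to NTLM.
$Spns = @("MSSQLSvc/${SqlHost}:$Port", "MSSQLSvc/${NetBiosHost}:$Port")

# A valid SPN is service/host[:port] with no whitespace. Quoting the account
# name into the SPN string registers a garbage SPN that no client will ever ask for.
foreach ($spn in $Spns) {
    if ($spn -match '\s' -or $spn -notmatch '^MSSQLSvc/[^/\s:]+(:\d+)?$') {
        throw "Malformed SPN '$spn'"
    }
}

# A duplicate SPN (for example the same MSSQLSvc SPN still sitting on the
# computer object from an earlier LocalSystem configuration) leaves the KDC
# unable to choose a key; clients then silently fall back to NTLM and the
# second hop fails with the anonymous-logon error.
foreach ($spn in $Spns) {
    $query = & setspn.exe -Q $spn 2>&1
    if ($query -match 'Existing SPN found') {
        Write-Warning "SPN $spn is already registered elsewhere:`n$($query -join "`n")"
    }
}

# -S refuses to add a duplicate (-A is the older unchecked form). The last
# argument is the principal that owns the SPN: for a service running as a
# domain user that is the user account, not the computer account.
foreach ($spn in $Spns) {
    & setspn.exe -S $spn $Account
    if ($LASTEXITCODE -ne 0) { throw "setspn failed for $spn" }
}

# Show what is now registered on the account, then scan the forest for duplicates.
& setspn.exe -L $Account
& setspn.exe -X

# Client-side check: purge cached tickets first, otherwise an old NTLM session
# is reused and the test proves nothing. Connect to SQL Server by $SqlHost,
# then confirm an MSSQLSvc service ticket is present.
& klist.exe purge | Out-Null
Write-Host "Now open a connection to $SqlHost,$Port from this client, then press Enter."
[void](Read-Host)
$tickets = & klist.exe
if ($tickets -match "MSSQLSvc/$([regex]::Escape($SqlHost))") {
    Write-Host 'Kerberos service ticket for SQL Server present.'
} else {
    Write-Warning ('No MSSQLSvc ticket: the client authenticated with NTLM. ' +
        'Check the SPN, the host name used to connect, DNS, and that the user ' +
        'is not marked "Account is sensitive and cannot be delegated".')
}
```

Two caveats worth knowing before copying this into production. First, "Trusted for Delegation" on a computer or service account, as described in the post, is unconstrained delegation: any user who authenticates to that host hands it a forwardable TGT that the host can use to impersonate them against any service in the domain. Constrained delegation (available from Windows Server 2003 onward) limits the account to a listed set of target SPNs and is the setting to prefer for a linked-server chain. Second, `setspn -X` is cheap to run and the duplicate-SPN case it catches is the most common reason a correctly spelled SPN still yields no Kerberos ticket.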
