Re: Has anyone got delegation to work???

From: Kevin Brooks (jeepnreb_at_yahoo.com)
Date: 08/18/03


Date: Mon, 18 Aug 2003 14:11:53 -0500


Yeah I am trying to set up and it is a PITA. I am still getting --

Server: Msg 18456, Level 14, State 1, Line 1
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

Here is what I have done so far on test servers --
1. Both servers are running only TCP/IP
2. My account has "Account is sensitive and cannot be delegated" cleared
3. Both servers have "Computer is trusted for delegation" checked
4. SQL startup account has "Account is trusted for delegation" checked (same account on both servers)
5. DomainAdmin ran following --
        setspn -A MSSQLSvc/backup1.<domain>.com <domain_here>/<account_here>
        setspn -A MSSQLSvc/backup2.<domain>.com <domain_here>/<account_here>

        --not sure if these are right. Should they be MSSQLService or <domain_here>/<account_here> format
        setspn -A MSSQLSvc/backup1.<domain>.com:1433 MSSQLService
        setspn -A MSSQLSvc/backup2.<domain>.com:1433 MSSQLService

6. --on first server
    exec master..sp_addlinkedserver
           @server = 'backup2'
         , @srvproduct = 'SQL Server'

    exec master..sp_addlinkedsrvlogin
           @rmtsrvname = 'backup2'
         , @useself = 'true'

--on second server
    exec master..sp_addlinkedserver
           @server = 'backup1'
         , @srvproduct = 'SQL Server'

    exec master..sp_addlinkedsrvlogin
           @rmtsrvname = 'backup1'
         , @useself = 'true'

Thanks.

"Jasper Smith" <jasper_smith9@hotmail.com> wrote in message
news:#ECMnoaZDHA.2632@TK2MSFTNGP12.phx.gbl...
> Yes, we use it as the standard for linked servers. It can be a PITA to set
> up, seems harder than it needs to be :-)
> It is very reliant on your domain and name resolution being set up
> correctly. What problems are you encountering?
>
> --
> HTH
>
> Jasper Smith (SQL Server MVP)
>
> I support PASS - the definitive, global
> community for SQL Server professionals -
> http://www.sqlpass.org
>
> "Kevin Brooks" <kbrooks@sagetelecom.net> wrote in message
> news:etSnBC2YDHA.2284@TK2MSFTNGP10.phx.gbl...
> I have been tinkering the past couple of days, with little success. I was
> wondering if it does work for anybody else in a production environment, not
> a test. Thanks.
>
> Kevin
>
>
>
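
An added example, not part of the original thread: a Python check over captured `setspn -L` output that flags `MSSQLSvc/<fqdn>:1433` SPNs for the linked-server hosts that are missing, duplicated, or registered to an account other than the SQL Server startup account. In each of those cases Kerberos authentication to the service fails or falls back to NTLM, which cannot be delegated to the second server. The hostnames, account DNs, sample output and the `parse_setspn`/`audit` helpers are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: `setspn -L <account>` output captured for two accounts.
# Hostnames and account DNs are placeholders, not values from the thread.
SAMPLE = """\
Registered ServicePrincipalNames for CN=sqlsvc,CN=Users,DC=example,DC=com:
        MSSQLSvc/backup1.example.com:1433
        MSSQLSvc/backup1.example.com
        MSSQLSvc/backup2.example.com
Registered ServicePrincipalNames for CN=BACKUP2,CN=Computers,DC=example,DC=com:
        HOST/backup2.example.com
        MSSQLSvc/backup2.example.com:1433
"""

HEADER = re.compile(r"^Registered ServicePrincipalNames for (.+):\s*$")

def parse_setspn(text):
    """Return {spn_lowercase: set(account DNs)} from concatenated setspn -L output."""
    owners, account = defaultdict(set), None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            account = m.group(1)
        elif line.strip() and account:
            # SPNs compare case-insensitively, so normalise before grouping.
            owners[line.strip().lower()].add(account)
    return owners

def audit(text, hosts, service_account, port=1433):
    """List SPN problems for the given SQL Server hosts (FQDNs)."""
    owners, findings = parse_setspn(text), []
    for host in hosts:
        spn = f"mssqlsvc/{host.lower()}:{port}"
        accts = owners.get(spn, set())
        if not accts:
            findings.append((spn, "missing"))        # no ticket can be issued
        elif len(accts) > 1:
            findings.append((spn, "duplicate"))      # SPN must be unique
        elif service_account not in accts:
            findings.append((spn, "wrong-account"))  # not the startup account
    return findings

if __name__ == "__main__":
    for spn, problem in audit(SAMPLE, ["backup1.example.com", "backup2.example.com"],
                              "CN=sqlsvc,CN=Users,DC=example,DC=com"):
        print(f"{problem:14} {spn}")
```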


