Re: Using NT Authentication with Linked Server
From: Bala Neerumalla[MSFT] (balnee_at_online.microsoft.com)
Date: 03/01/04
- Next message: Stephen Dybing [MSFT]: "Re: forgotten password"
- Previous message: Trey treys_at_electrasales.net: "illegal operations"
- In reply to: Linda: "Using NT Authentication with Linked Server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 1 Mar 2004 10:31:07 -0800
You are running into a double hop (or delegation) scenario. Here are the
general steps that I posted for some body else, these will apply to your
scenario also
Please check the following configuration steps
1. User trying to connect to SQL Server is not sensitive and can be
delegated (By default all users are not sensitive, so you do not need to set
anything).
2. MDAC version on the client machine should be 2.6 or more.
3. You should setup SPNs for both the SQL Servers(Check SQL documenation on
how to register SPNs for your SQL Service account).
4. Use sp_addlinkedsrvlogin on the first linked server (server B in your
scenario) to impersonate the
clients.
5. Check whether the Service account of the first SQL Server is trusted for
delegation to the Linked Server service. Since your domain is rised to 2003
level, you can use Constrained delegation. If you have the SPN setup for the
account, then you will see a delegation tab in the user account properties
in AD. To start with, set "Trusted for delegation" to all servers and then
tighten it using constrained delegation.
If you configure above steps, you should be fine. If you still face problems
then, check whether Kerberos protocol is woking on both the hops
independently. If you can use Kerberos protocol, then the problem is with
delegation. Then check whether first SQL Server is configured to impersonate
the clients and then check the delegation attributes in AD.
Thanks,
Bala Neerumalla.
-- This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm "Linda" <anonymous@discussions.microsoft.com> wrote in message news:4a3001c3ff9f$a2c5c9a0$a401280a@phx.gbl... > I'm trying to link to a SQL Server 2000 server (A) that > has Windows only authentication from another SQL Server > 2000 (B). I am a System Administrator on both boxes and > we use Active Directory. > When I try to link to A from B, I get an error: > Login failed for user '\null'. Reason: Not associated > with a trusted SQL Server connection. > Server A: Windows 5.2 (from SQL Scan) SQL 2000 SP3 > Server B: Windows 5.2 (from SQL Scan) SQL 2000 SP3 > > Using one Domain account for the connection will not suit > our needs as we have numerous db's/servers and numerous > permissions structures and we want the user to only be > able to do via a linked server what their account has > permissions to do, not what the account used to link the > servers is allowed. > Our users frequently connect via QA and have learned that > if they don't have permissions, go to another server, use > the linked server and voila, they can do what they are not > permitted to do via their own permssions (because the > connecting account has more permissions). > Thanks for your help, > Linda >
- Next message: Stephen Dybing [MSFT]: "Re: forgotten password"
- Previous message: Trey treys_at_electrasales.net: "illegal operations"
- In reply to: Linda: "Using NT Authentication with Linked Server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
