RE: Windows Authentication in a NT domain vs in an Active Director
From: Peter (Peter_at_discussions.microsoft.com)
Date: 02/25/05
- Next message: Riki: "All users can start and stop SQL Server?"
- Previous message: Peter: "Re: Logins created by default"
- In reply to: Kevin McDonnell [MSFT]: "RE: Windows Authentication in a NT domain vs in an Active Director"
- Next in thread: Kevin McDonnell [MSFT]: "RE: Windows Authentication in a NT domain vs in an Active Director"
- Reply: Kevin McDonnell [MSFT]: "RE: Windows Authentication in a NT domain vs in an Active Director"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 24 Feb 2005 19:47:02 -0800
Hi Kevin,
1. Does an SPN exist for a Windows 2000 server or Windows XP machine in a
Windows NT domain? How about in a Windows 2000 domain without Active
Directory?
2. How do I use setspn.exe to create and list SPNs for an instance of SQL
Server (e.g. the server instance is PETER\TEST1, the domain name is W2KDOMAIN, and the SQL
Server service is using W2KDOMAIN\PETER to start the service)?
3. Same as #2, except the SQL Server service is using the local system account to
start the service.
Thanks.
"Kevin McDonnell [MSFT]" wrote:
> Yes. This is true. Clients capable of Kerberos will attempt to connect via
> Kerberos to SQL Server if you're using Windows Authentication.
> If the Kerberos attempt fails, the client will use NTLM. We don't log
> anything in SQL to tell you that the connection was made via Kerberos or
> NTLM.
>
> Yes. Security Delegation is an option to allow credentials to be passed
> from one machine to another. This was not possible in an NT 4 domain. The
> typical scenario where this is used is a Web Server application that
> connects to SQL via Trusted Authentication. The web client is able to
> authenticate to IIS via Kerberos, and then make a Kerberos connection to
> SQL using the client credentials. The SQL Server has to have the SPN set
> by a Domain Admin in order for this to work correctly.
>
>
> Thanks,
>
> Kevin McDonnell
> Microsoft Corporation
>
> This posting is provided AS IS with no warranties, and confers no rights.
>
>
>
>
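The SPN requirement described in the quoted reply can be checked before anything is registered. The following is an added example, not part of the original posts and not Microsoft's own script: it lists the SPNs on the account named in the question and reports whether the expected `MSSQLSvc` entry is present. The host FQDN and the TCP port are assumptions, because the thread gives neither, and passing a `DOMAIN\user` name to `setspn -L` assumes a setspn version that accepts that form.

```powershell
# Added example: audit MSSQLSvc SPN registration for the instance in the question.
# Assumed values (not on the page): the host FQDN and the TCP port of the instance.
$Account  = 'W2KDOMAIN\PETER'          # service account from the question
$HostFqdn = 'peter.w2kdomain.example'  # assumed FQDN of the server PETER
$Port     = 1433                       # assumed TCP port of instance TEST1

function Get-RegisteredSpn {
    param([string]$Principal)
    # setspn -L prints one header line, then one indented SPN per line.
    $out = & setspn.exe -L $Principal 2>&1
    if ($LASTEXITCODE -ne 0) { throw "setspn -L failed for ${Principal}: $out" }
    $out | Where-Object { $_ -match '^\s+\S+/\S+' } | ForEach-Object { "$_".Trim() }
}

function Test-SqlSpn {
    param([string]$Principal, [string]$Fqdn, [int]$TcpPort)
    $expected   = "MSSQLSvc/${Fqdn}:$TcpPort"
    $registered = @(Get-RegisteredSpn -Principal $Principal)
    # -contains compares strings case-insensitively, which suits SPN matching.
    if ($registered -contains $expected) {
        "OK: $expected is registered on $Principal"
    } else {
        "MISSING: $expected is not registered on $Principal"
        "  A Domain Admin can add it with: setspn -A $expected $Principal"
    }
}

# Case 2 in the question: the service runs as a domain account.
Test-SqlSpn -Principal $Account -Fqdn $HostFqdn -TcpPort $Port

# Case 3 in the question: the service runs as Local System, so the SPN
# belongs on the computer account (PETER) instead of a user account.
Test-SqlSpn -Principal 'PETER' -Fqdn $HostFqdn -TcpPort $Port
```

An SPN registered on the wrong account, or on two accounts at once, makes the Kerberos attempt fail and the client fall back to NTLM as described in the quoted reply, so only one of the two checks should report the entry.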