snippetMinor
How to perform the dreaded double hop with linked servers?
Viewed 0 times
theserverswithhopdreadedperformdoublehowlinked
Problem
The situation:
I have SERVER1, SERVER2, ACCESSDB on SERVER3.
I have successfully created a linked server connection from SERVER1 to SERVER3's ACCESSDB.
I want to be able to access the linked server on SERVER1 from SERVER2 (aka the double hop).
When I log into SERVER2 I get the good ol - "dont have permissions" issue when I test the connection. I checked SERVER3 logs and it says the incoming connection is ANONYMOUS. I need to be able to pass some (any) credentials to SERVER3 from SERVER2.
NO, I cannot use a SQL account. I have to use Windows Auth.
Yes, I need to use KERBEROS and set up SPNs. That's where my question comes in. How do I properly set up KERBEROS and delegation?
I want to be able to run
from SERVER2 and have it return 'KERBEROS' and not 'NTLM'.
What specific commands do I need to run to properly set up KERBEROS/SPNs? How do I create this "chain"?
FYI - Both instances are NAMED instances on SQL2008 R2 Standard (x64).
I have SERVER1, SERVER2, ACCESSDB on SERVER3.
I have successfully created a linked server connection from SERVER1 to SERVER3's ACCESSDB.
I want to be able to access the linked server on SERVER1 from SERVER2 (aka the double hop).
When I log into SERVER2 I get the good ol - "dont have permissions" issue when I test the connection. I checked SERVER3 logs and it says the incoming connection is ANONYMOUS. I need to be able to pass some (any) credentials to SERVER3 from SERVER2.
NO, I cannot use a SQL account. I have to use Windows Auth.
Yes, I need to use KERBEROS and set up SPNs. That's where my question comes in. How do I properly set up KERBEROS and delegation?
I want to be able to run
select auth_scheme from sys.dm_exec_connections where session_id=@@SPIDfrom SERVER2 and have it return 'KERBEROS' and not 'NTLM'.
What specific commands do I need to run to properly set up KERBEROS/SPNs? How do I create this "chain"?
FYI - Both instances are NAMED instances on SQL2008 R2 Standard (x64).
Solution
Security Account Delegation
And for SQL Server 2000 but still valid too
Basically
And for SQL Server 2000 but still valid too
Basically
- Configure the server in AD
- Set up the SPN
- Use sp_addlinkedsrvlogin so useself = true
Context
StackExchange Database Administrators Q#3300, answer score: 4
Revisions (0)
No revisions yet.