We have 2 SQL Server 2008 R2 machines.
A user is running a query on Server A that joins a table in Server B. In the query he is using linked server to point Server B.
User has access to Server B Database in question. He is a db_owner there. but when he runs the query it fails.
Msg 18456, Level 14, State 1, Line 1
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
The linked server's security is set to "Be made using the login's current security context". Since the user has db_owner access to Server B database, I would expect this query work from Server A. It doesn't.
How can give this user access to run this query on Server A.
Thanks for your help.
-
Have you setup kerberos authentication? dba.stackexchange.com/questions/30121/…Hannah Vernon– Hannah Vernon ♦2014年09月10日 20:31:41 +00:00Commented Sep 10, 2014 at 20:31
-
Obviously he is not connecting as him - otherwise the login wouldn't be attempted as NT AUTHORITY\ANONYMOUS LOGIN. I mean, unless he knows the password for that account, and that's who he's logging in as - I suspect his credentials are not being followed through...Aaron Bertrand– Aaron Bertrand2014年09月10日 20:44:53 +00:00Commented Sep 10, 2014 at 20:44
-
Not being followed through because Kerberos authentication is not setup? I seem to recall you must have Kerberos setup for double-hop authentication to work ? Am I wrong?Hannah Vernon– Hannah Vernon ♦2014年09月11日 02:19:09 +00:00Commented Sep 11, 2014 at 2:19
-
TechNet thinks you need SPNs etc for delegation to work between linked servers; technet.microsoft.com/en-us/library/ms189580(v=SQL.105).aspx @Aaron - since I'm certain I'm preaching to the choir here, I can only assume I must be missing something about this. I had linked servers display the Anonymous Login message prior to having Kerberos correctly configured in SQL Server 2005 and 2012.Hannah Vernon– Hannah Vernon ♦2014年09月11日 02:44:48 +00:00Commented Sep 11, 2014 at 2:44
-
1Was reading this. Named Pipes might also solve the problem you are facing. Other than this you must not have the setting "Account is sensitive and cannot be delegated" checked.JoseTeixeira– JoseTeixeira2014年09月11日 09:22:58 +00:00Commented Sep 11, 2014 at 9:22
1 Answer 1
A number of comments asked if Kerberos was configured correctly, but I do not see a direct response to that issue. Based on the comments that you make I suspect Kerberos is not set up correctly.
Greatly simplified description:
If
UserAccountis directly logged ontoServer Athen a linked server toServer Bis one hop away and theUserAccount's authentication will be recognized onServer B. This works with or without Kerberos delegation.Is
UserAccountis directly logged onto his desktop and accessesServer AthenServer Ais one hop away from the desktop and theUserAccount's authentication will be recognized onServer A. However, if from the desktop he runs a query againstServer Athat uses a linked server to accessServer Bthat is two hops away from his desktop. Without Kerberos (or some similar service) theUserAccount's delegation cannot make the second hop and, despite the rights granted onServer B, will not authenticate onServer B.
This is all about how NTLM and Kerberos work. There is a blog from a few years ago that offers some details on Linked Servers and NTLM or Kerberos authentication:
One edited quote is: "In a single-hop setting, windows NTLM authentication, which is available if all machines are windows, is sufficient for delegation; while in a double-hop setting, Kerberos authentication is necessary for the user’s credential to cross machine boundaries from the client to the linked server."
Now, suppose that you do indeed have Kerberos configured properly and still are mystified by the behavior. In that case you might need to check into whether there is a duplicate SPN. If so that will need to be corrected.
The following blog discusses duplicate SPNs and other Kerberos issues: http://blogs.technet.com/b/askds/archive/2013/07/01/interesting-findings-on-setspn-x-f.aspx
Note: Some people just fall back to using Named Pipes instead of TCP/IP, but this is not a recommended solution any more.
Bottom line: Resolve the authentication delegation problem and everything should work.