Linked Servers using Windows Authentication

%3CLINGO-SUB%20id%3D%22lingo-sub-3359190%22%20slang%3D%22en-US%22%3ELinked%20Servers%20using%20Windows%20Authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3359190%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20several%20SQL%20Server%20Systems%20located%20in%20different%20areas.%26nbsp%3B%20My%20job%20involves%20creating%20reports%20that%20can%20come%20from%20any%20of%20our%20servers.%26nbsp%3B%20The%20system%20we%20use%20for%20automating%20these%20reports%20only%20allow%20for%201%20connection%20to%20SQL%20Server%20so%20I've%20created%20Views%20on%20our%20local%20Server%20that%20pulls%20data%20from%20the%20other%20SQL%20Servers%20using%20linked%20Servers.%26nbsp%3B%20However%2C%20I'm%20having%20a%20problem%20with%201%20Server%20the%20connection%20keeps%20failing.%26nbsp%3B%20That%20Server%20uses%20windows%20authentication%20and%20I%20have%20no%20problem%20connecting%20through%20SSMS%20but%20the%20linked%20server%20connection%20Fails%20saying%20the%20Login%20Failed%20for%20user%20NT%20AUTHORITY%5CANONYMOUS%20LOGIN.%26nbsp%3B%20But%20I've%20specified%20to%20use%20my%20windows%20login.%26nbsp%3B%20Anybody%20have%20any%20thoughts%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3361931%22%20slang%3D%22en-US%22%3ERe%3A%20Linked%20Servers%20using%20Windows%20Authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3361931%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1256633%22%20target%3D%22_blank%22%3E%40RayMilhon%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYes%2C%20this%20behaviour%20is%20normal%20and%20commonly%20encountered%20in%20three%20tier%20(or%20more)%20architectures.%20What%20you'd%20be%20looking%20to%20configure%20is%20something%20called%20Kerberos%20Constrained%20Delegation%20(or%20KCD%20for%20short.)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EKCD%20is%20a%20Windows%20concept%20(a%20bit%20simplified%20there%2C%20but%20let's%20stick%20to%20the%20Microsoft%20context)%2C%20not%20an%20SQL%20concept%2C%20and%20you'll%20find%20it's%20frequently%20mentioned%20in%20the%20IIS%2Fweb%20server%20context.%20That%20said%2C%20because%20it's%20a%20Windows%20concept%2C%20the%20documentation%20on%20how%20to%20configure%20it%20is%20the%20same%20for%20SQL%20Server.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHere's%20a%20short%20version%20of%20what's%20different%20between%20your%20SMSS%20test%20scenario%20and%20your%20production%20scenario.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3ESMSS%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3ESMSS%20only%20involves%20a%20single%20hop%20for%20authentication%20as%20your%20Kerberos%20ticket%20is%20created%20on%20the%20SQL%20host%20itself.%20Single%20hops%20just%20work%20out%20of%20the%20box%2C%20which%20is%20why%20your%20linked%20server%20definition%20works%20when%20using%20SMSS%2C%20since%20it's%20only%20then%20the%20single%20hop%20from%20the%20SQL%20host%20to%20the%20remote%20SQL%20host%20linked%20via%20the%20linked%20server%20definition.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EProduction%20scenario%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EYour%20production%20scenario%20is%20different%2C%20since%20it%20involves%20two%20hops%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3COL%3E%3CLI%3EFrom%20the%20application%20host%20to%20your%20central%20SQL%20Server%3B%3C%2FLI%3E%3CLI%3EFrom%20the%20central%20SQL%20Server%20to%20the%20remote%20SQL%20Server%20server(s)%20at%20the%20other%20end%20of%20the%20linked%20server%20definitions.%3C%2FLI%3E%3C%2FOL%3E%3CP%3E%3CBR%20%2F%3EAnd%20this%20is%20where%20KCD%20comes%20in%2C%20and%20without%20it%20-%20and%20it's%20%22off%22%20by%20default%20-%20your%20Kerberos%20ticket%20created%20on%20the%20application%20host%20only%20makes%20it%20as%20far%20as%20the%20central%20SQL%20Server%20host%20(i.e.%20point%201.)%20Because%20the%20central%20host%20is%20not%20permitted%20to%20pass%20that%20ticket%20to%20the%20remote%20SQL%20host%2C%20you%20run%20into%20the%20%22anonymous%22%20authentication%20issue%20you've%20mentioned.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBy%20enabling%20KCD%20(involves%20configuration%20of%20both%20the%20SQL%20Server%20database%20service%20account%20as%20well%20as%20the%20account%20being%20used%20by%20the%20application%20host%20to%20log%20into%20the%20central%20SQL%20Server)%2C%20you're%20providing%20%22approval%22%20for%20the%20central%20SQL%20Server%20host%20to%20take%20the%20application%20host's%20Kerberos%20ticket%20and%20forward%20it%20along%20to%20the%20remote%20SQL%20Server%20host%2C%20thereby%20completing%20the%20second%20hop%20and%20resolving%20your%20%22anonymous%22%20authentication%20issue.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHere's%20some%20additional%20reading%20that%20covers%20the%20concepts%20and%20action%20items.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CUL%3E%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fask-the-directory-services-team%2Funderstanding-kerberos-double-hop%2Fba-p%2F395463%22%20target%3D%22_blank%22%3EUnderstanding%20Kerberos%20Double%20Hop%20-%20Microsoft%20Tech%20Community%3C%2FA%3E%3C%2FLI%3E%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Ftroubleshoot%2Fwindows-server%2Fidentity%2Fconfigure-kerberos-constrained-delegation%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EHow%20to%20configure%20Kerberos%20Constrained%20Delegation%20for%20Web%20Enrollment%20proxy%20pages%20-%20Windows%20Server%20%7C%20Microsoft%20Docs%3C%2FA%3E%26nbsp%3B(IIS-based%20but%20relevant%3B%20just%20remember%20to%20use%20the%20MSSQLSvc-based%20servicePrincpalName%20values)%3B%3C%2FLI%3E%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Fdatabase-engine%2Fconfigure-windows%2Fregister-a-service-principal-name-for-kerberos-connections%3Fview%3Dsql-server-ver15%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ERegister%20a%20Service%20Principal%20Name%20for%20Kerberos%20Connections%20-%20SQL%20Server%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20short%20though%2C%20you%20want%20to%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3COL%3E%3CLI%3EEnable%20KCD%20on%20the%20service%20account%20for%20the%20SQL%20Server%20database%20service%20on%20the%20central%20SQL%20Server%20(not%20the%20remote%20hosts%20from%20the%20other%20end%20of%20the%20linked%20server%20definitions%20-%20nothing%20should%20be%20done%20for%20these).%20Make%20sure%20you%20enable%20protocol%20transitioning%20by%20selecting%20the%20%22Use%20nay%20authentication%20method%22%20option%20(as%20shown%20in%20the%20IIS%20article%20from%20above%20in%20%22scenario%201%2C%20step%202%22)%3B%3C%2FLI%3E%3CLI%3EConfigure%20the%20account%20used%20by%20the%20application%20host%20to%20be%20allowed%20to%20delegate%20to%20the%20various%20%22MSSQLSvc%2F%22%20servicePrincipalName%20values%20(as%20seen%20in%20the%20IIS%20article%2C%20scenario%202%2C%20section%201%3A%20configure%20the%20delegation%22.)%3C%2FLI%3E%3C%2FOL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBe%20aware%20that%20if%20the%20central%20SQL%20Server%20and%2For%20the%20application%20host%20are%20using%20a%20credential%20such%20as%20%22Network%20Service%22%2C%20%22LocalSystem%22%2C%20%22SYSTEM%22%2C%20etc.%20then%20these%20built-in%20references%20resolve%20back%20to%20the%20actual%20computer%20account%20within%20Active%20Directory.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20example%2C%20if%20my%20central%20SQL%20Server%20is%20named%20SQL01%20and%20my%20application%20host%20is%20named%20APP01%2C%20and%20they%20both%20operate%20under%20the%20%22Network%20Service%22%20security%20principal%2C%20then%20for%20step%201%20above%2C%20I'm%20editing%20the%20computer%20account%20for%20SQL01%20in%20Active%20Directory%2C%20and%20for%20step%202%2C%20I'm%20editing%20the%20APP01%20computer%20account%20from%20Active%20Directory.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECheers%2C%3C%2FP%3E%3CP%3ELain%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

We have several SQL Server Systems located in different areas.  My job involves creating reports that can come from any of our servers.  The system we use for automating these reports only allow for 1 connection to SQL Server so I've created Views on our local Server that pulls data from the other SQL Servers using linked Servers.  However, I'm having a problem with 1 Server the connection keeps failing.  That Server uses windows authentication and I have no problem connecting through SSMS but the linked server connection Fails saying the Login Failed for user NT AUTHORITY\ANONYMOUS LOGIN.  But I've specified to use my windows login.  Anybody have any thoughts?

1 Reply

@RayMilhon 

 

Yes, this behaviour is normal and commonly encountered in three tier (or more) architectures. What you'd be looking to configure is something called Kerberos Constrained Delegation (or KCD for short.)

 

KCD is a Windows concept (a bit simplified there, but let's stick to the Microsoft context), not an SQL concept, and you'll find it's frequently mentioned in the IIS/web server context. That said, because it's a Windows concept, the documentation on how to configure it is the same for SQL Server.

 

Here's a short version of what's different between your SMSS test scenario and your production scenario.

 

SMSS

SMSS only involves a single hop for authentication as your Kerberos ticket is created on the SQL host itself. Single hops just work out of the box, which is why your linked server definition works when using SMSS, since it's only then the single hop from the SQL host to the remote SQL host linked via the linked server definition.

 

Production scenario

Your production scenario is different, since it involves two hops:

 

  1. From the application host to your central SQL Server;
  2. From the central SQL Server to the remote SQL Server server(s) at the other end of the linked server definitions.


And this is where KCD comes in, and without it - and it's "off" by default - your Kerberos ticket created on the application host only makes it as far as the central SQL Server host (i.e. point 1.) Because the central host is not permitted to pass that ticket to the remote SQL host, you run into the "anonymous" authentication issue you've mentioned.

 

By enabling KCD (involves configuration of both the SQL Server database service account as well as the account being used by the application host to log into the central SQL Server), you're providing "approval" for the central SQL Server host to take the application host's Kerberos ticket and forward it along to the remote SQL Server host, thereby completing the second hop and resolving your "anonymous" authentication issue.

 

Here's some additional reading that covers the concepts and action items.

 

 

In short though, you want to:

 

  1. Enable KCD on the service account for the SQL Server database service on the central SQL Server (not the remote hosts from the other end of the linked server definitions - nothing should be done for these). Make sure you enable protocol transitioning by selecting the "Use nay authentication method" option (as shown in the IIS article from above in "scenario 1, step 2");
  2. Configure the account used by the application host to be allowed to delegate to the various "MSSQLSvc/" servicePrincipalName values (as seen in the IIS article, scenario 2, section 1: configure the delegation".)

 

Be aware that if the central SQL Server and/or the application host are using a credential such as "Network Service", "LocalSystem", "SYSTEM", etc. then these built-in references resolve back to the actual computer account within Active Directory.

 

For example, if my central SQL Server is named SQL01 and my application host is named APP01, and they both operate under the "Network Service" security principal, then for step 1 above, I'm editing the computer account for SQL01 in Active Directory, and for step 2, I'm editing the APP01 computer account from Active Directory.

 

Cheers,

Lain