Kerberos credential delegation
SQL Server - Kerberos Configuration Manager - Unable to connect
Hello all - I am currently working through replacing a development and production SQL server, moving from Server 2012 to Server 2022. These two servers have the SQL Service running as an AD account. Thus, I have gone through and configured the proper SPNs in Active Directory and configured Kerberos Constrained Delegation:

- Adding the SPN for the FQDN and hostname, with and without port (1433), on the AD account the SQL Service is running under.
- Going to the Delegation tab for that user account and adding the MSSQLSVC<hostname> and MSSQL<FQDN> with and without port.
- Going to the AD Computer object of each of the two servers, to the Delegation tab, and adding the server that I am looking for these two servers to access via a CIFS share.

When I log in to SSMS from my PC to connect to these servers and run the query:

    use master
    GO
    SELECT COUNT(auth_scheme) as sessions_count, net_transport, auth_scheme
    FROM sys.dm_exec_connections
    GROUP BY net_transport, auth_scheme

I can see that my TCP connection has an auth_scheme of KERBEROS.

However, when I try to launch the Kerberos Configuration Manager and try to connect to the local host (leaving the server name, user name, and password blank - while on the server as an admin) I get the following:

"Unable to connect to server, please ensure that the server name is correct, SQL Server is installed properly, and the user has administrator permissions. If the problem persists, please contact Microsoft Support."

I am an administrator on the server, and ran the application as administrator. I'm not really sure where to look from here. Any help or tips would be appreciated.

Thanks
Steve

Putty and Kerberos constrained delegation
Hi all, I'm struggling with Kerberos credential delegation...

My environment is:
- Windows Server 2012
- a Win10 workstation that is joined to the configured AD domain
- a Fedora 37 Linux server that is joined to the configured AD domain using SSSD
- 'putty' version 0.78 64-bit as an SSH client/terminal emulator running on Win10

I configured:
- in 'putty', I enabled 'Connection > SSH > Auth > GSSAPI > Allow GSSAPI credential delegation'
- in 'putty', I specified an AD account name to log in with in 'Connection > Data > Auto-login username'
- SSO to the Fedora 37 server: opening a connection using 'putty' logs me in without a password

What I want:
- logging on to Win10 with my AD user account gives me a Kerberos ticket
- after login to the Fedora 37 server I want 'klist' to show those credentials

I got this to work using 'Unconstrained Delegation'. Configuring SSSD for Windows SSO created an AD machine account for the Linux server. Using the Active Directory tooling on the Windows Server, I can click the machine account's 'Delegation' tab and click 'Trust this computer for delegation to any server (Kerberos only)'. This effectively sets the 'TRUSTED_FOR_DELEGATION' flag in the UserAccountControl attribute for the Linux machine account. With this setting, I can use Putty to SSO into the Linux server using my AD user account, and 'klist' shows a forwardable ticket in the Kerberos ticket cache! Cool!

Unfortunately, this is considered insecure, since once illegally obtained, these credentials can be used to authenticate to any Kerberos-protected endpoint. The advice is to use 'Constrained Delegation'. So I tried that by changing the 'Delegation' to 'Trust this computer for delegation to specified services only'. With that, you have to choose at least one service, so I added the 'host' service for the Linux machine account.

This removes the 'TRUSTED_FOR_DELEGATION' flag from the UserAccountControl attribute on the Linux machine account, and adds the 'msDS-AllowedToDelegateTo' attribute. Problem now is that this will not give me a ticket in the Linux ticket cache after logging on to the Linux server using Putty. (I clear the ticket cache first.)

Any help would be appreciated!

Thanks
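Both threads above come down to the same two questions: which SPNs are registered on an account, and which delegation mode its UserAccountControl bits and msDS-AllowedToDelegateTo attribute actually express (unconstrained, constrained Kerberos-only, or constrained with protocol transition). The PowerShell below is an added audit example, not code from either poster or from Microsoft; it assumes the RSAT ActiveDirectory module is installed, that the caller has read access to the domain, and that the account names `svc_sql`, `LINUXHOST$` and the `sql01.corp.example` SPNs are placeholders to be replaced with your own. The flag values are the documented UserAccountControl bits (0x80000 = TRUSTED_FOR_DELEGATION, 0x1000000 = TRUSTED_TO_AUTH_FOR_DELEGATION).

```powershell
# Added example: audit SPN registration and delegation mode for an AD account.
# Assumes the RSAT ActiveDirectory module; account names and SPNs below are placeholders.
Import-Module ActiveDirectory

# Documented UserAccountControl bits relevant to delegation
$UF_TRUSTED_FOR_DELEGATION         = 0x80000    # "any service" (unconstrained)
$UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained with protocol transition ("any protocol")

function Get-DelegationReport {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Works for user and computer objects alike; computer sAMAccountNames end in '$'
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" `
        -Properties servicePrincipalName, userAccountControl, 'msDS-AllowedToDelegateTo'
    if (-not $obj) { throw "Account '$SamAccountName' not found" }

    $uac                = [int]$obj.userAccountControl
    $unconstrained      = ($uac -band $UF_TRUSTED_FOR_DELEGATION) -ne 0
    $protocolTransition = ($uac -band $UF_TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
    $targets            = @($obj.'msDS-AllowedToDelegateTo')

    # The Delegation tab in ADUC is just a view over these two attributes
    $mode = if ($unconstrained) { 'Unconstrained (any service)' }
            elseif ($targets.Count -gt 0) {
                if ($protocolTransition) { 'Constrained (use any protocol)' }
                else                     { 'Constrained (Kerberos only)' }
            }
            else { 'None' }

    [pscustomobject]@{
        Account             = $SamAccountName
        ObjectClass         = $obj.ObjectClass
        SPNs                = @($obj.servicePrincipalName)
        DelegationMode      = $mode
        AllowedToDelegateTo = $targets
    }
}

function Test-SpnRegistration {
    # Reports, for each expected SPN, which account(s) hold it.
    # 0 owners = missing SPN (NTLM fallback); >1 owners = duplicate SPN (Kerberos failures).
    param([Parameter(Mandatory)][string[]]$ExpectedSpn)

    foreach ($spn in $ExpectedSpn) {
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
                    Select-Object -ExpandProperty Name)
        [pscustomobject]@{
            SPN    = $spn
            Owners = $owners
            Status = switch ($owners.Count) { 0 { 'MISSING' } 1 { 'OK' } default { 'DUPLICATE' } }
        }
    }
}

# --- Usage (placeholder names) ---
# First thread: the SQL service account should hold the MSSQLSvc SPNs, each exactly once
Test-SpnRegistration -ExpectedSpn @(
    'MSSQLSvc/sql01.corp.example:1433',
    'MSSQLSvc/sql01.corp.example',
    'MSSQLSvc/sql01:1433',
    'MSSQLSvc/sql01'
) | Format-Table -AutoSize
Get-DelegationReport -SamAccountName 'svc_sql'    | Format-List

# Second thread: the Linux host's machine account, to confirm which mode its flags encode
Get-DelegationReport -SamAccountName 'LINUXHOST$' | Format-List
```

Reading the output: an account with DelegationMode "Unconstrained" carries the bit the second poster was advised to remove; "Constrained (Kerberos only)" means msDS-AllowedToDelegateTo is populated without the protocol-transition bit, which is the state the second post ends in. A DUPLICATE status on any MSSQLSvc SPN is worth resolving before looking elsewhere for Kerberos failures, since the KDC cannot pick between two owners of the same name.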