Sql-server – Service running as local system on server A connecting to SQL server on server B. How

local-systemsql serverwindows-server-2008

I have a service running on one server (A) which traditionally runs under the local system account. Now SQL server has moved from server A to a new server B.

I tried adding the computer account of server a [domain\servera$] to SQL server on server B and gave it all the rights it could possibly want (sa) but the service still cannot connect.

The error I find in the service log for that moment is the following

enbase 
ODBC database error:
Connect()
szSqlState = 28000
pfNativeError = 18456
szErrorMsg = [Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
pcbErrorMsg = 100
LoginId = !!UnknownUser!!
ODBCRowNumber = 0
SSrvrLine = 0
SSrvrColumn = 0
SSrvrMsgState = 0
SSrvrSeverity = 0
SSrvrProcname = 
SSrvrSrvname =

I don't know why the service thinks that it is logging on as ANONYMOUS LOGON.

Any ideas?

Update: I wrote a test service running under localsystem that causes this message in SQL profiler:

"Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors."

Update: I think now that this is a Kerberos issue. Kerberos doesn't work because the domain account SQL is running under cannot register its Service Principal Names (setspn -L shows as much) and hence Kerberos cannot be used and NTLM is used and NTLM doesn't work for domain\computer$ for some reason.

Finally, ERRORLOG shows that SQL server logs an error about not being able to register the SPN for the SQL Server service. This confirms my theory, I think.

Update: I think the solution is to grant the domain account SQL Server is running under is trusted for delegation in AD so that it can register its SPN when SQL Server starts.

Best Answer

You're not using the machine account to connect...

LoginId = !!UnknownUser!!

You're not providing the right credentials.

You do know that what is known externally as DOMAIN\MACHINE$ is internally the NT Authority\Network Service account, I hope :)

Related Solutions

Sql-server – SQL Server to SQL Server linked server setup

From My understanding of this issue it's a "HOP" issue.

i.e. you are trying to use server A to relay your login details (with SSPI) to Server B.

In SQL Server 2005 they have added a whole load of security issues that make this harder than it should be. The words "Kerberos Authentication" will become the bain of most sys-admins/DBA's lives. It effectively is used for pass-through authentication.

Here are the basics of what you need. 1) The servers (A and B) need to be set-up in Active Directory(AD) with delegation for Kerberos enabled. (this is set through your active directory admin panel)

2) The service account that your SQL Servers run under need to have delegation enabled also (this is also set through your active directory admin panel). - if they are not running under a service account, you need to create one.

3) The Servers need to have SPN's defined for the instance and the HOST and the machine name. (Using a tool called SetSPN in the windows support tools)

Support Tools (SetSPN is in this set) http://www.microsoft.com/downloads/details.aspx?FamilyID=96a35011-fd83-419d-939b-9a772ea2df90&DisplayLang=en

(Overview of how to add an SPN) http://technet.microsoft.com/en-us/library/bb735885.aspx

4) You may need to set your DB to "trustworthy"

ALTER DATABASE SET trustworthy on

5) After you have all of this done restart your instances.

6) Then try create your linked server again.

Finally you can test your connection to SQL Server. This should work fine if you have it all configured correctly.

SELECT *
FROM OPENDATASOURCE('SQLNCLI',
    'Data Source=ServerB;Integrated Security=SSPI;'
    ).MASTER.dbo.syscolumns

This will tell you your connection authentication type.

select auth_scheme from sys.dm_exec_connections where session_id=@@SPID

You want to get 'KERBEROS' here and not 'NTLM'.

It's a slippy slope, KERBEROS and Pass-through delegation, stick with it and you will eventually figure it out.

References Kerberos http://blogs.msdn.com/sql_protocols/archive/2005/10/12/479871.aspx

http://blogs.msdn.com/sql_protocols/archive/2006/12/02/understanding-kerberos-and-ntlm-authentication-in-sql-server-connections.aspx

http://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/the-biggest-mistake-serviceprincipalname-s.aspx

Other manifestations of the problem http://www.sqlservercentral.com/Forums/Topic460425-359-1.aspx

http://msdn2.microsoft.com/en-us/library/aa905162(sql.80).aspx

http://msdn2.microsoft.com/en-us/library/ms189580.aspx

I hope this all helps.

Sql-server – Can we have Linked Servers when using NTLM

This is indeed a case of constrained delegation (ie .'double hop'). There is no setting you can change which would make this work. If one would exist, it would be by definition a bug, as it would break the domain policy on constraining delegation only to trusted accounts. So unless you make the AD change to mark the SQL Server 'in the middle' as trusted for delegation, you won't succeed doing a double hop. And any other work around I would give you would put me in a position to help you violate your domain policies. Since it seems you understand the technical problem, I'd recommend you knock at the right doors: the masters of your domain and/or the stakeholders of your requirements.

Best Answer

Related Solutions

Sql-server – SQL Server to SQL Server linked server setup

Sql-server – Can we have Linked Servers when using NTLM

Related Topic