Linked Server: using Kerberos Through a Firewall Over a WAN

  • Help! I've reached the limits of my knowledge as a humble DBA. Here's the problem -

    PC #1 in London

    SQL Server #1 in Berlin

    SQL Server #2 in Berlin

    SQL Server #3 in London

    There's a linked server called [Svr1-Svr2] between SQL Server #1 and SQL Server #2.

    There's a linked server called [Svr2-Svr3] between SQL Server #2 and SQL Server #3.

    SPNs have been set for all 3 SQL Servers and I have confirmed the authentication method is Kerberos by running:

        select auth_scheme from sys.dm_exec_connections where session_id=@@spid

    John Doe logs into PC #1 and can use the linked server [Svr1-Svr2] to get data. He cannot use linked server [Svr2-Svr3] and gets Err 18456 i.e. the double-hop err.

    There is a firewall between London and Berlin. What must I ask my firewall admin to do to allow Kerberos to pass through it?

  • nzrdb6 (12/2/2010)


    Help! I've reached the limits of my knowledge as a humble DBA. Here's the problem -

    There is a firewall between London and Berlin. What must I ask my firewall admin to do to allow Kerberos to pass through it?

    We have escaped the realm of the DBA and entered the realm of the Networking group. I suggest you send this up the pipe to them for correction.


    - Craig Farrell

    Never stop learning, even if it hurts. Ego bruises are practically mandatory as you learn unless you've never risked enough to make a mistake.

    For better assistance in answering your questions | Forum Netiquette
    For index/tuning help, follow these directions. | Tally Tables

    Twitter: @AnyWayDBA

  • nzrdb6

    Has the service profile of srv2 been allowed to delegate the SPNs of srv3?

    When you checked sys.dm_exec_connections for auth scheme, did you do this from PC1->srv3 and also from srv2->srv3? The reason I ask is I don't recall linked servers/delegation having any additional port requirements.


    -Ken
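
The per-hop check Ken asks about, as an added example that is not part of the original thread. It assumes [Svr2-Svr3] is defined on SQL Server #2, that John Doe connects to SQL Server #2 from PC #1 with Windows authentication, and that his login has VIEW SERVER STATE on both servers.

```sql
-- Added example; run on SQL Server #2 in a session opened from PC #1.

-- 1. Inbound hop (PC #1 -> SQL Server #2). Delegation to the next server is
--    only possible when this connection itself authenticated with KERBEROS.
SELECT 'PC1 -> Svr2'    AS hop,
       @@SERVERNAME     AS server_name,
       c.auth_scheme,
       c.net_transport,
       s.login_name
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.session_id = @@SPID;

-- 2. Linked server login mapping. uses_self_credential = 1 means the linked
--    server connects with the caller's own security context, which is the
--    case that depends on Kerberos delegation. local_principal_id = 0 is
--    the default mapping applied to all logins.
SELECT sv.name          AS linked_server,
       sv.data_source,
       ll.local_principal_id,
       sp.name          AS local_login,
       ll.uses_self_credential,
       ll.remote_name
FROM sys.servers       AS sv
JOIN sys.linked_logins AS ll ON ll.server_id = sv.server_id
LEFT JOIN sys.server_principals AS sp ON sp.principal_id = ll.local_principal_id
WHERE sv.name = N'Svr2-Svr3';

-- 3. Outbound hop (SQL Server #2 -> SQL Server #3). The inner query runs on
--    SQL Server #3 and reports how the delegated connection authenticated.
--    If delegation is not working, this statement fails with the login
--    error instead of returning a row.
SELECT 'Svr2 -> Svr3' AS hop, q.*
FROM OPENQUERY([Svr2-Svr3],
     'SELECT @@SERVERNAME AS server_name,
             c.auth_scheme,
             c.net_transport,
             s.login_name
      FROM sys.dm_exec_connections AS c
      JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
      WHERE c.session_id = @@SPID') AS q;
```

If step 1 reports NTLM, the first hop is the problem; if step 1 reports KERBEROS and step 3 fails, the delegation settings for the service account on SQL Server #2 are the next thing to check.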
