SSRS 2008 R2 - Kerberos - Stuck on Double Hop Issue - Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'

  • Could use a little help here. We have the following environment:

    SQL Server 2008R2 running in a clustered environment on two nodes.

    Virtual SQL server = VurtSQLSrv running Reporting Server and Production databases on named instance (MyInstance)

    From SQL Server Logs:

    Server is listening on [ XXX.XXX.XXX.XX <ipv4> 49845].

    SSRS Server = MySSRSServer running SSRS only.

    Users connect and run 3rd party application and call SSRS reports via Terminal Servers.

    For one datasource where we're using Windows Authentication, we are getting the following error:

    Message

    Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: XXX.XXX.XXX.XX]

    When we use a SQL Login for the same data source, it connects without error.

    Domain account for running services: MyDomain\Run_SQLSrv

    SPN Settings for MyDomain\Run_SQLSrv running SQL Server, SQL Agent on VurtSQLSrv and Reporting Services Services on SSRS Server.

    mssqlsvc/VurtSQLSrv:MyInstance

    mssqlsvc/VurtSQLSrv.MyDomain.com:MyInstance

    http/MySSRSServer

    http/MySSRSServer.MyDomain.com

    AD Settings for MyDomain\Run_SQLSrv are set as follows:

    Checked off - Trust this user for Delegation for any service (Kerberos only)

    Un-Checked - Account is sensitive and cannot be delegated

    On the SSRS and SQL Server Nodes

    RSReportServer Config file has the following entries

    <AuthenticationTypes>
        <RSWindowsNegotiate />
        <RSWindowsNTLM />
    </AuthenticationTypes>

    We've tried adding in the port for the SPN, removing them, etc., but the login message keeps coming up.

    A few of us have read just about every article there is on this but can't seem to get past this issue.

    Are we formatting the SPNs correctly for a clustered instance with a named instance?

    Do we need to include the Virtual Server Name \ Instance Name : Port Number?

    (We've tried this with no luck, but before we updated the RSReportServer.config on the Cluster Node for the Virtual SQL Server)

  • Issue has been resolved. Needed to update SPN with two new entries.

    --Original

    mssqlsvc/VurtSQLSrv:MyInstance

    mssqlsvc/VurtSQLSrv.MyDomain.com:MyInstance

    http/MySSRSServer

    http/MySSRSServer.MyDomain.com

    --Working Settings

    mssqlsvc/VurtSQLSrv.MyDomain.com

    mssqlsvc/VurtSQLSrv.MyDomain.com:PortNumber

    mssqlsvc/VurtSQLSrv:MyInstance

    mssqlsvc/VurtSQLSrv.MyDomain.com:MyInstance

    http/MySSRSServer

    http/MySSRSServer.MyDomain.com
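
A check for the gap this thread ended on, as an added example that is not part of either post: it compares `setspn -L` output against the four MSSQLSvc forms in the working settings. The function names are hypothetical, the sample output is constructed from the first post's SPN list, and the port is assumed to be the one in the quoted "Server is listening on" log line.

```powershell
# Added example (not from the thread). Sample setspn output is constructed.
function Get-ExpectedSqlSpn {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,  # virtual SQL Server name
        [Parameter(Mandatory = $true)][string]$Domain,    # DNS suffix
        [Parameter(Mandatory = $true)][int]$Port,         # TCP port the instance listens on
        [string]$Instance                                 # named instance, empty for default
    )
    $fqdn = "$HostName.$Domain"
    # Forms from the thread's working settings: bare FQDN and FQDN:port ...
    $spns = @("MSSQLSvc/$fqdn", "MSSQLSvc/${fqdn}:$Port")
    if ($Instance) {
        # ... plus the instance-name forms that were already registered.
        $spns += "MSSQLSvc/${HostName}:$Instance"
        $spns += "MSSQLSvc/${fqdn}:$Instance"
    }
    $spns
}

function Get-RegisteredSpn {
    param([string[]]$SetSpnOutput)
    # setspn -L prints a header line, then one indented SPN per line.
    $SetSpnOutput | Where-Object { $_ -match '^\s+\S+/\S+' } | ForEach-Object { $_.Trim() }
}

function Test-SqlSpnCoverage {
    param([string[]]$Registered, [string[]]$Expected)
    foreach ($spn in $Expected) {
        # -contains compares case-insensitively, so mssqlsvc/ matches MSSQLSvc/.
        [pscustomobject]@{ SPN = $spn; Registered = ($Registered -contains $spn) }
    }
}

# Constructed sample: the thread's original (failing) SPN set; the DN is hypothetical.
$sample = @'
Registered ServicePrincipalNames for CN=Run_SQLSrv,CN=Users,DC=MyDomain,DC=com:
    mssqlsvc/VurtSQLSrv:MyInstance
    mssqlsvc/VurtSQLSrv.MyDomain.com:MyInstance
    http/MySSRSServer
    http/MySSRSServer.MyDomain.com
'@
$registered = Get-RegisteredSpn ($sample -split '\r?\n')
$expected = Get-ExpectedSqlSpn -HostName 'VurtSQLSrv' -Domain 'MyDomain.com' -Port 49845 -Instance 'MyInstance'
Test-SqlSpnCoverage -Registered $registered -Expected $expected | Format-Table -AutoSize
```

On a domain-joined host, pass the output of `setspn -L MyDomain\Run_SQLSrv` to `Get-RegisteredSpn` in place of the sample. The account in this thread is trusted for delegation to any service; delegation constrained to the MSSQLSvc SPNs is the narrower setting that still permits this double hop.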
