December 24, 2018 at 6:15 am
Hello,
I'm having trouble connecting to a remote server via a linked server.
Here is my configuration:
A (my workstation, ssms client)
B middle SQL server (linked server --> C)
C target SQL server
So, when I connect to SQL server B from my laptop (ssms) and try to connect (test connection) to linked server C from there I get the error:
Here's what I have found so far:
- If I RDP to server B directly, I can access linked server C with no problem - looks like a typical double-hop Kerberos problem.
- SELECT net_transport, auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@spid;
Returns 'TCP' and 'KERBEROS', so my session got Kerberos auth.
- I'm using Windows authentication. SPNs seem to be registered correctly for SQL service accounts (B and C)
setspn -L returns SPNs for SQL service account:
MSSQLSvc/*********:1433
MSSQLSvc/*******.****.com:1433
- Service accounts are set for unconstrained delegation (selected option "Trust this user for delegation to any service (Kerberos Only)")
- The user account that is logged in to laptop A has the option "Account is sensitive and cannot be delegated" unchecked
- Linked server is configured with “Be made using the login’s current security context”
So, regarding Kerberos everything seems to be configured correctly, but the connection still doesn't work from my laptop.
The most interesting thing is that from my coworker's laptop the connection works fine!
Both laptops use Windows 10, SSMS v 17.9.1, and we both log in with Windows domain accounts.
If I log in to my coworker's laptop with my username, it works, so it is not related to the user account, but has something to do with some specific settings on my machine. Drivers?
So, what am I missing here?
Any ideas would be appreciated! Thanks!
Regards,
Domen
January 9, 2019 at 2:30 am
https://www.microsoft.com/en-gb/download/details.aspx?id=39046
Try this to see what your problem is. It would seem to be a typical Kerberos issue.
SPNs, delegation, etc.
January 9, 2019 at 2:31 am
I believe you load it on the laptop not the SQL Server
January 9, 2019 at 5:39 am
Hi Super Cat,
thanks for your reply. We have already tried with 'Kerberos Configuration Manager', but it hasn't found any issues.
Actually, we have discovered what was causing the trouble - it was the Windows Defender Credential Guard, which is not compatible with Kerberos unconstrained delegation.
Please see:
https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-considerations and also
https://www.sqlservercentral.com/Forums/1876883/Linked-Servers-Windows-10-Credential-Guard
Regards,
Domen
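Added example (not part of the original posts): a PowerShell check, run on the client workstation (A), for the combination this thread ended up at, namely Credential Guard running locally while the SQL service accounts are trusted for unconstrained delegation. The account names `svc-sql-b` and `svc-sql-c` are placeholders, the service accounts are assumed to be ordinary AD user accounts, and the AD part needs the RSAT ActiveDirectory module.

```powershell
param(
    # Placeholder sAMAccountNames for the SQL service accounts on B and C
    [string[]]$SqlServiceAccounts = @('svc-sql-b', 'svc-sql-c'),
    [string]$UserAccount = $env:USERNAME
)

# 1. Credential Guard state on this machine.
#    SecurityServicesRunning/Configured: 1 = Credential Guard, 2 = HVCI.
#    VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled, 2 = running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction Stop
$cgRunning = $dg.SecurityServicesRunning -contains 1

[pscustomobject]@{
    Computer                  = $env:COMPUTERNAME
    VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
    CredentialGuardConfigured = $dg.SecurityServicesConfigured -contains 1
    CredentialGuardRunning    = $cgRunning
} | Format-List

# 2. Delegation settings of the SQL service accounts and of the logged-on user.
Import-Module ActiveDirectory -ErrorAction Stop

$svc = foreach ($name in $SqlServiceAccounts) {
    $a = Get-ADUser -Identity $name -Properties TrustedForDelegation,
             TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo', ServicePrincipalName
    [pscustomobject]@{
        Account               = $a.SamAccountName
        UnconstrainedDeleg    = $a.TrustedForDelegation        # "delegation to any service"
        ProtocolTransition    = $a.TrustedToAuthForDelegation
        AllowedToDelegateTo   = $a.'msDS-AllowedToDelegateTo' -join '; '
        SPNs                  = $a.ServicePrincipalName -join '; '
    }
}
$svc | Format-List

$user = Get-ADUser -Identity $UserAccount -Properties AccountNotDelegated
"User $($user.SamAccountName): 'sensitive and cannot be delegated' = $($user.AccountNotDelegated)"

# 3. Flag the combination reported in this thread.
$unconstrained = @($svc | Where-Object UnconstrainedDeleg)
if ($cgRunning -and $unconstrained.Count -gt 0) {
    Write-Warning ("Credential Guard is running here and these accounts use unconstrained " +
        "delegation: $($unconstrained.Account -join ', '). The linked-server double hop " +
        "from this workstation is expected to fail.")
}
```

Running it on both the failing and the working laptop shows whether Credential Guard is the setting that differs between them.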
January 10, 2019 at 7:41 am
'Windows Defender Credential Guard' Noted.
January 10, 2019 at 7:44 am
Never heard of it. But know about it now.
Every day is a school day.