February 8, 2018 at 6:11 am
I have got this working when the SQL Service is using Local System or Network Service and applied all the correct SPN's and enabled delegation for CIFS on the computers in AD.
February 8, 2018 at 8:31 am
matthew.butler 32881 - Thursday, February 8, 2018 6:11 AMI have got this working when the SQL Service is using Local System or Network Service and applied all the correct SPN's and enabled delegation for CIFS on the computers in AD.Any calls via my CLR procedure will impersonate a user and retrieve what directories/files are available to the users domain account.I am attempting to get this working now using a group managed service account. The SQL Service is running as this new account, I have applied the MSSQLService SPN's to the gmsa, I have enabled the gmsa for trusted delegation (in constrained).The impersonation does not seem to work accessing a UNC via this way. Is this not supported in these type of accounts as connecting to another sql server machine after impersonating seems to manage the double hop okay, just not accessing network resources.Any quick help or guidance would be appreciated as reverting back to a system account or a non managed domain account for the service logon is not an option.Thanks
Try enabling Kerberos Protocol Transition. Some of it is explained in this MS document:
Kerberos Constrained Delegation May Require Protocol Transition in Multi-hop Scenarios
This article discusses it further and hows how to enable it:
Kerberos Protocol Transition and Constrained Delegation
Sue
February 9, 2018 at 10:17 am
I ran into similar issue months ago. It works well after Network guy help to
1. Grant permission on CIFS share to gMSA
2. Launch ADUC and add the gMSA to some security group
Unfortunately, in the company, DBA don't have permission on AD and I don't know the very details.
GASQL.com - Focus on Database and Cloud
Viewing 3 posts - 1 through 2 (of 2 total)
You must be logged in to reply to this topic. Login to reply