February 26, 2015 at 2:27 pm
Hey all,
Here's the setup.
Server A
- Instance1
- Instance2
- Instance3
Server B
- Instance1
- Instance2
- Instance3
Each instance has a dedicated IP + port that is set to 1433. I can connect to each instance by name and by IP without issue.
I then have a DNS alias in front of each IP.
- From Server A, I can connect to all 3 aliases for Server B
- From Server A, I can NOT connect to any of the instances for Server A
- The same goes for the other way around
When connecting, I get the "login is from an untrusted domain" error. I check the error log and I'm getting the SSPI handshake error.
Checking auth_scheme from sys.dm_exec_connections shows all my connections coming in under NTLM.
Each instance has an SPN, with no port specified. I've manually added a new entry for port 1433, and still the same issue persists.
Help would be most appreciated.
Thank you!
February 27, 2015 at 9:51 am
Can you list out the SPNs and post details of them? Obfuscate any names first, obviously.
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" 😉
February 27, 2015 at 3:10 pm
You could try Microsoft Kerberos Configuration Manager to help troubleshoot.
You could try creating an SPN with the instance name.
Ex:
MSSQLSvc/servera.domain.com:instance1
MSSQLSvc/servera.domain.com:instance2
MSSQLSvc/servera.domain.com:instance3
March 1, 2015 at 10:01 pm
It sounds like a bit of an odd setup (or perhaps I'm just misunderstanding the setup).
Are you saying that on the one server you have three instances each listening on their own (unique) IP, but all listening on port 1433? Normally I would expect it to be the other way around (same IP, different port) unless they're clustered instances, in which case the virtual cluster host IP address will of course be different.
March 2, 2015 at 5:45 am
I must admit I too would expect a single IP address but different ports for each instance.
Could you get back to us on that?
March 2, 2015 at 6:36 am
Ended up resolving it later that day.
In order to do DNS aliasing, a given SQL instance must listen on 1433 for resolution without specifying instance name.
My issue stemmed from the fact that I was lacking an SPN on the alias. Historically I've only ever done this with FCIs, not multi-instanced single machines. With an FCI, you don't need to manually add an SPN for the alias; however, as I learned in this scenario, I needed it.
Thanks!
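The missing-alias-SPN condition described in the resolution above can be checked offline against `setspn -L` output. This is an added example, not part of the original thread: the alias, host and account names are constructed, and it assumes the client requests `MSSQLSvc/<alias>:1433` for the name typed in the connection string.

```python
import re

# Constructed sample of `setspn -L <account>` output for three accounts.
# Account, host and alias names are made up for this example.
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=svc_sql1,OU=Service,DC=domain,DC=com:
    MSSQLSvc/servera.domain.com:instance1
    MSSQLSvc/sqlalias1.domain.com:1433
Registered ServicePrincipalNames for CN=svc_sql2,OU=Service,DC=domain,DC=com:
    MSSQLSvc/servera.domain.com:instance2
    MSSQLSvc/sqlalias3.domain.com:1433
Registered ServicePrincipalNames for CN=svc_old,OU=Service,DC=domain,DC=com:
    MSSQLSvc/sqlalias3.domain.com:1433
"""

HEADER = re.compile(r"^Registered ServicePrincipalNames for (.+):\s*$")

def parse_setspn(text):
    """Map each lower-cased SPN to the set of accounts it is registered on."""
    owners, account = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            account = m.group(1)
        elif line.strip() and account:
            owners.setdefault(line.strip().lower(), set()).add(account)
    return owners

def audit_aliases(aliases, setspn_text, port=1433):
    """Classify each alias as 'ok', 'missing' or 'duplicate' for TCP/<port>."""
    owners = parse_setspn(setspn_text)
    report = {}
    for alias in aliases:
        spn = f"mssqlsvc/{alias.lower()}:{port}"  # SPNs compare case-insensitively
        accounts = owners.get(spn, set())
        if not accounts:
            report[alias] = "missing"    # no SPN for the alias, as in this thread
        elif len(accounts) > 1:
            report[alias] = "duplicate"  # same SPN registered on several accounts
        else:
            report[alias] = "ok"
    return report

if __name__ == "__main__":
    names = ["sqlalias1.domain.com", "sqlalias2.domain.com", "sqlalias3.domain.com"]
    for name, state in audit_aliases(names, SETSPN_OUTPUT).items():
        print(f"{name}: {state}")
```

An alias reported as "missing" or "duplicate" is one to check in auth_scheme for NTLM connections.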
March 2, 2015 at 6:39 am
Glad you got it sorted.
March 2, 2015 at 7:15 am
Ah I see, the alias is the antecedent and not an attempt to solve the problem. That makes sense.