May 18, 2017 at 5:59 am
Hello,
Does anybody know how to configure Linked Servers to work with Windows 10 Credential Guard?
I get Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON' after enabling Credential Guard on our clients.
I can no longer connect to the linked server from my Windows 10 client.
However, the connection works from Windows Server.
Linked Server is configured as:
@srvproduct=N'SQL Server'
@useself=N'True',@locallogin=NULL,@rmtuser=NULL,@rmtpassword=NULL
Regards,
/Fari
May 18, 2017 at 12:20 pm
I have no idea what Credential Guard is, but it looks like you are running into a standard double-hop issue...Client to Server to Server.
https://technet.microsoft.com/en-us/library/ms189580(v=sql.105).aspx
------------------------------------------------------------------------------------------------
Standing in the gap between Consultant and Contractor
Kevin3NF
DallasDBAs.com/Blog
Why is my SQL Log File HUGE?!?!
The future of the DBA role...
SQL Security Model in Plain English
May 18, 2017 at 11:16 pm
Hi Kevin,
Credential Guard is a new feature in Windows 10 Enterprise and Windows Server 2016 that prevents phishing, … feature we have enabled in our company.
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard
We have a workaround now, by logging on to the server when developing, testing, … But it is not a solution. You can't even run a select from a client:
Msg 18456, Level 14, State 1, Line 1
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
I haven’t tested the connection using SQL Server login, we don’t see that as an alternative solution.
I am going to test the connection from our Windows 2016 environment. It should not work there either.
Regards,
Fari
May 19, 2017 at 5:51 am
Correct...please read the part of the linked doc where the AD account:
"The user Active Directory property, Account is sensitive and cannot be delegated, must not be selected."
Please verify this for the account you are connecting with from the client.
Kevin3NF
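One way to run the check suggested above and, alongside it, read the delegation settings on the first-hop SQL Server's service account, which matter here because Credential Guard does not allow unconstrained Kerberos delegation. This is an added example, not part of the original thread; `jdoe` and `svc-sql01` are placeholder account names, and the ActiveDirectory (RSAT) module is assumed to be installed.

```powershell
# Added example: report the AD settings that decide whether a
# client -> SQL Server -> linked server double hop can carry the caller's identity.
# Account names passed in below are placeholders, not values from the thread.
Import-Module ActiveDirectory

function Get-DoubleHopDelegationReport {
    param(
        [Parameter(Mandatory)] [string] $CallerSam,     # account used on the client
        [Parameter(Mandatory)] [string] $SqlServiceSam  # service account of the first-hop SQL Server
    )

    # "Account is sensitive and cannot be delegated" is exposed as AccountNotDelegated.
    $caller = Get-ADUser -Identity $CallerSam -Properties AccountNotDelegated

    # Get-ADObject works for user, computer and gMSA service accounts alike
    # (for a computer or gMSA, pass the sAMAccountName with its trailing '$').
    $svc = Get-ADObject -Filter "sAMAccountName -eq '$SqlServiceSam'" `
        -Properties userAccountControl, servicePrincipalName, 'msDS-AllowedToDelegateTo'
    if (-not $svc) { throw "No AD object with sAMAccountName '$SqlServiceSam'" }

    $uac = [int]$svc.userAccountControl
    $unconstrained      = ($uac -band 0x80000)   -ne 0   # TRUSTED_FOR_DELEGATION
    $protocolTransition = ($uac -band 0x1000000) -ne 0   # TRUSTED_TO_AUTH_FOR_DELEGATION

    # Filter through the pipeline so an unset attribute yields an empty array.
    $allowedTo = @($svc.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    $sqlSpns   = @($svc.servicePrincipalName | Where-Object { $_ -like 'MSSQLSvc/*' })

    $mode = 'None'
    if ($unconstrained) { $mode = 'Unconstrained' }
    elseif ($allowedTo.Count -gt 0) { $mode = 'Constrained' }

    [pscustomobject]@{
        Caller                      = $caller.SamAccountName
        CallerSensitiveNotDelegated = [bool]$caller.AccountNotDelegated
        ServiceAccount              = $svc.Name
        DelegationMode              = $mode
        ProtocolTransition          = $protocolTransition
        AllowedToDelegateTo         = $allowedTo -join '; '
        MSSQLSvcSpns                = $sqlSpns -join '; '
    }
}

Get-DoubleHopDelegationReport -CallerSam 'jdoe' -SqlServiceSam 'svc-sql01' | Format-List
```

A `DelegationMode` of `Unconstrained` is the setting Credential Guard clients cannot use; `Constrained` with the linked server's `MSSQLSvc/...` SPN listed in `AllowedToDelegateTo` is the configuration to compare against.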
May 21, 2017 at 10:50 pm
Hi,
I used my domain admin account which has the correct properties.
May 22, 2017 at 5:57 am
Did it work before Credential Guard was in place, when running queries from the client?
Kevin3NF
May 22, 2017 at 6:13 am
Yes Kevin, it did! We tested disabling Credential Guard on a client and it worked as it did before, so the problem is Credential Guard.
Regards
/Fari
May 22, 2017 at 6:53 am
Best suggestion I have for you:
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations
Kevin3NF
May 22, 2017 at 7:38 am
Thanks Kevin! I'll get back to you after checking this up 🙂
May 24, 2017 at 2:51 am
It could work if we disable the Credential Guard on the PAW workstation/server. But we are looking for another solution.
Regards /Fari