NTLM auth_scheme vs Kerberos auth_scheme mode.

  • Please suggest what happens if my auth_scheme is NTLM but not Kerberos.

    In which situation which type of auth scheme is useful?

    Please suggest.

    Thanks.

  • I believe Kerberos is more secure as it does not pass credentials around - instead it passes some sort of "ticket". But other folks can better speak to that. What I want to mention is where I personally saw the greatest benefit - the handling of linked server permissions.

    We have many linked servers here and from an administrative perspective it is much easier to configure security using the option "Be made using the login's current security context". If you don't use that option you continually have to create SQL logins on the remote server to map folks to (unless you map everyone to the same login, however, that generally isn't practical because everyone needs different permissions)...it's a headache.

    A query that uses a linked server involves a "double hop" - the connection from the client to SERVER1 is the first hop, then across the linked server from SERVER1 to SERVER2 is the second hop. Only Kerberos will pass the credentials from SERVER1 to SERVER2, NTLM will not.

  • The above is 100% correct.

    No Kerberos = No double hop.

    You set the SPN for each server and delegate to the common account and off you go.
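An added example (my own T-SQL, not posted by anyone in the thread) that checks the points raised in the two replies above: which sessions arrived over Kerberos versus NTLM, and a linked server mapped with the login's current security context. It assumes SQL Server with a linked server named SERVER2 (placeholder) and a sysadmin connection on SERVER1.

```sql
-- Added example, not from the thread. Run on SERVER1 as a sysadmin.

-- 1. Which Windows-authenticated sessions arrived over Kerberos and which over NTLM?
--    sys.dm_exec_connections.auth_scheme reports 'KERBEROS', 'NTLM' or 'SQL'.
--    NTLM sessions cannot be delegated across a linked server (the "double hop").
SELECT s.session_id,
       s.login_name,
       c.auth_scheme,
       c.client_net_address,
       s.program_name,
       CASE WHEN c.auth_scheme = 'NTLM' THEN 'will fail the double hop'
            ELSE 'ok' END AS double_hop_status
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
  ON c.session_id = s.session_id
WHERE s.is_user_process = 1
ORDER BY c.auth_scheme, s.login_name;

-- 2. Check your own connection before testing a linked-server query.
SELECT auth_scheme
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;

-- 3. Define the linked server and map every local login to its own Windows
--    identity on the remote side. @useself = 'TRUE' with no @locallogin is
--    the T-SQL equivalent of the SSMS option
--    "Be made using the login's current security context".
EXEC sp_addlinkedserver
     @server     = N'SERVER2',      -- placeholder name
     @srvproduct = N'SQL Server';
EXEC sp_addlinkedsrvlogin
     @rmtsrvname = N'SERVER2',
     @useself    = N'TRUE',
     @locallogin = NULL;

-- 4. Exercise the second hop (SERVER1 -> SERVER2). With a KERBEROS session and
--    delegation configured this returns a row; with an NTLM session it typically
--    fails with "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'".
SELECT TOP (1) name AS remote_database
FROM SERVER2.master.sys.databases;
```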

  • Thanks Guys !

    Thanks.
