October 1, 2002 at 7:07 am
Hello guys,
Please help me with a linked server problem.
A short description of the environment:
- 2 NT4 member servers (SQL 7.0) in one resource NT4 domain
- one NT4 logon domain
- resource domain trusts the logon domain
- one account from logon domain is an SQL system admin for both servers
- sysadmin role is assigned to NT local groups defined on the member servers
- the above-mentioned account gets sysadmin privilege via memberships in local NT groups.
- a linked server has been created on one server (connection to the second one)
Although I've chosen "they will be impersonated" on the "Security" tab (Enterprise Manager, Linked Servers, <server>, Properties), whenever I want to "do" anything I always receive the error message:
Server: Msg 18456, Level 14, State 1, Line 1
Login failed for user '\'.
The problem is very well described at
http://www.ntsecurity.net/Articles/Index.cfm?ArticleID=23471
but the solution is only for W2000 servers.
I do need something for an NT4/SQL7 environment.
Could you please give me some hint, at least?
October 1, 2002 at 7:12 am
Sounds like a double-hop issue and there's no workaround if you want to use NT authentication all the way through. Double-hop is prohibited in NTLM (the security mechanism for NT 4.0 domains) by design.
The workaround is to have one of the hops via a SQL Server login. I know, this goes against Microsoft's best practice of NT authentication everywhere, but with NTLM there's no way around it.
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
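The workaround described in the reply above, making the second hop with a SQL Server login, sketched in T-SQL as an added example that is not part of the original posts. The linked server name SERVER2, the NT account LOGONDOM\sqladmin, the login linked_reader, the pubs database and the password placeholder are all assumptions.

```sql
-- Added example. All names (SERVER2, LOGONDOM\sqladmin, linked_reader, pubs)
-- and the password placeholder are assumptions, not values from the thread.

-- 1) Run on the SECOND (remote) server. It must be in "SQL Server and
--    Windows NT" authentication mode to accept a SQL Server login.
--    Use a dedicated low-privilege login rather than sa or a sysadmin,
--    because its password is stored with the mapping on the first server.
EXEC sp_addlogin @loginame = 'linked_reader',
                 @passwd   = '<password-placeholder>',
                 @defdb    = 'pubs'
GO
USE pubs
GO
EXEC sp_grantdbaccess @loginame = 'linked_reader'
EXEC sp_addrolemember @rolename = 'db_datareader',
                      @membername = 'linked_reader'
GO

-- 2) Run on the FIRST server (the one that owns the linked server).
--    @useself = 'false' turns off impersonation for this local login, so
--    the hop to SERVER2 is made with the SQL Server login and no NTLM
--    credentials have to be forwarded.
EXEC sp_addlinkedsrvlogin
     @rmtsrvname  = 'SERVER2',
     @useself     = 'false',
     @locallogin  = 'LOGONDOM\sqladmin',
     @rmtuser     = 'linked_reader',
     @rmtpassword = '<password-placeholder>'
GO

-- 3) Review the mappings. Any local login without an explicit mapping
--    still falls back to the default (impersonation) entry.
EXEC sp_helplinkedsrvlogin @rmtsrvname = 'SERVER2'
GO

-- 4) Test from a client workstation, which is where the double hop
--    failed with Msg 18456 before the mapping existed.
SELECT TOP 5 au_lname, au_fname
FROM SERVER2.pubs.dbo.authors
GO
```

Everything the mapped local login does on SERVER2 runs with the rights of linked_reader, so grant that login only what the linked queries need.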
October 1, 2002 at 7:20 am
Hello Brian,
I'm amazed with the swiftness of your reply!
Thank you very much.
Unfortunately, your answer confirms what I've been afraid of.....
October 1, 2002 at 9:05 am
Keep in mind if you are simply talking between the two servers (and not needing to use the linked server connection from another client), the double-hop issue won't occur. In that case it's server to server, a single hop. It will mean, however, if you're building queries for a SQL Server job you'll need to test your query on the server itself, either by logging on at the console or by using some sort of console-like remote access such as Terminal Services.
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1