April 21, 2016 at 10:39 am
Hello,
I am running into a problem that I am hoping someone might be able to shed some light on.
We currently have an application that is running through IIS to a SQL Server that is working without issue. We have added a node to this database server and made it a SQL AG. The SQL AG is up and working fine.
When the application is pointed directly at the primary node everything works as expected. However, when we try to use the AG Listener the Windows AD credentials are not passed and it attempts to authenticate as NT AUTHORITY\ANONYMOUS LOGON.
We have set up the SPNs for the AG listener so that shouldn't be the issue.
Does anyone have any thoughts or insights on what we should be looking at?
Thanks
Jim
April 21, 2016 at 1:13 pm
We have referenced a number of different articles on the topic of double hops, but none of them seem to help us resolve the issue.
I am not sure if there is something additional that is needed for a SQL AG.
This is the article we have found the most helpful so far:
https://blogs.msdn.microsoft.com/sqlupdates/2014/12/05/sql-server-kerberos-and-spn-quick-reference/
April 22, 2016 at 2:25 am
It's hard to know without seeing your connection string. Does it work when you connect to the listener through SSMS with the AD credentials?
April 22, 2016 at 3:47 am
Hi there,
Troubleshooting the double hop is indeed a tricky thing.
There aren't many helpful posts/blogs/forum threads about it.
Try downloading Microsoft® Kerberos Configuration Manager for SQL Server and see if your SPNs are indeed configured properly.
Also you can check if the Listener object in Active Directory has Kerberos delegation enabled.
Good luck.
Please share how you solved it if you succeed.
Roni.
April 22, 2016 at 12:59 pm
We found the problem, turns out the issue was SSRS and not IIS. Once I updated the .config file for SSRS to use Kerberos
We needed to add this entry:
<Authentication>
    <AuthenticationTypes>
        <RSWindowsNegotiate/>
    </AuthenticationTypes>
    <EnableAuthPersistence>true</EnableAuthPersistence>
</Authentication>
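A check for the setting described in the last post, as an added example that is not part of the original thread: it parses the Authentication block of an SSRS configuration file and reports whether any listed type can negotiate Kerberos, which the second hop to SQL Server needs. The function name audit_ssrs_auth, the Configuration wrapper element and the NTLM-only sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# SSRS authentication types that can negotiate Kerberos. A session that
# authenticated with NTLM cannot be delegated to SQL Server, which is what
# surfaces there as NT AUTHORITY\ANONYMOUS LOGON.
KERBEROS_CAPABLE = {"RSWindowsNegotiate", "RSWindowsKerberos"}

def audit_ssrs_auth(config_xml):
    """Audit the <Authentication> block of an SSRS config (hypothetical helper)."""
    root = ET.fromstring(config_xml)
    auth = root if root.tag == "Authentication" else root.find(".//Authentication")
    if auth is None:
        return {"types": [], "kerberos_capable": False,
                "findings": ["no <Authentication> element found"]}
    node = auth.find("AuthenticationTypes")
    types = [child.tag for child in node] if node is not None else []
    kerberos = bool(KERBEROS_CAPABLE.intersection(types))
    findings = []
    if not kerberos:
        findings.append("no Kerberos-capable type listed; credentials "
                        "cannot be delegated to the database server")
    elif "RSWindowsNTLM" in types:
        findings.append("RSWindowsNTLM is also offered; sessions that "
                        "authenticate with NTLM cannot be delegated")
    return {"types": types, "kerberos_capable": kerberos, "findings": findings}

# The entry from the thread, wrapped in a constructed root element.
THREAD_FIX = """<Configuration>
  <Authentication>
    <AuthenticationTypes><RSWindowsNegotiate/></AuthenticationTypes>
    <EnableAuthPersistence>true</EnableAuthPersistence>
  </Authentication>
</Configuration>"""

# Constructed sample: NTLM only, the state that breaks the second hop.
NTLM_ONLY = """<Configuration>
  <Authentication>
    <AuthenticationTypes><RSWindowsNTLM/></AuthenticationTypes>
    <EnableAuthPersistence>true</EnableAuthPersistence>
  </Authentication>
</Configuration>"""

if __name__ == "__main__":
    for name, xml_text in (("thread fix", THREAD_FIX), ("NTLM only", NTLM_ONLY)):
        print(name, audit_ssrs_auth(xml_text))
```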