June 22, 2016 at 8:55 am
Interesting, much appreciate the feedback. I've lost count of how many times I've visited the Kevin Holman blog when looking at SPNs!
I have also encountered numerous problems in getting Kerberos auth to work; fortunately, up until now, silently falling back to NTLM has not been a major problem.
I have played with all kinds of SPNs, delegation-of-authority and Kerberos Constrained Delegation settings; I don't think I've ever got Kerberos to work without using the FQDN. I'm still experimenting....
Andy
June 23, 2016 at 1:00 am
"[Delegation is] what you need if you want to be a Record Breaker!" - Sorry, I hum the theme tune in the office every time I think of Delegation - it was a UK TV show. Sorry if I've got you doing it as well now.
Kerberos gets more interesting when you have Reporting Services, CNAMEs but particularly SharePoint. For those to work I've had to have the delegation enabled on the service account for SQL Server; whilst I'd like to have constrained delegation, it's just one step too far for my environment. I've also had the fully qualified SPNs registered for, say, the RS servers for their computer accounts and any CNAMEs.
Up till now I've only ever had the fully qualified domain names registered for anything. Sure, I've had my issues with delegation. I've used Microsoft Kerberos Configuration Manager to look for issues, but most of the time that told me what I knew from looking at AD and using setspn against the service account (FYI, by default I believe anyone in a domain can read SPN information, so whilst you may not be able to register SPNs you can still use it to list them out).
Back on topic. I installed the 1st June 2016 SSMS on my Windows 2016 Preview VM.
So SQL Management Studio 2016 - yes that's still working with the Hostname/NetBIOS name.
SQLOS 2016 - Well, unfortunately they've altered that as well; it's now behaving the same as SQLCMD.
Now I know what everyone is thinking... what about PowerShell and invoke-sqlcmd? (Ok not everyone was thinking of it, but you are now...) I mean surely that's going to run and mirror SQLCMD? Erm... No.
PS C:\Windows\system32> invoke-sqlcmd -ServerInstance MyServerHostName -Query "SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID"
auth_scheme
-----------
KERBEROS
PS C:\Windows\system32> $PSVersionTable.PSVersion
Major Minor Build Revision
----- ----- ----- --------
5 1 14300 1000
:crazy:
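Added example, not part of the original posts: a PowerShell function that runs the same auth_scheme query against each name form of a server and flags any connection that fell back to NTLM. The function name, the FQDN `MyServerHostName.example.local` and the 5-second timeout are assumptions; it also assumes the login is allowed to read sys.dm_exec_connections.

```powershell
# Added example: compare the negotiated auth scheme for each name form of one server.
# Get-SqlAuthScheme is a hypothetical helper name; the FQDN used below is a placeholder.
function Get-SqlAuthScheme {
    param(
        [Parameter(Mandatory)] [string[]] $ServerName,
        [int] $TimeoutSeconds = 5
    )
    $query = 'SELECT auth_scheme, net_transport FROM sys.dm_exec_connections WHERE session_id = @@SPID'
    foreach ($name in $ServerName) {
        $builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
        $builder.DataSource         = $name
        $builder.IntegratedSecurity = $true
        $builder.ConnectTimeout     = $TimeoutSeconds
        $builder.Pooling            = $false   # fresh login per name, no reused pooled session
        $conn = New-Object System.Data.SqlClient.SqlConnection $builder.ConnectionString
        try {
            $conn.Open()
            $cmd = $conn.CreateCommand()
            $cmd.CommandText = $query
            $reader = $cmd.ExecuteReader()
            if ($reader.Read()) {
                $scheme = $reader.GetString(0)
                [pscustomobject]@{
                    ServerName   = $name
                    AuthScheme   = $scheme
                    Transport    = $reader.GetString(1)
                    NtlmFallback = ($scheme -eq 'NTLM')
                    Error        = $null
                }
            }
            $reader.Close()
        }
        catch {
            # Report connection or permission failures per name instead of stopping the run
            [pscustomobject]@{
                ServerName = $name; AuthScheme = $null; Transport = $null
                NtlmFallback = $null; Error = $_.Exception.Message
            }
        }
        finally {
            $conn.Dispose()
        }
    }
}

# Short name from the thread next to a placeholder FQDN
Get-SqlAuthScheme -ServerName 'MyServerHostName', 'MyServerHostName.example.local' |
    Format-Table -AutoSize
```

Run it from a remote client rather than on the SQL Server host itself, since local shared memory connections report NTLM regardless of how the SPNs are registered.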
June 28, 2016 at 4:47 am
My support ticket has been closed out as a product bug; hopefully this will thus be resolved in a future CU or SP.