Join Log in
Score:0
AnJ avatar Server

Kerberos - configure constrained delegation using SQL Server's virtual accounts

cn flag
AnJ

I'm trying to setup Kerberos constrained delegation to solve my double hop problem.

I'm using standard SQL Server configuration with Virtual Account (NT SERVICE\MSSQLSERVER) as a service account for all my instances.

When I'm trying to perform double hop query via Linked Server I get this typical error:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'

The setup looks like this:

User Computer > HOP > SQL Server A > HOP (Linked Server) > SQL Server B

And my query is just basic Select just for testing. Like this:

Select * From [Server B].[DB].[Scheme].[Table]

Using Kerberos Configuration Manager for SQL Server I verified SPNs and delegation settings for my servers.

SPNs are configured automatically: enter image description here

And delegation is set to None: enter image description here

I also checked what type of authentication does SQL Server uses. To check this I ran this query on Server A (from this article):

SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@spid ;

And got NTLM as a response.

According to this results it seems like I'm missing delegation settings. But my question is how should I go about it?

I've read countless articles and post and I still can not figure it out. It seems like it should be possible to just use default Virtual Account for this. But every tutorial I've found talks about either Domain Accounts or Managed Service Accounts. In such cases we have this accounts present inside Active Directory, but what about default virtual accounts? This accounts are local - how do I grant delegation permissions to them?

Should I grant delegation permission on the machine? But how?

I tried doing this. I went over to Active Directory, opened my Server A computer object and did this:

enter image description here

So it should allow Server A to delegate to Server B. But it still does not work. And Kerberos Configuration Manager still shows None as delegation type.

I'm using Windows Server 2019 and SQL Server 2019.

@EDIT

I tried using different setting. Instead of "Kerberos only" I selected "Use any authentication protocol" and after like 10 minutes it started working!.

It all makes sense now as SSMS connection still was done with NTLM the "Kerberos only" settings wouldn't work.

But the question is why it is still using NTLM? Is it bad and I should try to change it? If so - how?

61
0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.