I have heard some IT professionals call it "the impossible IT problem" or even a "showstopper". Others are utterly amazed when it is solved because they view it as an overly complex problem. But what are we talking about?
… the infamous Kerberos double hop scenario … where you receive …
… Login failed for user ‘NT AUTHORITY\ANONYMOUS LOGON’ …
However, once you understand the problem, the solution is not really that difficult. In this post, I am not going to document step by step what you need to do; there are numerous blog posts and whitepapers, easily found on the internet, that document this issue well. Instead, I am going to give a high-level overview of the issue and direct your attention to a few posts that will help you not only understand the problem but also implement a solution.
What is Kerberos?
- Kerberos is a computer network authentication protocol which works on the basis of “tickets” to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It was designed for a client–server model and it provides mutual authentication—both the user and the server verify each other’s identity.
What really is the double hop issue?
- Kerberos double hop is a term used to describe the method of carrying the client's Kerberos authentication credentials across two or more connections (hops). In this fashion, the first server can retain the user's identity and act on behalf of the user in further connections to other servers.
- This issue may arise for a DBA when an application or user wants to use Windows Authentication to access a SQL Server on which they have rights, in the following scenarios:
  - Using a linked server to connect from SQL Server A to SQL Server B
  - Viewing a report in Reporting Services that connects to SQL Server
  - Using a web application or other front-end application (e.g. SharePoint, Excel, etc.) that accesses data from a SQL Server
How do we implement the solution for the Kerberos double hop issue?
- The basic idea is that we have to enable delegation in Active Directory for the computer and service accounts involved, and make sure that the appropriate SPNs (Service Principal Names: http://msdn.microsoft.com/en-us/library/windows/desktop/ms677949(v=vs.85).aspx) are registered for the services on each hop. This will most likely require coordination between a database administrator and an Active Directory domain administrator.
- Whitepaper on How to Implement Kerberos Constrained Delegation with SQL Server 2008: http://msdn.microsoft.com/en-us/library/ee191523(SQL.100).aspx
- How to set up a Kerberos Authentication Scenario with SQL Server Linked Servers: http://blogs.msdn.com/b/farukcelik/archive/2008/01/02/how-to-set-up-a-kerberos-authentication-scenario-with-sql-server-linked-servers.aspx
- Enabling Kerberos Authentication for Reporting Services: http://blogs.technet.com/b/rob/archive/2011/11/23/enabling-kerberos-authentication-for-reporting-services.aspx
- Configure Kerberos authentication for SharePoint 2010 Products: http://technet.microsoft.com/en-us/library/ff829837(v=office.14).aspx
- Kerberos Checklist: http://blogs.msdn.com/b/psssql/archive/2010/06/23/my-kerberos-checklist.aspx
- Microsoft Kerberos Configuration Manager for SQL Server: http://blogs.msdn.com/b/analysisservices/archive/2013/05/23/released-kerberos-configuration-manager-for-sql-server.aspx
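The following PowerShell is an added example, not code from the original post or from any of the Microsoft documents linked above. It walks through the steps the bullet above describes for the linked-server case (SQL Server A calling SQL Server B): register the MSSQLSvc SPNs on the second hop's service account, constrain the first hop's service account so that it may delegate only to those SPNs, and then check which authentication scheme a connection actually negotiated. The domain, host names, account names and port are assumptions for illustration. For the Reporting Services and web application scenarios, the account that receives the delegation setting is the one running that front end (the report server service account or the IIS application pool identity) rather than SQL Server A's service account, and if a service runs under a computer account (Network Service or a virtual account) the same edits are made with Set-ADComputer instead of Set-ADUser.

```powershell
# Added example (not from the original post): registering SQL Server SPNs and
# configuring Kerberos constrained delegation for a linked-server double hop.
# All names below are assumptions for illustration: domain CONTOSO, SQL Server A
# (sqla.contoso.com) running as CONTOSO\svc-sqla, SQL Server B
# (sqlb.contoso.com, default instance on TCP 1433) running as CONTOSO\svc-sqlb.
# Requires the ActiveDirectory module (RSAT) and rights to edit both accounts.
Import-Module ActiveDirectory

$Domain      = 'CONTOSO'
$SqlASvcAcct = 'svc-sqla'            # service account of the first hop (SQL Server A)
$SqlBSvcAcct = 'svc-sqlb'            # service account of the second hop (SQL Server B)
$SqlBFqdn    = 'sqlb.contoso.com'
$SqlBPort    = 1433

# SPNs the client will request for SQL Server B. Both forms are registered because
# the SQL Server client stack may request either one, depending on how it connects.
# A named instance uses MSSQLSvc/<fqdn>:<instancename> instead of the port form.
$SqlBSpns = @(
    "MSSQLSvc/$($SqlBFqdn):$SqlBPort",
    "MSSQLSvc/$SqlBFqdn"
)

# 1. Look for duplicate SPNs across the forest before adding anything. A missing
#    SPN makes the client fall back to NTLM, which cannot be delegated; a duplicate
#    SPN makes the KDC issue a ticket the service cannot decrypt. Either way the
#    second hop arrives as NT AUTHORITY\ANONYMOUS LOGON.
setspn -X -F

# 2. Register the SPNs on SQL Server B's service account. -S checks for an existing
#    duplicate before adding, which is why it is preferred over -A.
#    SQL Server A needs its own MSSQLSvc SPNs registered the same way (with its own
#    FQDN and account), otherwise the first hop itself is not Kerberos.
foreach ($spn in $SqlBSpns) {
    setspn -S $spn "$Domain\$SqlBSvcAcct"
}
setspn -L "$Domain\$SqlBSvcAcct"     # list what is now registered on the account

# 3. Allow SQL Server A's service account to delegate the caller's identity, but
#    only to SQL Server B's SPNs (constrained delegation). This writes the
#    msDS-AllowedToDelegateTo attribute and deliberately does not mark the account
#    "trusted for delegation to any service" (unconstrained delegation), which
#    would let that one account impersonate its callers to every service in the
#    domain.
Set-ADUser -Identity $SqlASvcAcct -Add @{ 'msDS-AllowedToDelegateTo' = $SqlBSpns }

# Confirm the delegation list on the first-hop account.
Get-ADUser -Identity $SqlASvcAcct -Properties msDS-AllowedToDelegateTo |
    Select-Object -ExpandProperty 'msDS-AllowedToDelegateTo'

# 4. Verify from a client after the SQL Server services have been restarted.
#    Tickets are cached, so purge the current user's tickets first. auth_scheme
#    should read KERBEROS; NTLM on the first hop means delegation cannot happen.
klist purge
sqlcmd -S 'sqla.contoso.com' -E -Q 'SELECT session_id, auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;'
```

The verification query in the last step is the quickest way to tell whether an SPN or delegation change has taken effect: run it through the linked server as well (a four-part query from SQL Server A to SQL Server B) and the connection on B should also report KERBEROS and the original user's login name rather than an anonymous logon.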
Well, hopefully this post helps you to understand not only what the Kerberos double hop problem is, but also how to implement the solution.