The Kerberos Double Hop Problem

I have heard some IT professionals call it “the impossible IT problem” or even a “showstopper”. Others are utterly amazed when it is solved because they view it as an overly complex problem. But what are we talking about?

… the infamous Kerberos double hop scenario … where you receive …

… Login failed for user ‘NT AUTHORITY\ANONYMOUS LOGON’ …

However, once you understand the problem, the solution is not really that difficult. In this post, I am not going to document step-by-step what you need to do. I feel that there are numerous blog posts and whitepapers, easily found on the internet, that document this issue well. Rather, I am going to give a high-level overview of the issue and direct your attention to a few posts that will help you not only to understand the problem but also to implement a solution.

What is Kerberos?

What really is the double hop issue?

  • Kerberos Double Hop is a term used to describe the method of maintaining the client’s Kerberos authentication credentials over two or more connections.  In this fashion, we can retain the user’s credentials and act on behalf of the user in further connections to other servers.
  • This issue may arise for a DBA when an application or user wants to use Windows authentication to access a SQL Server where they have rights, in the following scenarios:

How do we implement the solution for the Kerberos double hop issue?

Well, hopefully this post helps you to understand not only what the Kerberos double hop problem is, but also how to implement the solution.
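A quick diagnostic for the situation described above, added here as an example and not taken from the original post or the posts it links to: run it on the SQL Server that the client connects to directly (the first hop) to see whether each Windows-authenticated session negotiated Kerberos or NTLM. It uses only the `sys.dm_exec_sessions` and `sys.dm_exec_connections` views and assumes the caller has `VIEW SERVER STATE` permission; the `double_hop_note` column is a label made up for this example.

```sql
-- Added example: list current user sessions on the first-hop server and the
-- authentication scheme each connection negotiated. A session that shows NTLM
-- over the network cannot have its Windows identity carried to a second server,
-- which is where 'NT AUTHORITY\ANONYMOUS LOGON' failures show up.
SELECT
    s.session_id,
    s.login_name,
    s.host_name,          -- client machine name as reported by the client
    s.program_name,
    c.net_transport,      -- 'TCP', 'Named pipe' or 'Shared memory'
    c.auth_scheme,        -- 'KERBEROS', 'NTLM' or 'SQL'
    CASE
        WHEN c.auth_scheme = 'KERBEROS'
            THEN 'Kerberos on this hop; onward delegation depends on delegation settings'
        WHEN c.auth_scheme = 'NTLM' AND c.net_transport = 'Shared memory'
            THEN 'Local connection; NTLM is expected here'
        WHEN c.auth_scheme = 'NTLM'
            THEN 'NTLM on this hop; identity cannot be delegated to a second hop'
        ELSE 'SQL login; Windows delegation does not apply'
    END AS double_hop_note  -- hypothetical column name for this example
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
    ON c.session_id = s.session_id
WHERE s.is_user_process = 1
  AND c.parent_connection_id IS NULL   -- skip logical MARS child connections
ORDER BY c.auth_scheme, s.login_name;
```

To check only your own connection, replace the `WHERE` clause with `WHERE s.session_id = @@SPID`.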


One Response to The Kerberos Double Hop Problem

  1. Richard Anderssen says:

    Nice overview and good links! Thanks
