Kerberos Authentication
Nov 10, 2007
Hi,
We are using SQL Server 2005 SP2. I successfully registered the SPN, TCP is enabled, and the protocol order is:
Shared Memory 1
TCP 2
Named Pipes 3
When I run
select auth_scheme from sys.dm_exec_connections where session_id=@@spid
I still get NTLM. I disabled all protocols in the local client except TCP, to no avail.
Interestingly, when I use a SQL Server 2000 client where TCP is enabled and first in order in Client Network, it works OK and I get KERBEROS.
Please help to resolve.
Thanks
--
Farhan
Oct 4, 2007
I have a strange problem.
On almost all clients I can connect to my database server using sqlcmd -S <server> and the connection is authenticated using Kerberos.
On one of my clients the command fails. When I have Named Pipes enabled the connection works fine but is made with NTLM authentication.
All servers and clients are members of the same domain and they are all on the same LAN segment. No firewalls are active anywhere.
Where do I look for a solution?
Mar 15, 2007
I have a cluster running Win2k and SQL Server 2k; the app on the server uses Kerberos authentication. All works fine until we need to flip the cluster over - then the registration of the SPN fails. This means we need to keep registering the SPN manually - a bit of a pain, and sometimes people forget to register it, causing us lots of grief.
Does anyone know of a way we can get the SPN to register automatically?
Mar 12, 2008
Hi,
For the last 2 days, I've been struggling to integrate WSS 3.0 with SP1 with SQL Server 2005 Reporting Services with SP2 with Kerberos authentication.
And finally I'm stuck.
At the moment I've got 2 issues: one is with "Set defaults" on the Central Administration site, the second is when I'm trying to browse the reporting server for a report - using the Report Viewer web part configuration (when selecting "Report").
Before I go further with the error messages, here is my configuration:
WSS 3.0 with SP1 and Reporting Services Add-in:
Computer: SharePoint02 | SharePoint02.led.local
Portal url: http://sharepoint02 | http://sharepoint02.led.local
Admin url: http://sharepointadmin02 | http://sharepointadmin02.led.local
Portal App Pool: LED\SPContentPool
Admin App Pool: LED\SPConfigAcct
SQL Server 2005 with SP2, Reporting Services with SP2, WSS 3.0 with SP1 Front End:
Computer: SharePointDB | SharePointDB.led.local
Front End Portal url: http://sharepointdb | http://sharepointdb.led.local
URL to reporting services: http://sharepointdb/SPSReportServer | http://sharepointdb.led.local/SPSReportServer
Front End App Pool: LED\SPContentPool
Reporting Services App Pool: LED\SPConfigAcct
Report Server Service Account: LED\SPConfigAcct
SQL Server Account: LED\SPConfigAcct
I know I should have separate accounts.
Service Principals (SPContentPool):
Registered ServicePrincipalNames for CN=SPContentPool,CN=Users,DC=LED,DC=LOCAL:
HTTP/sharepoint02
HTTP/sharepoint02.led.local
Service Principals (SPConfigAcct):
Registered ServicePrincipalNames for CN=SPConfigAcct,CN=Users,DC=LED,DC=LOCAL:
HTTP/sharepointdb
HTTP/sharepointdb.led.local
MSSQLSrv/sharepointdb.led.local:1433
HTTP/sharepointadmin02.led.local
HTTP/sharepointadmin02
Reporting add-in is activated, I'm able to specify the report server (http://sharepointdb.led.local/SPSReportServer) and to grant permission.
1) FIRST ISSUE
However, when I'm trying to set the defaults for Reporting Services from Central Administration I'm getting the following error:
The target location you specified is not supported by the report server. A report definition (.rdl), report model (.smdl), resource, or shared data source (.rsds) file must be located within a library or a folder within it. ---> The target location you specified is not supported by the report server. A report definition (.rdl), report model (.smdl), resource, or shared data source (.rsds) file must be located within a library or a folder within it.
Reporting Server error message is:
w3wp!library!1!03/12/2008-12:15:23:: e ERROR: Throwing Microsoft.ReportingServices.Diagnostics.Utilities.ContainerTypeNotSupportedException: The target location you specified is not supported by the report server. A report definition (.rdl), report model (.smdl), resource, or shared data source (.rsds) file must be located within a library or a folder within it., ;
Info: Microsoft.ReportingServices.Diagnostics.Utilities.ContainerTypeNotSupportedException: The target location you specified is not supported by the report server. A report definition (.rdl), report model (.smdl), resource, or shared data source (.rsds) file must be located within a library or a folder within it.
w3wp!library!1!03/12/2008-12:15:39:: Call to GetDataSourceContentsAction(http://sharepoint02.led.local/lrs/Reports/SHAREPOINTDB.rsds).
w3wp!library!5!03/12/2008-12:15:49:: Call to GetDataSourceContentsAction(http://sharepoint02.led.local/lrs/Reports/SHAREPOINTDB.rsds).
w3wp!library!1!03/12/2008-12:15:52:: Call to GetDataSourceContentsAction(http://sharepoint02.led.local/lrs/Reports/SHAREPOINTDB.rsds).
w3wp!library!1!03/12/2008-12:15:55:: Call to GetDataSourceContentsAction(http://sharepoint02.led.local/lrs/Reports/SHAREPOINTDB.rsds).
w3wp!library!1!03/12/2008-12:16:07:: Call to GetDataSourceContentsAction(http://sharepoint02.led.local/lrs/Reports/SHAREPOINTDB.rsds).
w3wp!library!1!03/12/2008-12:16:59:: Call to GetDataSourceContentsAction(http://sharepoint02.led.local/lrs/Reports/SHAREPOINTDB.rsds).
w3wp!library!1!03/12/2008-12:17:11:: Call to GetPermissionsAction(http://sharepoint02.led.local/lrs/Reports/TestSharepoint.rdl).
This error message then repeats a few times, usually always after:
w3wp!library!5!03/12/2008-11:18:16:: Call to GetSystemPropertiesAction().
2) SECOND ISSUE
When I'm trying to add the Report Viewer (I'm logged in as Portal administrator) and then select the report from the web part settings, I'm getting:
Server was unable to process request. ---> The request failed with HTTP status 401: Unauthorized.
When I'm looking at the Event log in SharePointDB I see Anonymous login:
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 12/03/2008
Time: 12:13:07
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: SHAREPOINTDB
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x12C0209E)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SHAREPOINT02
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.192.65.67
Source Port: 1705
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Is there any chance to solve these issues? What did I do wrong?
I would really appreciate any help!
Cheers,
Jakub G
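A triage filter for the Security event quoted in the post above, as an added example that is not part of the original post: it parses "Key: Value" event text and returns network logons that arrived as ANONYMOUS LOGON over NTLM from a named front-end host. The function names, the `front_ends` set and the sample events (including the account `LED\portaladmin`) are constructed for illustration.

```python
import re

# Constructed sample: two events in the "Key: Value" layout of the post above.
SAMPLE_EVENTS = """\
Event ID: 540
User: NT AUTHORITY\\ANONYMOUS LOGON
Logon Type: 3
Authentication Package: NTLM
Workstation Name: SHAREPOINT02
Source Network Address: 10.192.65.67

Event ID: 540
User: LED\\portaladmin
Logon Type: 3
Authentication Package: Kerberos
Workstation Name:
Source Network Address: 10.192.65.67
"""

FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")


def parse_events(text):
    """Split on blank lines; turn each 'Key: Value' block into a dict."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                ev[m.group(1)] = m.group(2)
        if ev:
            events.append(ev)
    return events


def anonymous_ntlm_logons(events, front_ends):
    """Type 3 logons that arrived as ANONYMOUS LOGON over NTLM from a host
    in front_ends (hypothetical set of upper-case front-end host names)."""
    hits = []
    for ev in events:
        if (ev.get("Event ID") == "540" and ev.get("Logon Type") == "3"
                and ev.get("Authentication Package", "").upper() == "NTLM"
                and ev.get("User", "").upper().endswith("ANONYMOUS LOGON")
                and ev.get("Workstation Name", "").upper() in front_ends):
            hits.append((ev["Workstation Name"],
                         ev.get("Source Network Address", "")))
    return hits
```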
Aug 10, 2007
Hello,
I have configured Kerberos delegation for several web services. One of the web services calls SSIS packages, but the packages don't run with the expected impersonated user: the package starts with the impersonated user, but continues with the ASPNET user (which is not allowed to execute SSIS and connect to the DB).
If the web service is called directly (no delegation), SSIS packages run with the correct user. It looks like there is an authentication issue, but Kerberos is configured and web services can run from one to another with the impersonated user. The issue occurs only when I call SSIS packages.
Here is an extract of the SSIS log file:
<dtslog>
<record>
<event>PackageStart</event>
<message>Beginning of package execution.
</message>
<computer>WKS-GE-BRAZILIA</computer>
<operator>WKS-GE-BRAZILIA\Pascal.Brun</operator>
<source>ImportMonthlyCSV</source>
<sourceid>{D053CB99-FDE4-492D-83BC-821E1B34704B}</sourceid>
<executionid>{EA9C1929-4131-4FDD-A6FC-560E01A65536}</executionid>
<starttime>09.08.2007 17:31:02</starttime>
<endtime>09.08.2007 17:31:02</endtime>
<datacode>0</datacode>
<databytes>0x</databytes>
</record>
<record>
<event>OnError</event>
<message>SSIS Error Code DTS_E_CANNOTACQUIRECONNECTIONFROMCONNECTIONMANAGER. The AcquireConnection method call to the connection manager "Data Warehouse" failed with error code 0xC0202009. There may be error messages posted before this with more information on why the AcquireConnection method call failed.
</message>
<computer>WKS-GE-BRAZILIA</computer>
<operator>WKS-GE-BRAZILIA\ASPNET</operator>
<source>Import CSV</source>
<sourceid>{284D3166-F372-4B03-86C1-75A4D8DC9A5C}</sourceid>
<executionid>{EA9C1929-4131-4FDD-A6FC-560E01A65536}</executionid>
<starttime>09.08.2007 17:31:02</starttime>
<endtime>09.08.2007 17:31:02</endtime>
<datacode>-1071611876</datacode>
<databytes>0x</databytes>
</record>
...
Any help is required.
Thanks in advance.
Jul 30, 2015
I use DNS alias to access my database server:
server name is -> SRV100
DNS Alias is -> SQLPROD
I've noticed that, using Windows authentication, if I connect to the server using its server name, the DB Engine uses the Kerberos authentication scheme (as it is supposed to do), but if I use Kerberos authentication, I see that the DB Engine uses the NTLM authentication scheme:
select client_net_address,auth_scheme from sys.dm_exec_connections
I need to use the DNS alias to connect to my server and I want to use the Kerberos auth scheme.
May 21, 2008
Like many others, I am having trouble getting this to work, and none of the solutions I have found on the inter-tubes seem to work for me:
"An unexpected error occurred while connecting to the report server. Verify that the report server is available and configured for SharePoint integrated mode. --> The request failed with HTTP status 401: Unauthorized."
The Setup:
MOSS/SSRS (Integration Mode) running on a server farm on a single server: myserver.mydomain.org
Service Account for all Services: mydomain\myaccount (trusted for delegation, member of IIS_WPG)
myserver trusted for delegation
SSAS running under Local System on ssas.mydomain.org.
SETSPN -L mydomain\myaccount results:
HTTP/myserver.mydomain.org
HTTP/myserver
MOSS Authentication Settings
Authentication Type = Windows
Default Authentication Provider = Negotiate (Kerberos)
Anonymous access not enabled
IIS Settings
SSRS on Default Web Site: Port 8080
Application Pool Identity mydomain\myaccount
NTAuthenticationProviders="Negotiate,NTLM"
Security: Windows Authentication
MOSS on Sharepoint-80 Site: Port 80
Application Pool Identity mydomain\myaccount
NTAuthenticationProviders="Negotiate,NTLM"
Security: Basic Authentication except _vti_bin/ReportServer is Windows Authentication
The idea is to use kerberos to pass credentials from SSRS reports running on myserver.mydomain.org to SSAS on ssas.mydomain.org.
Oct 17, 2007
Hi all,
I have an issue with an SQL cluster.
I have two MS Windows 2003 Server Ent Ed. SP2 in cluster. They have MS SQL Server 2005 in cluster.
I have created an endpoint and when I try to access it I get the attached error on the client machine. This problem only occurs in the cluster configuration, because the same installation in an SQL (no cluster) works fine.
EventID: 4 Source: Kerberos
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/fra-lille-hel03.ea.holcim.net. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (EA.HOLCIM.NET), and the client realm. Please contact your system administrator.
Does anybody know how to solve it?
Thanks in advance.
Jul 6, 2015
I ran into a Kerberos authentication issue because of a missing AOAG SPN. Some of the tickets that granted me access to the nodes of the AOAG cluster were using the encryption type that I would expect. However, the MSSQLSvc SPNs were not using what I would expect!
klist
#XX> Client Somebody@somedomain.com
Server: RPCSS/MySQLServer@somedomain.com
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
#XX> Client Somebody@somedomain.com
Server: MSSQLSvc/MySQLServer@somedomain.com
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
#XX> Client Somebody@somedomain.com
Server: MSSQLSvc/MyAOAGListener@somedomain.com
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
I can't seem to figure out what the next step should be, and the infrastructure admins are stumped as well. How to proceed?
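A parser for the klist listing quoted in the post above, as an added example that is not part of the original post: it reads cached tickets and returns the SPNs of one service class whose ticket encryption type is not AES, which is the comparison the poster made by eye. The function names and the sample listing are constructed; the parser accepts both the layout in the post and the `Server: spn @ REALM` layout with spaces.

```python
import re

# Constructed sample in the layout of the klist output quoted above.
SAMPLE_KLIST = """\
#0> Client: somebody @ SOMEDOMAIN.COM
    Server: RPCSS/MySQLServer @ SOMEDOMAIN.COM
    KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
#1> Client: somebody @ SOMEDOMAIN.COM
    Server: MSSQLSvc/MySQLServer:1433 @ SOMEDOMAIN.COM
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
#2> Client: somebody @ SOMEDOMAIN.COM
    Server: MSSQLSvc/MyAOAGListener @ SOMEDOMAIN.COM
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
"""

TICKET_START = re.compile(r"^\s*#\w+>")
SERVER = re.compile(r"^\s*Server:?\s*(\S+?)\s*@\s*(\S+)")
ETYPE = re.compile(r"^\s*KerbTicket Encryption Type:\s*(.+?)\s*$")


def parse_klist(text):
    """Return one dict per cached ticket with keys spn, realm, etype."""
    tickets, cur = [], None
    for line in text.splitlines():
        if TICKET_START.match(line):      # "#n>" opens a new ticket entry
            cur = {}
            tickets.append(cur)
        if cur is None:
            continue
        m = SERVER.match(line)
        if m:
            cur["spn"], cur["realm"] = m.group(1), m.group(2)
        m = ETYPE.match(line)
        if m:
            cur["etype"] = m.group(1)
    return [t for t in tickets if "spn" in t and "etype" in t]


def non_aes_tickets(tickets, service_class="MSSQLSvc"):
    """(spn, etype) for tickets of service_class not encrypted with AES."""
    found = []
    for t in tickets:
        cls = t["spn"].split("/", 1)[0]
        if (cls.lower() == service_class.lower()
                and not t["etype"].upper().startswith("AES")):
            found.append((t["spn"], t["etype"]))
    return found
```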
Sep 29, 2015
We have a large number of SSISDB packages running happily, connecting to our SQL Servers using ADO.Net or Sql Native Client, making their connection using NTLM. (We don't have our SQL Server SPNs correctly configured to support Kerberos).
The SSISDB packages are hosted on and run on a dedicated SQL server, different to the SQL Servers they are connecting to.
Very occasionally, the connection attempt is made using Kerberos instead of NTLM, and the connection attempt to sql server fails. (This is going by the Windows Security event log, which reveals a Kerberos login - a successful one at the Windows level - at the precise time that the calling agent job is informed of a connection timeout and fails, approx 23 seconds after the job starts).
The correct configuration of our SPNs is something we may wish to look into for security best practice, and would of course fix this. However, that may not be my decision to make.