Linked Servers & Windows 10 Credential Guard

  • Question

  • Hello,
    Does anybody know how to configure Linked Servers to work with Windows 10 Credential Guard?
    I get Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON' after enabling Credential Guard on our clients.
    I can no longer connect to the linked server from my Windows 10 client.
    However, the connection works from Windows Server or if I disable Credential Guard.

    Linked Server is configured as:
    @srvproduct=N'SQL Server'
    @useself=N'True',@locallogin=NULL,@rmtuser=NULL,@rmtpassword=NULL

    Regards,
    /Fari


    • Edited by Fari_Sah Friday, June 2, 2017 11:41 AM
    Friday, June 2, 2017 11:34 AM

All replies

  • This question looks familiar...did you ask previously, or on a different site?

    Credential guard is blocking it...the only workaround I know of is to set up a Privileged Access Workstation



    22 years of database experience, most with SQL Server. Please 'Mark as answered' those posts that helped you.

    Friday, June 2, 2017 12:21 PM
  • Hi Fari,

    We are currently looking into this issue and will give you an update as soon as possible.

    Thank you for your understanding and support.

    Regards,
    Lin

    MSDN Community Support

    Monday, June 5, 2017 7:53 AM
    Moderator
  • Hi,

    Yes Kevin, I did ask this question on sqlservercentral.

    PAW is a workaround. We have a workaround as well, connection via a server. We could as well use SQL login connection. We don't like either solution.

    However, PAW could be a security path we may take later on.


    • Edited by Fari_Sah Wednesday, June 7, 2017 5:05 AM
    Wednesday, June 7, 2017 5:02 AM
  • Hi and thanks Lin :)
    Wednesday, June 7, 2017 5:02 AM
  • Hi Fari_sah,

    Credential Guard requires a different authentication method for your double-hop authentication.

    You could try to enable KCD (Kerberos constrained delegation), as Credential Guard only works with KCD.

    Refer to:

    Applications will break if they require:

    Kerberos DES encryption support
    Kerberos unconstrained delegation
    Extracting the Kerberos TGT
    NTLMv1

    https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-requirements

    Thursday, August 10, 2017 5:57 AM
  • Thanks for the reply :) I will get back to you after checking this up.

     

    Thursday, August 31, 2017 11:24 AM
  • Sorry, 

    What do you mean by "You could try to enable KCD (Kerberos constrained delegation) as credential guard only works with KCD"?

    Do we need to enable Credential Guard on the SQL Server server for it to work?

    Regards,

    /Fari

     

    Friday, September 1, 2017 8:24 AM
  • Hi!

    This is our current setting for the SQL Server service account (could not upload an image before verification!)

    Is this property Kerberos unconstrained delegation or Kerberos constrained delegation?

    • Trust this user for delegation to any service (Kerberos only)

    Regards,

    /Fari

    Friday, September 1, 2017 12:46 PM
  • We're in the same boat after enabling Credential Guard. Are there any solutions to this other than setting up a PAW?
    Wednesday, September 13, 2017 2:36 PM
  • Hi,

    We got it to work at last. Changed delegation property for SQL Server service in AD.

    • Trust this user for delegation to specified services only.
    • Use Kerberos only
    • Added the target SQL Server service for the SQL Server we are linking to.
    • Chose service type (MSSQLSvc)

    It starts working after a while (we waited 10-15 minutes).

    It works in 9 of 12 instances! It works in 3 of 4 clusters. Cannot figure out why it doesn't work in that cluster however!

    But it only works if we connect directly to the server (server 1, server 2, server 3). It doesn't work if we use the listener name or the DNS name (we use availability groups).

    It stops working if we connect to databases using the listener and DNS name.

    If a replica is primary at server1 and we use the listener or dns name connecting to it, linked server stops working at server1. It starts working (after a while) if we disconnect from the database using listener/dns.

    We haven’t figured out the solution for this problem yet.

    Regards,

    /Fari

    Wednesday, September 13, 2017 3:20 PM
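
An added example, not part of the thread or any poster's code: a PowerShell check that reports which delegation mode a SQL Server service account is in (the "any service" setting asked about above is unconstrained delegation, the "specified services only" setting from the last post is constrained) and whether the target MSSQLSvc SPNs are on its delegation list. The account name and SPN are placeholders, and the service is assumed to run as a domain user account.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and read access to AD.
# Assumption: the SQL Server service runs as a domain user account.
Import-Module ActiveDirectory

# Placeholders (constructed): replace with your service account and target SPNs.
$ServiceAccount = 'svc-sql-placeholder'
$ExpectedSpns   = @('MSSQLSvc/sql02.example.test:1433')

function Get-DelegationMode {
    param(
        [bool]$TrustedForDelegation,        # "Trust this user for delegation to any service (Kerberos only)"
        [bool]$TrustedToAuthForDelegation,  # "Use any authentication protocol"
        [string[]]$AllowedToDelegateTo      # msDS-AllowedToDelegateTo: the "specified services" list
    )
    # The unconstrained flag wins: with it set, the account can delegate anywhere.
    if ($TrustedForDelegation) { return 'Unconstrained' }
    if ($AllowedToDelegateTo.Count -gt 0) {
        if ($TrustedToAuthForDelegation) { return 'Constrained (any authentication protocol)' }
        return 'Constrained (Kerberos only)'
    }
    return 'None'
}

$acct = Get-ADUser -Identity $ServiceAccount -Properties `
    TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
$allowed = @($acct.'msDS-AllowedToDelegateTo')

# One summary object: current mode, the SPNs delegation is allowed to,
# and any expected target SPN that is not yet on the list.
[pscustomobject]@{
    Account     = $acct.SamAccountName
    Mode        = Get-DelegationMode -TrustedForDelegation $acct.TrustedForDelegation `
                      -TrustedToAuthForDelegation $acct.TrustedToAuthForDelegation `
                      -AllowedToDelegateTo $allowed
    AllowedSpns = $allowed
    MissingSpns = @($ExpectedSpns | Where-Object { $allowed -notcontains $_ })
}
```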