SQL Login failures after implementing Kerberos authentication

  • Question

  • Hello All,

    We have been working to implement Kerberos authentication between our BizTalk 2006 R2 servers and our clustered SQL 2005 servers.  Everything running on W2K3 server.

    In each environment (DEV, QA....), whenever we flip the switch and move to Kerberos, we also have Login failures when running the 1 or 2 out-of-the-box backup jobs to back up the various BizTalk databases.  We have the BizTalk databases on the A-node of the cluster.  BAM databases are on the B-nodes.

    SQL runs under its own domain service account.

    Currently, when the "TrackedMessages_Copy_BizTalkMsgBoxDb" backup job runs, we get the following errors:

    Event Type: Warning
    Event Source: SQLAgent$INST1
    Event Category: (3)
    Event ID: 208
    Date:  8/7/2012
    Time:  3:23:01 PM
    User:  N/A
    Computer: ECCDBPRDSQL561A
    Description:
    The description for Event ID ( 208 ) in Source ( SQLAgent$INST1 ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: TrackedMessages_Copy_BizTalkMsgBoxDb, 0xC4B354C5ADB32D4DA3C497656142322F, Failed, 2012-08-07 15:23:00, The job failed.  The Job was invoked by Schedule 11 (Schedule).  The last step to run was step 1 (Purge)..

    Event Type: Failure Audit
    Event Source: MSSQL$INST2
    Event Category: (4)
    Event ID: 18456
    Date:  8/7/2012
    Time:  3:22:00 PM
    User:  NT AUTHORITY\ANONYMOUS LOGON
    Computer: ECCDBPRD561B
    Description:
    The description for Event ID ( 18456 ) in Source ( MSSQL$INST2 ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: NT AUTHORITY\ANONYMOUS LOGON,  [CLIENT: 19.106.Y.Z].

    SQL logs show the 18456 errors, with the state usually being 11, which means a valid login account, but no access to an unidentified SQL resource.


    We have not been able to determine the root cause of the errors.  As we worked up through our environments, we've deleted and recreated the accounts in SQL, restarted all services, set/reset the various roles and permissions in SQL, etc.  Still, we have not been able to come across a definitive resolution in all cases.  How can we identify what resource the account does not have access to?  Why is it reporting failed access for NT Authority\Anonymous Login?

    Has anyone identified a cause for these errors?

    Thanks in advance,

    DetRich


    DetRich

    Tuesday, August 7, 2012 7:30 PM