Testing Kerberos double-hop RRS feed

  • Question

  • Hi,
    I'm trying to simulte a kerberos double-hop between 2 servers using TSQL. Our application relies heavily on it working properly, so I want to explicitly check the double-hop works.

    My set-up:
    I have 2 servers; server1 and server2
    On server1, there's a linked server called 'CAD' pointing to server2
    On server2, there's a linked server called 'REP' pointing to server1

    In code, to check whether kerberos double-hop works between these two servers, I run the following from server1

    EXEC('SELECT TOP 1 * FROM REP.mytestdb.sys.databases') AT [CAD]

    Basically, at the remote server, I'm querying back across a linked server to myself.

    However, this always seems to generate a 'Login failed for user 'NT Authority\Anonymous Logon' message. However, if I log on to a 3rd server, i.e. server3, connect to server1 and run:

    SELECT TOP 1 * FROM CAD.mytestdb.sys.databases

    I get results back. However, in my solution, I can only use server1 and server2 to perform the check.

    Is there a better way to simulate/check a double hop.

    Thanks, Andrew


    Andrew Bainbridge
    SQL Server DBA

    Please click "Propose As Answer" if a post solves your problem, or "Vote As Helpful" if a post has been useful to you

    Monday, April 2, 2012 1:08 PM

All replies

  • Hi Andrew,

    According to your description, it is a single hop scenario when the client application hosts on one of two servers, but it can also use Kerberos authentication. For double hop scenario, it is required to separate the client from two servers which related with linked server. Please pay attention to this blog elaborated on this topic, you can follow steps to implement and test double hop setting: SQL Linked Server Query failed with “Login failed for user …”.

    TechNet Subscriber Support
    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    Stephanie Lv

    TechNet Community Support

    Tuesday, April 3, 2012 1:49 AM
  • Hi Stephanie,

    Thanks for the link.  The author's tested a conventional single hop/double hop set-up, with 3 machines available for testing.  I understand the blog, but I have only 2 servers available to me, so I'm trying to spoof server1 as the client.  For example, from Server1, connect to server2 and query across a linked-server (REP) back to server1.  In the query I posted above, I was expecting that (breaking the query down):

    EXEC () AT CAD --Server1 to Server2 : 1 hop

    'SELECT TOP 1 * FROM REP.mytestdb.sys.databases'  --Server2 to Server1 : 2nd hop

    I agree, normally you'd use server3 to server2 to server1 (or something), but I only have the 2 servers to simulate this with.

    Strangely enough, I put this same concept into another one of our environments and it appeared to work.  I'm wondering now if the dev environment's got something wrong with it.

    I think there's 2 hops in my scenario - but are you saying that because I'm simulating it on 2 servers, kerberos/delegation works differently?

    Thanks for your time looking at this.


    Andrew Bainbridge
    SQL Server DBA

    Please click "Propose As Answer" if a post solves your problem, or "Vote As Helpful" if a post has been useful to you

    Tuesday, April 3, 2012 9:59 AM