Question of database server: for one, user can use impersonate with delegation of Kerberos, but the other server cannot. Thank you very much

  • Question

  • Hi,

    May I ask a question?

    I have an ASP.NET project and the deployed server is srv-deploy. This srv-deploy should access 2 different database servers, say srv-db1 and srv-db2.

    With the same ASP.NET project, for srv-db1 it works well and can use impersonation, but for srv-db2 the logged-in user is always 'NT AUTHORITY\ANONYMOUS LOGON'.

    Could you please help me? Thank you very much. (By the way, for "srv-deploy" I have given delegation of Kerberos.)

    Thank you very much in advance.

    martin

      

    Monday, December 2, 2013 10:00 AM

Answers

  • Hi Martinwang1985,

    The issue should be a Kerberos double-hop issue that may be caused by the lack of a Service Principal Name (SPN) or by duplicate SPNs for the SQL Server service on the srv-db2 server. When a client wants to connect to a service, it locates an instance of the service, composes an SPN for that instance, connects to the service, and presents the SPN for the service to authenticate.

    To address this issue, you need to manually register the SPN for the SQL Server service on the srv-db2 server. For more information, please see:
    http://technet.microsoft.com/en-us/library/ms191153.aspx

    For the possible duplicate SPNs issue, you can check for duplicate SPNs and delete the duplicate SPN. For more information, please see:
    http://blogs.msdn.com/b/psssql/archive/2009/02/13/searching-for-duplicate-spn-s-got-a-little-easier.aspx

    Regards,


    Mike Yin
    TechNet Community Support

    • Marked as answer by Mike Yin Thursday, December 12, 2013 2:20 PM
    Wednesday, December 4, 2013 7:32 AM
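
    The missing-or-duplicate SPN check described in the answer above, as an added example that is not part of the original post or the linked articles. The DNS suffix, port and service account name are placeholders; only srv-db2 comes from the thread.

```powershell
# Assumed values, not from the thread: DNS suffix, port and service account.
$SqlHost    = 'srv-db2'
$DnsSuffix  = 'corp.example.com'   # placeholder domain
$Port       = 1433                 # default instance port (assumption)
$SvcAccount = 'svc-sql-db2'        # placeholder sAMAccountName; use 'SRV-DB2$'
                                   # if SQL Server runs as a built-in account

# TCP form and port-less form of the SPN for a default instance.
$expected = @(
    "MSSQLSvc/${SqlHost}.${DnsSuffix}:${Port}",
    "MSSQLSvc/${SqlHost}.${DnsSuffix}"
)

foreach ($spn in $expected) {
    # Searches the current domain only; returns every account holding this SPN.
    $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    $owners = @($searcher.FindAll() |
        ForEach-Object { $_.Properties['samaccountname'][0] })

    switch ($owners.Count) {
        0 { "MISSING    $spn  -> setspn -S $spn $SvcAccount" }
        1 {
            if ($owners[0] -eq $SvcAccount) { "OK         $spn on $($owners[0])" }
            else { "WRONG ACCT $spn on $($owners[0]), expected $SvcAccount" }
        }
        default { "DUPLICATE  $spn on: $($owners -join ', ')  -> remove extras with setspn -D" }
    }
}
```

    The script only reports and prints the `setspn` command to run; it changes nothing in Active Directory. Once the SPN is in place, a new connection made through srv-deploy should show `KERBEROS` in `SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID`.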

All replies

  • The error in Event Viewer is "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Token-based server access validation failed with an infrastructure "
    Monday, December 2, 2013 10:03 AM
  • And I'd like to add another point:

    When on srv-deploy, on localhost, the program can access both srv-db1 and srv-db2, but on the other machine it can only access srv-db1.

    Monday, December 2, 2013 1:46 PM
  • Yes, it was a problem with the SPN.

    Thank you very much.

    Best regards

    Thursday, December 12, 2013 4:13 PM