Kerberos problems on SQL 2012 Cluster

    Question

  • Hi,

    I'm having problems configuring Kerberos for SQL Server 2012 on Windows Server 2008 R2.

    It's a two-node cluster with named instances configured to listen on a dedicated port.

    The service account is configured to use delegation and I have set up the following SPNs:

    MSSQLsvc/NETWORKNAME.FQDN:2375                  SERVICEACCOUNTNAME        

    MSSQLsvc/NETWORKNAME.FQDN:INSTANCENAME   SERVICEACCOUNTNAME 

    MSSQLSvc/NETWORKNAME:INSTANCENAME        SERVICEACCOUNTNAME 

    MSSQLSvc/NETWORKNAME:2375      SERVICEACCOUNTNAME 

    When I try and connect both locally the connection seems to default to NTLM.

    Any ideas why this may be occurring?


    Friday, April 13, 2012 11:28 AM

Answers

  • Creating an SPN with -s is supposed to avoid the problem. I see you refer to connecting 'locally' and getting NTLM. Running the following code:

    select auth_scheme 
    from sys.dm_exec_connections 
    where session_id = @@spid

    I have a SQL Server for which we have Kerberos configured:

    • Run SSMS on the server machine - the query connection returns NTLM
    • Run SSMS on my desktop computer - the query connection returns KERBEROS

    Is that what you were seeing?  If so then that is normal, but if both locations return NTLM then you have a problem.

    There is also this document written by Ming Lu to detail common Kerberos problems.
    http://blogs.msdn.com/b/sql_protocols/archive/2006/12/02/understanding-kerberos-and-ntlm-authentication-in-sql-server-connections.aspx

    It was written in 2006, so not fully up-to-date, but it covers many possibilities.

    RLF

    • Marked as answer by Stephanie Lv Tuesday, April 24, 2012 8:23 AM
    Friday, April 13, 2012 5:34 PM
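
An extension of the auth_scheme check in the answer above, added here as an example and not part of the original thread: it lists every user connection with its transport, client address and authentication scheme, so that sessions opened on the server itself can be told apart from remote ones. The 'local'/'remote' classification is an assumption of this example, based on the transport and address values SQL Server commonly reports.

```sql
-- Added example (not from the thread).
-- Seeing sessions other than your own requires VIEW SERVER STATE.
SELECT
    SERVERPROPERTY('ComputerNamePhysicalNetBIOS') AS active_node, -- cluster node currently hosting the instance
    s.session_id,
    s.login_name,
    s.host_name,           -- supplied by the client, informational only
    s.program_name,
    c.net_transport,       -- e.g. 'Shared memory', 'Named pipe', 'TCP'
    c.client_net_address,
    c.local_tcp_port,      -- NULL unless the transport is TCP
    c.auth_scheme,         -- 'KERBEROS', 'NTLM' or 'SQL'
    CASE
        -- Assumption: connections made on the server itself show up as
        -- shared memory, as '<local machine>', or with the client address
        -- equal to the address the instance is listening on.
        WHEN c.net_transport = 'Shared memory'
          OR c.client_net_address = '<local machine>'
          OR c.client_net_address = c.local_net_address
        THEN 'local'
        ELSE 'remote'
    END AS origin
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s
    ON s.session_id = c.session_id
WHERE s.is_user_process = 1
  AND c.parent_connection_id IS NULL   -- skip MARS child connections
ORDER BY origin, c.auth_scheme, s.login_name;
```

Rows with origin 'remote', transport 'TCP' and auth_scheme 'NTLM' are the ones that point to an SPN problem; 'local' rows showing NTLM match the behaviour the answer describes as normal.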

All replies