From My understanding of this issue it’s a “HOP” issue.
i.e. you are trying to use server A to relay your login details (with SSPI) to Server B.
In SQL Server 2005 they have added a whole load of security issues that make this harder than it should be. The words “Kerberos Authentication” will become the bain of most sys-admins/DBA’s lives. It effectively is used for pass-through authentication.
Here are the basics of what you need.
1) The servers (A and B) need to be set-up in Active Directory(AD) with delegation for Kerberos enabled. (this is set through your active directory admin panel)
2) The service account that your SQL Servers run under need to have delegation enabled also (this is also set through your active directory admin panel).
– if they are not running under a service account, you need to create one.
3) The Servers need to have SPN’s defined for the instance and the HOST and the machine name. (Using a tool called SetSPN in the windows support tools)
Support Tools (SetSPN is in this set)
(Overview of how to add an SPN)
4) You may need to set your DB to “trustworthy”
ALTER DATABASE SET trustworthy on
5) After you have all of this done restart your instances.
6) Then try create your linked server again.
Finally you can test your connection to SQL Server.
This should work fine if you have it all configured correctly.
SELECT * FROM OPENDATASOURCE('SQLNCLI', 'Data Source=ServerB;Integrated Security=SSPI;' ).MASTER.dbo.syscolumns
This will tell you your connection authentication type.
select auth_scheme from sys.dm_exec_connections where session_id=@@SPID
You want to get ‘KERBEROS’ here and not ‘NTLM’.
It’s a slippy slope, KERBEROS and Pass-through delegation, stick with it and you will eventually figure it out.
Other manifestations of the problem
I hope this all helps.
You can also use SQL Server Management Studio (SSMS) to manage create linked servers as well if you’re more comfortable with the GUI. To do so:
- Launch SSMS and connect to one of the instances of SQL Server you want to link
- Expand “Server Objects” in Object Explorer
- Right click “Linked Servers” and choose “New Linked Server”
- On the “New Linked Server” dialog, select “SQL Server” as the Server Type and enter the instance of SQL Server you’d like to link to.
- On the “Security” page, select how users will authenticate from the current server to the linked server. You mentioned both servers are set up to use Windows Logins. If this is the case, under the section labeled “For a login not defined in the list above, connections will:” I would probably choose the option labeled “Be made using the Login’s current security context”.
Note that this assumes that users who have logins on server A also have logins on server B.
I’m going nuts with the same problem! I remember doing this with 2000 was always easy. I have been all over google and I can’t get this to work. Exact same setup, both servers running on a domain account, Windows auth.
I’m trying to use named pipes instead of TCP and at least I get a different error:
EXEC sp_addlinkedserver @server="statler", @srvproduct="", @provider="SQLNCLI", @datasrc="https://serverfault.com/questions/88962/np:statler", @provstr="Integrated Security=SSPI" -- Then I try this: select net_transport, auth_scheme from statler.master.sys.dm_exec_connections where session_id=@@spid /* Getting closer, but still fails: OLE DB provider "SQLNCLI" for linked server "statler" returned message "Login timeout expired". OLE DB provider "SQLNCLI" for linked server "statler" returned message "An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections.". Msg 5, Level 16, State 1, Line 0 Named Pipes Provider: Could not open a connection to SQL Server . OLE DB provider "SQLNCLI" for linked server "statler" returned message "Invalid connection string attribute". */
This might have something to do with enabling names pipes, but I can connect via sqlcmd from server A to server B like this:
WALDORF:> Sqlcmd.exe /E /Snp:statler
If I don’t used named pipes, and just do:
New Linked Server Server Type: SqlServer Security: be made using the current login's security context
I get this:
Login failed for user NT AUTHORITYANONYMOUS LOGIN
[Edit] I started a discussion on Sql Server Central about this. Basically, you have to do some complicated configuration related to Kerberos delegation to get this to work.
I decided to just create a single, limited Sql Login account to handle the linked queries. I hate resorting to that, but it seems more secure than the changes you have to make to get it working with windows auth.