SQL Server to SQL Server linked server setup

Solutions:


From my understanding of this issue, it’s a “HOP” issue.

i.e. you are trying to use server A to relay your login details (with SSPI) to Server B.

In SQL Server 2005 they have added a whole load of security issues that make this harder than it should be. The words “Kerberos Authentication” will become the bane of most sys-admins’/DBAs’ lives. It effectively is used for pass-through authentication.

Here are the basics of what you need.
1) The servers (A and B) need to be set up in Active Directory (AD) with delegation for Kerberos enabled. (This is set through your Active Directory admin panel.)

2) The service account that your SQL Servers run under needs to have delegation enabled also (this is also set through your Active Directory admin panel).
– If they are not running under a service account, you need to create one.

3) The servers need to have SPNs defined for the instance, the HOST and the machine name. (Using a tool called SetSPN in the Windows Support Tools.)

Support Tools (SetSPN is in this set)
http://www.microsoft.com/downloads/details.aspx?FamilyID=96a35011-fd83-419d-939b-9a772ea2df90&DisplayLang=en

(Overview of how to add an SPN)
http://technet.microsoft.com/en-us/library/bb735885.aspx

4) You may need to set your DB to “trustworthy”

ALTER DATABASE <database_name> SET TRUSTWORTHY ON;

5) After you have all of this done, restart your instances.

6) Then try to create your linked server again.

Finally you can test your connection to SQL Server.
This should work fine if you have it all configured correctly.

SELECT *
FROM OPENDATASOURCE('SQLNCLI',
    'Data Source=ServerB;Integrated Security=SSPI;'
    ).MASTER.dbo.syscolumns

This will tell you your connection authentication type.

select auth_scheme from sys.dm_exec_connections where session_id=@@SPID

You want to get ‘KERBEROS’ here and not ‘NTLM’.

It’s a slippy slope, KERBEROS and Pass-through delegation, stick with it and you will eventually figure it out.

References
Kerberos
http://blogs.msdn.com/sql_protocols/archive/2005/10/12/479871.aspx

http://blogs.msdn.com/sql_protocols/archive/2006/12/02/understanding-kerberos-and-ntlm-authentication-in-sql-server-connections.aspx

http://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/the-biggest-mistake-serviceprincipalname-s.aspx

Other manifestations of the problem
http://www.sqlservercentral.com/Forums/Topic460425-359-1.aspx

http://msdn2.microsoft.com/en-us/library/aa905162(sql.80).aspx

http://msdn2.microsoft.com/en-us/library/ms189580.aspx

I hope this all helps.
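A check of both hops in one script, as an added example that is not part of the original answer. It assumes a linked server named ServerB already exists and that the login holds VIEW SERVER STATE on both instances; OPENQUERY is used so that @@SPID is evaluated on Server B rather than on Server A.

```sql
-- Added example; [ServerB] is an assumed linked server name.
-- Hop 1: client -> Server A. Run this from a remote client, not from a
-- session opened on Server A itself (a local connection reports NTLM and
-- is only a single hop to Server B anyway).
SELECT  'client -> A'  AS hop,
        c.net_transport,
        c.auth_scheme,
        SUSER_SNAME()  AS login_name,
        CASE c.auth_scheme
            WHEN 'KERBEROS' THEN 'can be delegated if AD delegation is enabled'
            WHEN 'NTLM'     THEN 'cannot be forwarded to Server B; check the SPNs for Server A'
            WHEN 'SQL'      THEN 'SQL login; Windows delegation does not apply'
            ELSE 'other scheme'
        END            AS note
FROM    sys.dm_exec_connections AS c
WHERE   c.session_id = @@SPID;

-- Hop 2: Server A -> Server B. The inner query text runs on Server B, so
-- @@SPID and SUSER_SNAME() describe the session that Server A opened there.
-- When delegation is not working, this statement fails with the
-- ANONYMOUS LOGIN error instead of returning a row.
SELECT  'A -> B' AS hop,
        r.net_transport,
        r.auth_scheme,
        r.login_name
FROM    OPENQUERY([ServerB],
        'SELECT c.net_transport,
                c.auth_scheme,
                SUSER_SNAME() AS login_name
         FROM   sys.dm_exec_connections AS c
         WHERE  c.session_id = @@SPID') AS r;
```

With delegation working, both rows show KERBEROS and the same Windows login name.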

You can also use SQL Server Management Studio (SSMS) to create and manage linked servers if you’re more comfortable with the GUI. To do so:

  1. Launch SSMS and connect to one of the instances of SQL Server you want to link
  2. Expand “Server Objects” in Object Explorer
  3. Right click “Linked Servers” and choose “New Linked Server”
  4. On the “New Linked Server” dialog, select “SQL Server” as the Server Type and enter the instance of SQL Server you’d like to link to.
  5. On the “Security” page, select how users will authenticate from the current server to the linked server. You mentioned both servers are set up to use Windows Logins. If this is the case, under the section labeled “For a login not defined in the list above, connections will:” I would probably choose the option labeled “Be made using the Login’s current security context”.

Note that this assumes that users who have logins on server A also have logins on server B.

I’m going nuts with the same problem! I remember doing this with 2000 was always easy. I have been all over Google and I can’t get this to work. Exact same setup, both servers running on a domain account, Windows auth.

I’m trying to use named pipes instead of TCP and at least I get a different error:

EXEC sp_addlinkedserver 
    @server="statler", 
    @srvproduct="", 
    @provider="SQLNCLI", 
    @datasrc="np:statler", 
    @provstr="Integrated Security=SSPI"

-- Then I try this:
select net_transport, auth_scheme 
from statler.master.sys.dm_exec_connections 
where session_id=@@spid

/*

Getting closer, but still fails:

OLE DB provider "SQLNCLI" for linked server "statler" returned message 
    "Login timeout expired".
OLE DB provider "SQLNCLI" for linked server "statler" returned message 
    "An error has occurred while establishing a connection to the server. 
    When connecting to SQL Server 2005, this failure may be caused by the 
    fact that under the default settings SQL Server does not allow 
    remote connections.".
Msg 5, Level 16, State 1, Line 0
Named Pipes Provider: Could not open a connection to SQL Server [5]. 
OLE DB provider "SQLNCLI" for linked server "statler" returned message 
    "Invalid connection string attribute".

*/

This might have something to do with enabling named pipes, but I can connect via sqlcmd from server A to server B like this:

WALDORF:>  Sqlcmd.exe /E /Snp:statler

If I don’t use named pipes, and just do:

New Linked Server
Server Type: SqlServer
Security: be made using the current login's security context

I get this:

Login failed for user NT AUTHORITY\ANONYMOUS LOGIN

[Edit] I started a discussion on Sql Server Central about this. Basically, you have to do some complicated configuration related to Kerberos delegation to get this to work.

http://www.sqlservercentral.com/Forums/Topic574262-146-1.aspx

I decided to just create a single, limited Sql Login account to handle the linked queries. I hate resorting to that, but it seems more secure than the changes you have to make to get it working with windows auth.
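The single limited SQL login approach described above, sketched as an added example that is not the poster's own script. The names linked_reader, ReportsDb, dbo.Orders and DOMAIN\report_user and the password placeholder are assumptions; Server B must allow SQL Server authentication.

```sql
-- Added example; all object and login names are hypothetical.
-- Run on Server B (the target): a login that can read one table only.
CREATE LOGIN linked_reader
    WITH PASSWORD = N'<strong-password-placeholder>', CHECK_POLICY = ON;
GO
USE ReportsDb;
CREATE USER linked_reader FOR LOGIN linked_reader;
GRANT SELECT ON OBJECT::dbo.Orders TO linked_reader;
GO

-- Run on Server A (the server that issues the linked queries).
EXEC sp_addlinkedserver
     @server     = N'ServerB',
     @srvproduct = N'SQL Server';

-- sp_addlinkedserver creates a default mapping that passes every local
-- login's own credentials; drop it so unmapped logins get no access.
EXEC sp_droplinkedsrvlogin
     @rmtsrvname = N'ServerB',
     @locallogin = NULL;

-- Map one local login to the limited remote login. The remote password is
-- stored on Server A, which is why the remote login's rights stay minimal.
EXEC sp_addlinkedsrvlogin
     @rmtsrvname  = N'ServerB',
     @useself     = 'FALSE',
     @locallogin  = N'DOMAIN\report_user',
     @rmtuser     = N'linked_reader',
     @rmtpassword = N'<strong-password-placeholder>';

-- Keep remote procedure calls through the link switched off.
EXEC sp_serveroption
     @server   = N'ServerB',
     @optname  = 'rpc out',
     @optvalue = 'false';
GO

-- Verify as DOMAIN\report_user: the remote side should report linked_reader.
SELECT r.remote_login
FROM   OPENQUERY([ServerB], 'SELECT SUSER_SNAME() AS remote_login') AS r;
```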
