The situation:
I have SERVER1, SERVER2, ACCESSDB on SERVER3.
I have successfully created a linked server connection from SERVER1 to SERVER3's ACCESSDB.
I want to be able to access the linked server on SERVER1 from SERVER2 (aka the double hop).
When I log into SERVER2 I get the good ol – "dont have permissions" issue when I test the connection. I checked SERVER3 logs and it says the incoming connection is ANONYMOUS. I need to be able to pass some (any) credentials to SERVER3 from SERVER2.
NO, I cannot use a SQL account. I have to use Windows Auth.
Yes, I need to use KERBEROS and set up SPNs. That's where my question comes in. How do I properly set up KERBEROS and delegation?
I want to be able to run
select auth_scheme from sys.dm_exec_connections where session_id=@@SPID
from SERVER2 and have it return 'KERBEROS' and not 'NTLM'.
What specific commands do I need to run to properly set up KERBEROS/SPNs? How do I create this "chain"?
FYI – Both instances are NAMED instances on SQL2008 R2 Standard (x64).
Best Answer
Security Account Delegation
And for SQL Server 2000 but still valid too
Basically