Sql-server – linked server be made using the login’s current security context

Whilst liasing with Microsoft on a different issue (paid support request) i happened to ask them about this & they confirmed the unhashed password is passed to the remote server but the mechanism in which the SQL Engine does this is "hidden and cannot be captured" - but suffice to say, the login is not done using the hash.

Here is there full response:

How does the SQL Server provide the correct password (when dealing with non-windows credentials) to the other server when all the server has is a Hash?

Answer: If connected to the local server using SQL Server Authentication, login name and password will be used to connect to the remote server. In this case a login with the exact same name and password must exist on the remote server.

Be made using the login's current security context:

Specify that a connection will be made using the current security context of the login for logins not defined in the list. If connected to the local server using Windows Authentication, your windows credentials will be used to connect to the remote server. If connected to the local server using SQL Server Authentication, login name and password will be used to connect to the remote server. In this case a login with the exact same name and password must exist on the remote server.

How does the SQL Server provide the correct password (when dealing with non-windows credentials) to the other server when all the server has is a Hash?

Answer: Login name and password is passed to the remote server, this mechanism/task is handled by the SQL Engine which is hidden and cannot be captured.

If SQL only has a hash available - can it logon to the remote server using the hash? Or is the original (un-hashed) password kept in the user’s session / memory for the entire duration of their connection which SQL can then retrieve and pass to the remote server for login? If the server can login with a hash instead of the password – can this be done in normal logins or is it purely an internal feature of linked servers?

Answer: HASH cannot be used to login to the SQL server, SQL Engine is responsible for handling login process and we don’t have much documentation around this.

Every machine in the chain from your desktop to the server you are calling has to be Kerberos enabled for the trust to advance past the first hop. So, yes the server needs to trust the user for delegation.

The "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" almost always indicates a delegation problem.

• Your Windows Account must have access to both ServerA and ServerB.
• You must not have the setting "Account is sensitive and cannot be delegated."
• Both ServerA and ServerB must have their own SPN registered.
• The servers must be TCP/IP or named pipes connected.

The SQL Server Books Online article that offers some more detail is "Configuring Linked Servers for Delegation": http://msdn.microsoft.com/en-us/library/ms189580(v=sql.105).aspx