We have 2 SQL Server 2008 R2 machines.
A user is running a query on Server A that joins a table in Server B. In the query he is using linked server to point Server B.
User has access to Server B Database in question. He is a db_owner there. but when he runs the query it fails.
Msg 18456, Level 14, State 1, Line 1
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
The linked server's security is set to "Be made using the login's current security context".
Since the user has db_owner access to Server B database, I would expect this query work from Server A. It doesn't.
How can give this user access to run this query on Server A.
Thanks for your help.
Best Answer
A number of comments asked if Kerberos was configured correctly, but I do not see a direct response to that issue. Based on the comments that you make I suspect Kerberos is not set up correctly.
Greatly simplified description:
If
UserAccount
is directly logged ontoServer A
then a linked server toServer B
is one hop away and theUserAccount
's authentication will be recognized onServer B
. This works with or without Kerberos delegation.Is
UserAccount
is directly logged onto his desktop and accessesServer A
thenServer A
is one hop away from the desktop and theUserAccount
's authentication will be recognized onServer A
. However, if from the desktop he runs a query againstServer A
that uses a linked server to accessServer B
that is two hops away from his desktop. Without Kerberos (or some similar service) theUserAccount
's delegation cannot make the second hop and, despite the rights granted onServer B
, will not authenticate onServer B
.This is all about how NTLM and Kerberos work. There is a blog from a few years ago that offers some details on Linked Servers and NTLM or Kerberos authentication:
http://blogs.msdn.com/b/sql_protocols/archive/2006/08/10/694657.aspx
One edited quote is: "In a single-hop setting, windows NTLM authentication, which is available if all machines are windows, is sufficient for delegation; while in a double-hop setting, Kerberos authentication is necessary for the user’s credential to cross machine boundaries from the client to the linked server."
Now, suppose that you do indeed have Kerberos configured properly and still are mystified by the behavior. In that case you might need to check into whether there is a duplicate SPN. If so that will need to be corrected.
The following blog discusses duplicate SPNs and other Kerberos issues: http://blogs.technet.com/b/askds/archive/2013/07/01/interesting-findings-on-setspn-x-f.aspx
Note: Some people just fall back to using Named Pipes instead of TCP/IP, but this is not a recommended solution any more.
Bottom line: Resolve the authentication delegation problem and everything should work.