Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Linked Server Security and AD domain

174 views
Skip to first unread message

Scott

unread,
Jul 7, 2003, 1:59:56 PM7/7/03
to
I cannot get the Linked Server NT Authentication to work
for an AD account. I am running SQL 7 on NT 4 servers. We
are beginning our migration to AD. If we use existing
domain accounts domain1/user1 and check impersonate, it
works fine. But when I use AD/user1 I get the
message 'Login failed for user /'. The AD/user1 account
can log onto all SQL servers individually using NT
Authentication just fine, but not through Linked Server.

Bill Cheng [MSFT]

unread,
Jul 8, 2003, 9:42:45 AM7/8/03
to
Hi Scott,

I am afraid that I am not very clear about the detailed problem on your
side. Could you post the exact steps to reproduce the problem?

What is the difference between "domain1/user1" and "AD/user1"? Is "AD" a
domain?


This posting is provided "AS IS" with no warranties, and confers no rights.

Regards,

Bill Cheng
Microsoft Support Engineer
--------------------
| Content-Class: urn:content-classes:message
| From: "Scott" <seg...@qwest.com>
| Sender: "Scott" <seg...@qwest.com>
| Subject: Linked Server Security and AD domain
| Date: Mon, 7 Jul 2003 10:59:56 -0700
| Lines: 8
| Message-ID: <037201c344b1$92dd6970$a101...@phx.gbl>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="iso-8859-1"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Thread-Index: AcNEsZLdSxS+gMuwTeK4w6lHlWpaOA==
| X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
| Newsgroups: microsoft.public.sqlserver.security
| Path: cpmsftngxa09.phx.gbl
| Xref: cpmsftngxa09.phx.gbl microsoft.public.sqlserver.security:2508
| NNTP-Posting-Host: TK2MSFTNGXA09 10.40.1.161
| X-Tomcat-NG: microsoft.public.sqlserver.security

Scott

unread,
Jul 8, 2003, 11:19:40 AM7/8/03
to
domain1 is our original NT domain. It is the domain that
the servers are members of as well. AD is the Active
Directory domain where the user has been migrated to.

I have added both domain1/user1 and AD/user2 as logins on
SQLServer1 and SQLServer2 using NT Authentication. They
can access both Enterprise Manager and Query Analyzer
directly just fine.

I have set up SQLServer2 as a linked server on SQLServer1.
On the properties/security tab I pulldown domain1/user1
and check impersonate and pulldown AD/user2 and check
impersonate. The result for domain1/user1 is a successful
connection and positive query results. The result for
AD/user2 is 'Logon failed for user /'.

>.
>

Jasper Smith

unread,
Jul 8, 2003, 6:01:14 PM7/8/03
to
Nt does not support 3 hop authentication that would be
required for client->Server1->Server2. You need Win2000
and kerberos (and valid SPN's for the servers) in order to
pass the client credentials through to Server2. You will need
to set up explicit login mappings

--
HTH

Jasper Smith (SQL Server MVP)

I support PASS - the definitive, global
community for SQL Server professionals -
http://www.sqlpass.org

"Scott" <seg...@qwest.com> wrote in message
news:037201c344b1$92dd6970$a101...@phx.gbl...

Bill Cheng [MSFT]

unread,
Jul 9, 2003, 12:31:40 PM7/9/03
to
Hi Scott,

I agree with Jasper. You could also check the following article:
238477 PRB: Message 18456 from a Distributed Query
http://support.microsoft.com/?id=238477


This posting is provided "AS IS" with no warranties, and confers no rights.

Regards,

Bill Cheng
Microsoft Support Engineer
--------------------
| Content-Class: urn:content-classes:message
| From: "Scott" <seg...@qwest.com>
| Sender: "Scott" <seg...@qwest.com>

| References: <037201c344b1$92dd6970$a101...@phx.gbl>
<#wKPRbVR...@cpmsftngxa09.phx.gbl>
| Subject: RE: Linked Server Security and AD domain
| Date: Tue, 8 Jul 2003 08:19:40 -0700
| Lines: 73
| Message-ID: <0eea01c34564$59f991c0$a501...@phx.gbl>


| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="iso-8859-1"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000

| X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300

| Thread-Index: AcNFZFn5h7jOglYrRoStxcM0cboskQ==
| Newsgroups: microsoft.public.sqlserver.security
| Path: cpmsftngxa09.phx.gbl
| Xref: cpmsftngxa09.phx.gbl microsoft.public.sqlserver.security:2528
| NNTP-Posting-Host: TK2MSFTNGXA13 10.40.1.165
| X-Tomcat-NG: microsoft.public.sqlserver.security

0 new messages