Click here to get back home

Can anyone get me out of SSPI / Kerberos / NTLM hell ???
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
Can anyone get me out of SSPI / Kerberos / NTLM hell ??? Al 12-07-2005
Posted by Al on December 7, 2005, 8:56 am
Please log in for more thread options
 This is to do with SQL Server 2005, but I think it is a more general issue.

We have two SQL Servers, but starting with bog-standard Domain accounts and
both running in Windows Authentication mode. Either account it trust for
delegation, nor are the machines, as we do not need delegation and don't
which to turn it on.

When trying to attach to SQL Server #1, with Windows using TCP/IP, get a
connection and we can see that is it using NTLM for authentication.

When trying to attach to SQL Server #2, using TCP/IP, get an error, "Cannot
generate SSPI context". When trying to attach using Named Pipes, get a
connection and again we can see that it is using NTLM for authentication.

SQL Server #2 does have TCP/IP enabled. It does not have (as far as I can
tell) IP Security configured.

We are using Active Directory 2003, running in Native Mode.

What would allow SQL Server #1 to allow NTLM over TCP/IP, but not SQL Server
#2.

All ideas most welcome

Posted by Roger Abell [MVP] on December 7, 2005, 9:22 am
Please log in for more thread options
 Are the two machines in the same OU ?
There are policy settings that can impact whether NTLM, v1, v2,
are available, and also policies that control the digital communications
signing requirements. If the two are in different OU, or if there are
any GPOs that have their application security group filtered, or if
these policies are left to the local policies to set and they are there
set differently, any one of those could explain your situation.

Assuming that you have looked at the SQL network server and
client library settings and these are in agreement, and that as far as
you can tell the two SQL Server services are otherwise configured
in same/similar way, then it could well be different policy settings.
You could try using resultant set of policy to see the effective
settings on the two servers and compare, particularly the policy
settings in the innermost Security section of Computer policy that
impact NTLM level and signing, and impact network server and
network client behaviors.
> This is to do with SQL Server 2005, but I think it is a more general
> issue.
>
> We have two SQL Servers, but starting with bog-standard Domain accounts
> and
> both running in Windows Authentication mode. Either account it trust for
> delegation, nor are the machines, as we do not need delegation and don't
> which to turn it on.
>
> When trying to attach to SQL Server #1, with Windows using TCP/IP, get a
> connection and we can see that is it using NTLM for authentication.
>
> When trying to attach to SQL Server #2, using TCP/IP, get an error,
> "Cannot
> generate SSPI context". When trying to attach using Named Pipes, get a
> connection and again we can see that it is using NTLM for authentication.
>
> SQL Server #2 does have TCP/IP enabled. It does not have (as far as I can
> tell) IP Security configured.
>
> We are using Active Directory 2003, running in Native Mode.
>
> What would allow SQL Server #1 to allow NTLM over TCP/IP, but not SQL
> Server
> #2.
>
> All ideas most welcome



Posted by Al on December 7, 2005, 11:40 am
Please log in for more thread options
The machines are both in the same OU. So I'm guessing that the same GPO is
being applied to both machines.

I have just found the "RSoS" snap-in. Had no idea the thing existed.

Could you let me have the names of the policies that effect Kerberos and
NTLM ?

Thanks


"Roger Abell [MVP]" wrote:

> Are the two machines in the same OU ?
> There are policy settings that can impact whether NTLM, v1, v2,
> are available, and also policies that control the digital communications
> signing requirements. If the two are in different OU, or if there are
> any GPOs that have their application security group filtered, or if
> these policies are left to the local policies to set and they are there
> set differently, any one of those could explain your situation.
>
> Assuming that you have looked at the SQL network server and
> client library settings and these are in agreement, and that as far as
> you can tell the two SQL Server services are otherwise configured
> in same/similar way, then it could well be different policy settings.
> You could try using resultant set of policy to see the effective
> settings on the two servers and compare, particularly the policy
> settings in the innermost Security section of Computer policy that
> impact NTLM level and signing, and impact network server and
> network client behaviors.
> > This is to do with SQL Server 2005, but I think it is a more general
> > issue.
> >
> > We have two SQL Servers, but starting with bog-standard Domain accounts
> > and
> > both running in Windows Authentication mode. Either account it trust for
> > delegation, nor are the machines, as we do not need delegation and don't
> > which to turn it on.
> >
> > When trying to attach to SQL Server #1, with Windows using TCP/IP, get a
> > connection and we can see that is it using NTLM for authentication.
> >
> > When trying to attach to SQL Server #2, using TCP/IP, get an error,
> > "Cannot
> > generate SSPI context". When trying to attach using Named Pipes, get a
> > connection and again we can see that it is using NTLM for authentication.
> >
> > SQL Server #2 does have TCP/IP enabled. It does not have (as far as I can
> > tell) IP Security configured.
> >
> > We are using Active Directory 2003, running in Native Mode.
> >
> > What would allow SQL Server #1 to allow NTLM over TCP/IP, but not SQL
> > Server
> > #2.
> >
> > All ideas most welcome
>
>
>

Posted by Remus Rusanu [MSFT] on December 7, 2005, 12:46 pm
Please log in for more thread options
I suspect Server #2 has an SPN registered for the SQL Server, but the
account running the server has no priviledges over that SPN. Check what SPNs
are registered for the two machines. Use a tool like setspn.exe (available
for download from microsoft download center).

This article is very usefull on troubleshooting these kind of issues:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

--
This posting is provided "AS IS" with no warranties, and confers no rights.

HTH,
~ Remus Rusanu

SQL Service Broker
http://msdn2.microsoft.com/en-us/library/ms166043(en-US,SQL.90).aspx


> This is to do with SQL Server 2005, but I think it is a more general
> issue.
>
> We have two SQL Servers, but starting with bog-standard Domain accounts
> and
> both running in Windows Authentication mode. Either account it trust for
> delegation, nor are the machines, as we do not need delegation and don't
> which to turn it on.
>
> When trying to attach to SQL Server #1, with Windows using TCP/IP, get a
> connection and we can see that is it using NTLM for authentication.
>
> When trying to attach to SQL Server #2, using TCP/IP, get an error,
> "Cannot
> generate SSPI context". When trying to attach using Named Pipes, get a
> connection and again we can see that it is using NTLM for authentication.
>
> SQL Server #2 does have TCP/IP enabled. It does not have (as far as I can
> tell) IP Security configured.
>
> We are using Active Directory 2003, running in Native Mode.
>
> What would allow SQL Server #1 to allow NTLM over TCP/IP, but not SQL
> Server
> #2.
>
> All ideas most welcome



Posted by Al on December 8, 2005, 4:48 am
Please log in for more thread options
Thanks Remus, you were spot on with that.
We hadn't noticed that when we bounced the SQL instance that it was logging
that it couldn't unregister the SPN.

Not 100% sure how we got into that state, but not important.

Thanks again,

Al

"Remus Rusanu [MSFT]" wrote:

> I suspect Server #2 has an SPN registered for the SQL Server, but the
> account running the server has no priviledges over that SPN. Check what SPNs
> are registered for the two machines. Use a tool like setspn.exe (available
> for download from microsoft download center).
>
> This article is very usefull on troubleshooting these kind of issues:
>
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> HTH,
> ~ Remus Rusanu
>
> SQL Service Broker
> http://msdn2.microsoft.com/en-us/library/ms166043(en-US,SQL.90).aspx
>
>
> > This is to do with SQL Server 2005, but I think it is a more general
> > issue.
> >
> > We have two SQL Servers, but starting with bog-standard Domain accounts
> > and
> > both running in Windows Authentication mode. Either account it trust for
> > delegation, nor are the machines, as we do not need delegation and don't
> > which to turn it on.
> >
> > When trying to attach to SQL Server #1, with Windows using TCP/IP, get a
> > connection and we can see that is it using NTLM for authentication.
> >
> > When trying to attach to SQL Server #2, using TCP/IP, get an error,
> > "Cannot
> > generate SSPI context". When trying to attach using Named Pipes, get a
> > connection and again we can see that it is using NTLM for authentication.
> >
> > SQL Server #2 does have TCP/IP enabled. It does not have (as far as I can
> > tell) IP Security configured.
> >
> > We are using Active Directory 2003, running in Native Mode.
> >
> > What would allow SQL Server #1 to allow NTLM over TCP/IP, but not SQL
> > Server
> > #2.
> >
> > All ideas most welcome
>
>
>

Similar ThreadsPosted
NTLM issue with W2K3 April 28, 2006, 10:47 am
NTLM Auth (weird) January 23, 2008, 4:15 pm
my firewall block ntlm authentification June 18, 2008, 4:56 am
Logging, Login API and SSPI January 24, 2007, 4:31 pm
SPNEGO / SSPI / SSO / GSSAPI Questions September 12, 2006, 11:11 am
Group SIDs from SSPI token on Windows CE July 14, 2005, 5:39 pm
INTERACTIVE group missing after SSPI auth October 28, 2005, 12:54 pm
INTERACTIVE group missing after SSPI auth November 2, 2005, 3:16 pm
sharePoint and kerberos November 6, 2005, 5:35 pm
IPSec and Kerberos September 27, 2006, 10:17 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap