Reputation: 226
Resolving Kerberos vs NTLM Authentication Issue in Cross-Domain SQL Server Connection
I am encountering an issue with Kerberos authentication in a multi-domain Microsoft SQL Server setup. Here are the details of my configuration:
- Microsoft SQL Server is hosted on a server that is part of the Windows Active Directory
xyz.comdomain. - Host1, also in the
xyz.comdomain. - Host2, part of the Windows Active Directory
abc.comdomain, which has a two-way trust relationship withxyz.com. - A separate DNS server registers the SQL Server endpoint A record as
sqlserver-instance.differentdomain.com. - I registered the Service Principal Name (SPN)
MSSQLSvc/sqlserver-instance.differentdomain.comin thexyz.comdomain.
- Connecting to sql server from SSMS on Host1, can connect to SQL Server using Kerberos authentication.
- Connecting to sql server from SSMS on Host2, defaults to NTLM authentication instead of Kerberos when connecting to SQL Server.
Despite this configuration, when Host2 tries to connect to sqlserver-instance.differentdomain.com, it uses NTLM instead of Kerberos.
Is there a solution that allows Host2 to use Kerberos authentication to connect to SQL Server while maintaining the endpoint sqlserver-instance.differentdomain.com? Additionally, I found a guide on configuring Kerberos with realms for Java applications (https://learn.microsoft.com/en-us/sql/connect/jdbc/using-kerberos-integrated-authentication-to-connect-to-sql-server?view=sql-server-ver16). Can a similar approach be applied for non-Java environments, or is there an alternative method for my situation?
Upvotes: 1
Views: 1941
Answers (1)
Reputation: 16542
Try one of the following to map the domain to the correct realm (note: Kerberos realm, not AD domain; realms are almost always upper-case as seen in klist):
Manual
ksetup /addhosttorealmmap .differentdomain.com XYZ.COM.The corresponding Group Policy setting.
In Windows, typically it's not the client itself but the client's KDC responsible for mapping service domains to Kerberos realms. (The client requests a "local" ticket and potentially gets a referral to another realm.) So if possible, I would attempt to deploy this mapping to the domain controllers instead of client machines.
Upvotes: 0
Related Questions
- MSSQL Server SPN Connections: Linux to MSSQL Server (setspn, kinit, kerberos authentication)
- How to add Active Directory user group as login in SQL Server
- SQL Server 2008 Windows Auth Login Error: The login is from an untrusted domain
- SQL Server Domain Authentication over VPN
- Connecting to SQL Server with pyodbc, FreeTDS, and Kerberos authentication on macOS
- How to connect to local instance of SQL Server 2008 Express
- Force a Kerberos or NTLM logon to an Active Directory domain
- Using Kerberos authentication for SQL Server 2008