Hi,
I have a requirement to configure Kerberos constrained delegation to accommodate a 'double hop' from SQL to a CIFS/SMB file share.
The scenario is:
- I have a SQL Server instance (2008 R2) running under account domain\SQLService
- I have a file share hosted on domain\fileServer to which domain\SQLService has full access
- The file share contains the file test.dll
- I need to be able to run the statement CREATE ASSEMBLY test from '\\fileServer\share\test.dll' from a remote SSMS session, hence I need the Kerberos double hop to allow the authentication.
I have got this working by setting the delegation settings for domain\SQLService to 'Trust this user for delegation to any service (Kerberos only)', so I know the SPN and permissions etc. are correctly set.
However, I need to get this working using constrained delegation, i.e. to configure the explicit services for the delegation rather than allowing any.
So I have configured the delegation settings for domain\SQLService to specify 'Trust this user for delegation to specified services only' and specified 'cifs/fileServer'.
This is resulting in failure.
I have enabled Kerberos logging on the middle tier (SQL Server) and performed a network trace.
The logging shows event ID 3 with:
Description:
A Kerberos error message was received:
on logon session
Client Time:
Server Time: 22:34:54.0000 3/20/2013 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc0000225 KLIN(0)
Client Realm:
Client Name:
Server Realm: TEST.LOCAL
Server Name: cifs/fileServer.test.local
Target Name: cifs/fileServer.test.local@TEST.LOCAL
Error Text:
File: 9
Line: 12be
Error Data is in record data.
I have also performed a netmon trace of the working scenario (delegation set to allow any service) and this shows the Kerberos token for cifs/fileServer.test.local in the securityBlob.
I cannot see any other service names referenced, so I am at a loss as to why this isn't working with the constrained configuration.
Any help/advice as to what I have missed here?
Thanks,
Phil
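One way to inspect and set the constrained-delegation entries discussed in the post, as an added example that is not part of the original post or any reply to it. It uses the ActiveDirectory PowerShell module (RSAT) and takes the names from the post (SQLService, fileServer, TEST.LOCAL); that the service account is a user object, that the script runs as a domain admin, and the helper function names are assumptions. The point it shows is that the KDC matches the SPN requested in the S4U2proxy step (the `Server Name` in the event, cifs/fileServer.test.local) against the account's `msDS-AllowedToDelegateTo` list, so the list is written with both the short and the FQDN form, and it returns the flags a practitioner would check when KDC_ERR_BADOPTION comes back.

```powershell
# Added example (not from the original post). Assumes RSAT's ActiveDirectory
# module, a domain-admin session, and that domain\SQLService is a user object.
Import-Module ActiveDirectory

$svcAccount = 'SQLService'   # middle tier (SQL Server) service account, from the post
$fileServer = 'fileServer'   # back-end file server, from the post
$dnsSuffix  = 'test.local'   # realm seen in the event (TEST.LOCAL)

# Report the delegation-relevant state of an account by decoding userAccountControl
# and reading msDS-AllowedToDelegateTo directly, so UI wording cannot mislead.
function Get-DelegationState {
    param([string]$SamAccountName)
    $u = Get-ADUser $SamAccountName -Properties userAccountControl, servicePrincipalName, 'msDS-AllowedToDelegateTo'
    $uac = $u.userAccountControl
    [pscustomobject]@{
        Account                    = $u.SamAccountName
        # 0x80000 = TRUSTED_FOR_DELEGATION: "Trust this user for delegation to any service"
        TrustedForDelegation       = [bool]($uac -band 0x80000)
        # 0x1000000 = TRUSTED_TO_AUTH_FOR_DELEGATION: "Use any authentication protocol"
        TrustedToAuthForDelegation = [bool]($uac -band 0x1000000)
        # 0x100000 = NOT_DELEGATED: "Account is sensitive and cannot be delegated"
        AccountNotDelegated        = [bool]($uac -band 0x100000)
        SPNs                       = @($u.servicePrincipalName)
        AllowedToDelegateTo        = @($u.'msDS-AllowedToDelegateTo')
    }
}

# Configure "Trust this user for delegation to specified services only (Kerberos only)".
# The file server normally registers only HOST/ SPNs and cifs is reached through the
# HOST mapping, but the delegation list on the middle tier must still spell out cifs/
# in the exact form the client requests, so both short name and FQDN are listed.
function Set-ConstrainedDelegation {
    param([string]$SamAccountName, [string]$TargetHost, [string]$DnsSuffix)
    $targets = @(
        "cifs/$TargetHost",
        "cifs/$TargetHost.$DnsSuffix"
    )
    # -Replace (not -Add) so no stale or misspelled entry survives.
    Set-ADUser $SamAccountName -Replace @{ 'msDS-AllowedToDelegateTo' = $targets }
    # Kerberos only: no "any service", no protocol transition, and not blocked.
    Set-ADAccountControl $SamAccountName `
        -TrustedForDelegation $false `
        -TrustedToAuthForDelegation $false `
        -AccountNotDelegated $false
}

Set-ConstrainedDelegation -SamAccountName $svcAccount -TargetHost $fileServer -DnsSuffix $dnsSuffix
Get-DelegationState -SamAccountName $svcAccount | Format-List

# Checks worth running before retrying the CREATE ASSEMBLY:
# 1. The SQL SPN(s) must be on the service account; otherwise the first hop (SSMS to
#    SQL) falls back to NTLM and there is no Kerberos ticket to delegate at all.
setspn -L $svcAccount
# 2. The user connecting from SSMS must not be marked "sensitive and cannot be
#    delegated"; the KDC refuses S4U2proxy for such accounts.
Get-ADUser $env:USERNAME -Properties AccountNotDelegated |
    Select-Object SamAccountName, AccountNotDelegated
# 3. On the SQL host, after a fresh SSMS connection, 'klist' in the service account's
#    session should show the client's ticket for the SQL SPN as Kerberos and forwardable;
#    Kerberos-only constrained delegation needs a forwardable evidence ticket.
```

Usage note: compare `AllowedToDelegateTo` in the output with the `Server Name` field of the event ID 3 entry; the KDC returns KDC_ERR_BADOPTION for an S4U2proxy request when the requested SPN is not on that list or the evidence ticket is not forwardable, so those are the two things to reconcile before changing anything else.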