RE: security account delegation

RE: security account delegation

 

  

Man, I gotta remember to slow down and read more thouroughly... I just
saw the part about a local system account. I'd be surprised if it did
work at all using a local system account, considering there is no
network user context for it.

-----Original Message-----
From: Gordon Rayburn
Sent: Thursday, December 28, 2006 9:54 AM
To: LazyDBA Discussion
Subject: RE: security account delegation

The SPN _should_ be required due to the usage of kerberos as the
security protocol...not much happens in kerberos without an SPN being
set.

Also, the point of delegation for linked servers is to allow the server
to forward user authentication across the wire. By doing this, you
should be required to have an SPN set for the service, otherwise it's
got no user context on the network (as far as kerberos is concerned).

It's pretty easy to create/delete SPN's if you're a DA. Give it a shot
without and see....

-----Original Message-----
From: Mordechai Danielov
[mailto:mssqldba-ezmlmshield-x29392979.[Email address protected]
Sent: Thursday, December 28, 2006 9:48 AM
To: LazyDBA Discussion
Subject: RE: security account delegation

Thanks. I read that BOL article a bunch of times. The issue is that I
saw an article in SQL magazine that says that MS documentation is wrong,
and you don't need to assign the SPN at all, and only need to set up
delegation for the server if you are using a local system account to
start the SQL service.

-----Original Message-----
From: Gordon Rayburn
[mailto:mssqldba-ezmlmshield-x5695929.[Email address protected]
Sent: Thursday, December 28, 2006 12:44 PM
To: LazyDBA Discussion
Subject: RE: security account delegation

Service account & the server must be set for delegation.

See the "Security Account Delegation" topic in BOL.

-----Original Message-----
From: Mordechai Danielov
[mailto:mssqldba-ezmlmshield-x62863629.[Email address protected]
Sent: Thursday, December 28, 2006 8:56 AM
To: LazyDBA Discussion
Subject: security account delegation

Hello everyone,

I'm trying to figure out what's the best way to set up security
delegation so that windows users can access data across linked servers.
I'm finding contradictory information on the subject. What's your
experience - is it enough to enable security delegation for the SQL
service account, or is it also necessary to do this for this servers, or
is it also necessary to explicitly set up an SPN? Thanks.

Mordechai



---------------------------------------------------------------------
TO REPLY TO EVERYBODY , PLEASE CLICK REPLY-ALL, NOT JUST REPLY To post a
dba job: http://jobs.lazydba.com To subscribe : http://www.LazyDBA.com
To unsubscribe: http://www.lazydba.com/unsubscribe.html




------------------------------------------------------------------------
----
--
NOTICE OF CONFIDENTIALITY
The information contained in this communication and any accompanying
document(s) is proprietary and confidential and is intended solely for
the above-named individual or entity. If you are not the intended
receiver, recipient or entity, you are advised that any distribution,
copying, disclosure or communication of this email is strictly
prohibited. If you have received this email in error, please contact me
at the telephone number listed above or 858.716.1500.
========================================================================
====
==



---------------------------------------------------------------------
TO REPLY TO EVERYBODY , PLEASE CLICK REPLY-ALL, NOT JUST REPLY To post a
dba job: http://jobs.lazydba.com To subscribe : http://www.LazyDBA.com
To unsubscribe: http://www.lazydba.com/unsubscribe.html



---------------------------------------------------------------------
TO REPLY TO EVERYBODY , PLEASE CLICK REPLY-ALL, NOT JUST REPLY To post a
dba job: http://jobs.lazydba.com To subscribe : http://www.LazyDBA.com
To unsubscribe: http://www.lazydba.com/unsubscribe.html




------------------------------------------------------------------------------
NOTICE OF CONFIDENTIALITY
The information contained in this communication and any accompanying document(s) is proprietary and confidential and is intended solely for the above-named individual or entity. If you are not the intended receiver, recipient or entity, you are advised that any distribution, copying, disclosure or communication of this email is strictly prohibited. If you have received this email in error, please contact me at the telephone number listed above or 858.716.1500.
==============================================================================


MS Sql Server LazyDBA home page