
I'm trying to solve a mystery. We have two SQL Server instances residing on the same server. SQL instance A is linked to SQL instance B. Connections are made using pass-through authentication. The calling service is on a different server. No settings were put in place for Kerberos delegation, no SPN, no trust for delegation, etc. However, we weren't getting authentication failures when running distributed queries through the linked server connection. This makes no sense to me unless having the two instances on a single server results in a single-hop scenario (from calling client service to server on which both instances reside). The underlying Kerberos config is now in place, so Kerberos is being used successfully; I'm just trying to understand how the connection would have worked before I made the necessary changes. Does anyone have any insight into this? Thanks.

T-Heron
AndreaD
  • Are the instances running under the same user account, by any chance? – Jeroen Mostert Apr 05 '18 at 15:03
  • Yes, the SQL Server service accounts for both instances are configured to use the same AD account. But, the credentials that get passed through from the client are not the same as the SQL Server service account credentials. – AndreaD Apr 05 '18 at 17:29
  • Yes, I know, but my working hypothesis (and I'm not a Kerberos expert, so I could definitely be wrong :-)) is that the user's locally cached ticket (with which they've logged in to server A) is accessible to both instances since they're on the same machine with the same credentials, and LSASS isn't distinguishing by process but by user token (which is the same for both servers). As such, it wouldn't be considered a hop at all since the second instance doesn't need to go to the domain to verify. I'm too lazy to explicitly set up this configuration to test it, though. – Jeroen Mostert Apr 05 '18 at 18:34
  • You put forth an interesting and plausible theory, Jeroen. Thanks for taking the time to think through this. – AndreaD Apr 05 '18 at 19:49

1 Answer

The number of 'hops' is given by the number of distinct 'Local Security Authorities' involved. When you had two SQL Server instances on the same machine there was only one LSA involved, so no delegation was required.

Remus Rusanu
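The following T-SQL is an added diagnostic, not code from the question, the comments or the answer above. It checks the three facts this thread turns on: which service account each instance runs under, whether the linked server passes the caller's own security context through, and what authentication scheme and login each hop actually presents. It assumes a linked server named [InstanceB] defined on instance A (a placeholder name), VIEW SERVER STATE on both instances, and SQL Server 2008 R2 SP1 or later for sys.dm_server_services.

```sql
-- Added diagnostic, not from the original question or answer.
-- Assumptions: a linked server named [InstanceB] exists on instance A (placeholder),
-- the caller has VIEW SERVER STATE on both instances, and the build is
-- SQL Server 2008 R2 SP1 or later (sys.dm_server_services).

-- 1. Service accounts. The comment thread's hypothesis rests on both instances
--    running under the same AD account; run this on each instance and compare.
SELECT servicename, service_account, status_desc
FROM sys.dm_server_services
WHERE servicename LIKE 'SQL Server (%';

-- 2. Linked-server login mapping. uses_self_credential = 1 means the caller's
--    own security context is passed through (the double-hop case);
--    a non-NULL remote_name means a fixed remote login is used instead.
--    local_principal_id = 0 is the default mapping for all other logins.
SELECT s.name AS linked_server,
       s.data_source,
       ISNULL(p.name, '<all other logins>') AS local_login,
       l.uses_self_credential,
       l.remote_name
FROM sys.servers AS s
JOIN sys.linked_logins AS l ON l.server_id = s.server_id
LEFT JOIN sys.server_principals AS p ON p.principal_id = l.local_principal_id
WHERE s.is_linked = 1;

-- 3. First hop, as seen from instance A: the calling service's own connection,
--    its authentication scheme (KERBEROS or NTLM) and the login it presented.
SELECT c.session_id, c.auth_scheme, c.net_transport, c.client_net_address,
       s.login_name, s.host_name, s.program_name
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id
WHERE c.session_id = @@SPID;

-- 4. Second hop, as seen from instance B: the same query is shipped through the
--    linked server, so @@SPID and the DMVs are evaluated in B's session.
--    Compare login_name and auth_scheme with step 3. The classic double-hop
--    failure shows up here as a login error for NT AUTHORITY\ANONYMOUS LOGON.
SELECT *
FROM OPENQUERY([InstanceB], '
    SELECT c.session_id, c.auth_scheme, c.net_transport,
           s.login_name, s.host_name, s.program_name
    FROM sys.dm_exec_connections AS c
    JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id
    WHERE c.session_id = @@SPID');
```

Run steps 1 and 2 once on each instance, then steps 3 and 4 from a session opened by the remote calling service itself (not from a local SSMS session, whose first hop is trivially single-hop). The pair of result rows from steps 3 and 4 is the evidence for whether delegation is in play: if the second hop carries the original caller's login_name, that identity crossed the linked-server boundary, and auth_scheme tells you whether Kerberos or NTLM carried it.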