SQL 2008 R2 Reporting Services Double Hop SPN setup
Posted on 2011-10-19
I'm a system admin and know just a little about SQL. We just setup a SQL 2008 R2 reporting server that will connect to other SQL 2005/2008 databases to pull from. I understand the concept of the "double hop slash kerberos" issue that exists, but I'm not 100% sure how to configure it.
Some articles say that you need to do the setspn command for the service accounts AND also change the attribute on the computer account. Others say just the service account or just the computer account. Also, do I need to do this for the service accounts just on the reporting server? Or do I need to also do this for the database servers that the reporting server will connect to? My guess is that I just need to do this on the reporting server since that is the only server doing delegation or impersonation.
So my guess as to what I should do it this:
•setspn -a MSSQLSvc/SQL01:1433 acme\SqlReportingServices
•setspn -a MSSQLSvc/SQL01.acme.com:1433 acme\SqlReportingServices
•setspn -a http/RPTS01 acme\SqlReportingServices
setspn -a http/RPTS01.acme.com acme\SqlReportingServices
Do I also need to set the computer account to "Trust this computer for delegation to any service"? I've read that if you do it by machine you can't do load balancing, but we aren't doing that anyway.