HoricePlant asked:
Windows authentication to SQL involving multiple domains

In a nutshell, we have a Windows user account from one domain (userdomain) using Remote Desktop to an app server in a different domain (appdomain). The user then attempts to Windows authenticate to a SQL server (appdomain) on the same domain as the app server but gets a message saying "account is from an untrusted domain and cannot be used with Windows authentication."

The user account has permissions in the target SQL server and can be connected to directly from the user's PC (userdomain) via Windows authentication.

The app server and target SQL server are Windows 2003 standard edition, the SQL server being SQL 2005 standard edition.

The connection attempts are via ODBC using the "SQL Server" driver.

There is another SQL server (SQL 2008 Ent) on Windows 2008 R2 Enterprise (appdomain) which can be connected to via Windows authentication from the app server Remote Desktop. Also, if the user account uses Remote Desktop onto the Windows 2008 R2 server, it can then successfully Windows authenticate to the original SQL server. With this and the PC connection, it seems to imply that the relevant forest/domain trusts are in place and that the issue is around the target SQL server in some way.

The SQL server service is running as a domain account. There are SPNs for the SQL server; when I do setspn -L "appdomain\SQLServiceAccount" I get:
MSSQLSVC/hostname:1433
MSSSQLSVC/hostname.appdomain: 1433
MSSQLSVC/hostname
MSSSQLSVC/hostname.appdomain

NB. Users which are in appdomain (i.e. the same domain as the app server and the SQL server) can connect to the SQL server from Remote Desktop on the app server without issue.
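As an added illustration (not part of the original question or any reply), the following Python script parses the kind of listing `setspn -L` produces and checks each entry against the SPN form a SQL Server client builds when it requests a Kerberos ticket, MSSQLSvc/<FQDN>:<port> (SQL Server 2008 and later also register MSSQLSvc/<FQDN>). The sample output is constructed to mirror the four entries quoted above; the account DN, the FQDN `hostname.appdomain` and port 1433 are assumptions. It flags entries whose service class or shape does not match, duplicate registrations, and expected entries that are absent; a missing or malformed SPN is one common reason a client cannot obtain a Kerberos ticket for the SQL service and falls back to NTLM.

```python
"""Check MSSQLSvc SPNs from ``setspn -L`` output.

Added example (not from the original question or any reply). It assumes the
documented Kerberos SPN form for a SQL Server instance,
``MSSQLSvc/<FQDN>:<port>`` (SQL Server 2008+ also registers ``MSSQLSvc/<FQDN>``),
and uses a constructed sample that mirrors the listing in the question.
"""
import re
from typing import Dict, List

# Constructed sample in the shape setspn -L prints. The DN is hypothetical;
# the four SPN lines reproduce the entries quoted in the question.
SAMPLE_SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=SQLServiceAccount,OU=Service,DC=appdomain,DC=local:
\tMSSQLSVC/hostname:1433
\tMSSSQLSVC/hostname.appdomain: 1433
\tMSSQLSVC/hostname
\tMSSSQLSVC/hostname.appdomain
"""

# <service class>/<host>[:<port>] with no stray whitespace allowed.
SPN_RE = re.compile(r"^(?P<class>[^/\s]+)/(?P<host>[^:/\s]+)(?::(?P<port>\d+))?$")


def parse_setspn(output: str) -> List[str]:
    """Return the SPN lines from setspn -L output, header and blanks dropped."""
    spns = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("registered serviceprincipalnames"):
            continue
        spns.append(line)
    return spns


def check_sql_spns(spns: List[str], fqdn: str, port: int = 1433) -> Dict[str, List[str]]:
    """Classify SPNs as ok / malformed / duplicate and list expected ones missing.

    SPN comparison is case-insensitive, as it is in Active Directory.
    """
    expected = [f"MSSQLSvc/{fqdn}:{port}", f"MSSQLSvc/{fqdn}"]
    findings: Dict[str, List[str]] = {"ok": [], "malformed": [], "duplicates": [], "missing": []}
    seen = set()
    for spn in spns:
        m = SPN_RE.match(spn)
        # Anything not of the form MSSQLSvc/host[:port] can never match the
        # SPN a SQL client builds, so it is reported as malformed.
        if m is None or m.group("class").lower() != "mssqlsvc":
            findings["malformed"].append(spn)
            continue
        key = spn.lower()
        if key in seen:
            findings["duplicates"].append(spn)
            continue
        seen.add(key)
        findings["ok"].append(spn)
    present = {s.lower() for s in findings["ok"]}
    findings["missing"] = [e for e in expected if e.lower() not in present]
    return findings


def report(output: str, fqdn: str, port: int = 1433) -> str:
    """Human-readable summary, one finding per line."""
    f = check_sql_spns(parse_setspn(output), fqdn, port)
    lines = []
    for category in ("ok", "malformed", "duplicates", "missing"):
        for spn in f[category]:
            lines.append(f"{category:10} {spn}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Assumed FQDN and port for the instance in the question.
    print(report(SAMPLE_SETSPN_OUTPUT, "hostname.appdomain", 1433))
```

Run it against the real `setspn -L` output for the service account and the FQDN that clients actually resolve; only the entries reported as `ok` can satisfy a Kerberos ticket request, and anything under `malformed` or `missing` is worth correcting on the account before looking further at trusts or delegation settings.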
x-men replied:

Check the "trust for delegation" property in AD.

More at:
http://technet.microsoft.com/en-us/library/cc961952.aspx
HoricePlant (asker) replied:

Is this delegation? I didn't think this use of ODBC was delegation but just Windows authentication. If nothing has specifically been enabled for delegation, and this is delegation, I'm not sure why it is able to connect to a different server (the SQL 2008 Enterprise server). Users of the same domain as the app server and SQL server work fine with no delegation options set.
Could you please clarify what makes this a delegation issue?

Regards.
Asker certified solution (HoricePlant, asker):

The comment I posted was the resolution. There were no other replies/comments that could be accredited to this.