susiedba
hey
I work in an SSRS environment; I also do some web dev.. and we keep on
having authentication problems getting a token to pass from one user to
the webserver; and then to the database server.
this is called 'double-hop' authentication.. right?
I'm of the understanding that I need to check 'trust for delegation'
and run SetSpn on the ServiceAccount for my database server for it to
be the recipient of a double-hop token.
Isn't that correct?
Ok.. now let's fast forward.. We got a bunch of SSRS Servers; and for
most of these; these guys put the SSRS Server on the same machine as
the database server.
Then they go to copy the report from the localserver to another; and
they bitch about how it doesn't have permissions.. it shows up and says
'user Null' or whatever-- it just sounds to me like a simple double-hop
problem.
I've tried to explain this to a half dozen clients over the years--
about the web authentication thing... because everywhere I go; people
use SQL authentication or they put the DB Server on the same machine as
the webserver.. or they make you launch the SSAS processing job from
the local machine.. instead of being able to connect from my desktop to
an SSAS machine to a 3rd machine- the db server.
It just seems to me like 99% of the companies out there don't know how
to do double-hop authentication.
And I just swear to god... everyone I tell this to, they're like 'well
we're not a Kerberos shop so we don't need to do that'
Does anyone have any REAL CLEAR guidelines for when we should use the
double-hop 'trust for delegation' and 'setspn' concept?
a) we DON'T have Kerberos
b) we have a half dozen servers and these guys put SSRS on the main db
server
(I assume it's because they don't speak double-hop)
c) at one of my last jobs; we had to terminal into the local db server
to do anything because we didn't have double-hop.. seemed like we were
throwing the baby out with the bathwater; giving people perms to the
terminal services on the db server; it just seems like overkill
d) I want to be able to go from DesktopA and hit ServerA and from
ServerA use a linked server to ServerB. That spells 'I need
double-hop' right?
thanks guys
-Susie
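
Read-only checks for the DesktopA to ServerA to ServerB hop in point d), as an added example that is not part of the original post. In Kerberos delegation the SPN is registered on the back-end service account and the delegation trust is set on the middle-tier account; the account names, domain and port below are hypothetical.

```powershell
# Added example. Run from DesktopA with the ActiveDirectory module (RSAT).
# Hypothetical names (not from the post): svc-serverA, svc-serverB, example.com, port 1433.
Import-Module ActiveDirectory

$middleTier = 'svc-serverA'      # account running SQL Server on ServerA
$backEnd    = 'svc-serverB'      # account running SQL Server on ServerB
$backEndSpn = 'MSSQLSvc/ServerB.example.com:1433'
$endUser    = $env:USERNAME      # the person sitting at DesktopA

# 1. The SPN belongs on the back-end service account. Without it no Kerberos
#    ticket can be issued for ServerB and the connection falls back to NTLM.
$spns  = @((Get-ADUser $backEnd -Properties ServicePrincipalName).ServicePrincipalName)
$spnOk = $spns -contains $backEndSpn

# 2. The delegation trust belongs on the middle-tier account (ServerA).
$mid     = Get-ADUser $middleTier -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
$allowed = @($mid.'msDS-AllowedToDelegateTo')
if ($allowed -contains $backEndSpn) {
    $delegation = 'constrained to ServerB'
} elseif ($mid.TrustedForDelegation) {
    $delegation = 'unconstrained (works, but broader than this hop needs)'
} else {
    $delegation = 'none'
}

# 3. The end user must not be flagged "sensitive and cannot be delegated".
$userOk = -not (Get-ADUser $endUser -Properties AccountNotDelegated).AccountNotDelegated

# 4. The first hop must itself be Kerberos; NTLM credentials cannot be forwarded.
#    Reading sys.dm_exec_connections needs VIEW SERVER STATE on ServerA.
$conn = New-Object System.Data.SqlClient.SqlConnection 'Server=ServerA;Integrated Security=SSPI'
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
    $scheme = $cmd.ExecuteScalar()
} finally {
    $conn.Close()
}

[pscustomobject]@{
    BackEndSpnRegistered = $spnOk
    MiddleTierDelegation = $delegation
    UserCanBeDelegated   = $userOk
    FirstHopAuthScheme   = $scheme    # KERBEROS is required; NTLM means no second hop
}
```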