We are going to enable Kerberos to allow double hop authentication between our SQL Servers. Our company is nearly 24 hours which leaves a very small window for server restarts. Is it possible to enable Kerberos without requiring a reboot of our Domain Controllers or our SQL servers?
Asked
Active
Viewed 1,259 times
1
-
1You're changing authentication schemes on a 24-hour company without a test environment? – pboin Jul 13 '11 at 19:11
-
point taken! I'll have to check with the hardware/network folks about this. – Clownish Carnage Jul 14 '11 at 12:04
1 Answers
1
Kerberos is already enabled, it's how active directory works, what I assume your talking about is enabling delegation from your web server(or other application server) to your SQL server, this does not require a reboot.
That said, as pboin mentioned, I would always try this in a test environment first.
Christopher_G_Lewis
- 3,647
- 21
- 27
Sam Cogan
- 38,158
- 6
- 77
- 113
-
Certainly a valid point. This actually did come up in discussions. I'm not sure how well we'll be able to create a test environment to mimic this. But it's definitely worth exploring more. – Clownish Carnage Jul 14 '11 at 12:05
-
Our authentication is defaulting to NTLM. We are looking to default to Kerberos. Leaving the current connections as NTLM is OK. Another note: Most of our current SQL authentication is via SQL and not through AD. So, my assumption is that our main systems will not have a problem. Currently my main concern is SQL to SQL (and custom calling apps or Access Databases). – Clownish Carnage Jul 14 '11 at 12:16
-
You likely have this query already: select session_id, net_transport, protocol_type, auth_scheme, client_net_address from sys.dm_exec_connections where session_id = @@SPID Useful in trouble-shooting authentication issues over linked servers. – jl. Jul 14 '11 at 19:55