Linked Servers – Group Membership | SQL Server Performance Forums

SQL Server Performance Forum – Threads Archive

Linked Servers – Group Membership

I have 2 servers with SQL 2000 sp3a on win2K. Due to the double hop issue with windows authentication, in the "linked server Properties" window in the SQL console (MMC) I have mapped the local login: "myDomain\me" (NT login) to "linkSA" (sql login).
Everything is good. BUT…when I map a group to it:
"myDomain\myGroup" (NT GROUP) to "linkSA" (sql login)
the linked server queries fail saying the usual…
Server: Msg 18456, Level 14, State 1, Line 1
Login failed for user ‘NT AUTHORITY\ANONYMOUS LOGON’.
Does anyone have a workaround other than mapping each individual NT login? If you can point me to a good article on how to bypass completely the NTLM authentication and use the Kerberos instead as to avoid the double hop issue that would be good too. Thx in advance.
NTLM authentication does not support double hop because security tokens and hashes are only valid for the computer where they are generated. Work out the following:
Map the clients on server A to a standard security login on server B, by using either the sp_addlinkedsrvlogin stored procedure or the Security tab of the Linked Server Properties dialog box in Enterprise Manager.
If you are running the distributed query on an instance of SQL Server that is running on a Microsoft Windows 2000-based computer, configure SQL Server to listen for client requests by using the Named Pipes Server network library, instead of using the TCP/IP Server network library or the Multiprotocol Server network library.
Satya SKJ
Moderator
http://www.SQL-Server-Performance.Com/forum
This posting is provided “AS IS” with no rights for the sake of knowledge sharing.
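The login mapping described in the reply above, written out as T-SQL. This is an added example, not code from the thread: the linked server name `SERVERB` and the password value are placeholders, while `myDomain\me` and `linkSA` are the names used in the question.

```sql
-- Run on server A (the server that issues the linked server query).
-- SERVERB and the password below are placeholders, not values from the thread.

-- Optional: remove the default mapping created with the linked server, so a
-- login without an explicit mapping is refused instead of attempting to pass
-- its own credentials on to server B (the double hop).
EXEC sp_droplinkedsrvlogin
    @rmtsrvname = N'SERVERB',
    @locallogin = NULL;

-- Map one Windows login on server A to the standard (SQL) login on server B.
-- @useself = 'false' tells SQL Server to connect with @rmtuser/@rmtpassword
-- rather than the caller's own credentials.
EXEC sp_addlinkedsrvlogin
    @rmtsrvname  = N'SERVERB',
    @useself     = 'false',
    @locallogin  = N'myDomain\me',
    @rmtuser     = N'linkSA',
    @rmtpassword = N'<password-placeholder>';

-- List the mappings now defined for this linked server.
EXEC sp_helplinkedsrvlogin @rmtsrvname = N'SERVERB';

-- While logged in as myDomain\me, confirm which login arrives on server B.
-- With the mapping in effect this returns linkSA, not ANONYMOUS LOGON.
SELECT remote_login
FROM OPENQUERY(SERVERB, 'SELECT SUSER_SNAME() AS remote_login');
```

Every login mapped this way acts on server B with whatever rights `linkSA` holds there, so that login's permissions on server B bound what mapped users can do through the link.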
Thanks Satya for your prompt response. I’m not sure you got my question right though… I already set up "clients on server A to a standard security login on server B."
The problem is that one of the clients on server A is an NT group and this blows it up. When it’s an individual NT login it works.
I read the Microsoft article about the double hop fix and I’d rather do the login mapping than the Named Pipes since this would create other sorts of headaches :)

Has anyone already tried to map an NT group login to a sql login when setting up a linked server?
Hey, did you ever figure this out? We seem to be having the same problem here.
Thanks, Jackie
What parameters were applied when sp_addlinkedsrvlogin was used?
Check whether the BUILTIN/ADMINISTRATORS group has been removed from SQL Server.
Satya SKJ
Contributing Editor & Forums Moderator
http://www.SQL-Server-Performance.Com
This posting is provided “AS IS” with no rights for the sake of knowledge sharing.