Kerberos / double hop / linked servers in SQL AG


Problem description


Hi guys, I have some challenges with my SQL 2016 AO AG cluster:

Two nodes, 3 instances on each, one AG per instance.
Node1
Inst 1 - AG 1
Inst 2 - AG 2
Inst 3 - AG 3

Node2
Inst 1 - AG 1
Inst 2 - AG 2
Inst 3 - AG 3

On each instance there are linked servers to all other AGs; we need to use this due to distributed transactions and some agent jobs.

When running all AGs on either node1 or node2, all linked servers work fine, but when running, for example, AG2 on node2, the linked server from node 1 gives the error message "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.".

I know this is due to double hop/Kerberos issues, so is there some guideline for how this kind of scenario should be set up?

I have created some SPNs, but I am really not sure if it is the correct way. For example, should I create SPNs for both nodes, with the port numbers, and should I create SPNs for the AG names as well, using what port nr?

The two nodes use separate service accounts.

Solution

Hi niklasrene,

 

>>I have created some SPNs, but I am really not sure if it is the correct way. For example, should I create SPNs for both nodes, with the port numbers, and should I create SPNs for the AG names as well, using what port nr?

Would you please tell us if you create a listener for each of your AGs? I suggest you register the SPN for the AG listener. You can link the server by listener without concerning yourself with which one is the active node. For more details, please refer to Create Linked Server to AlwaysOn Availability Group Listener.

Hope this could help you.

Best regards,

Dedmon Dai
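
The listener SPN registration suggested in the answer, as an added PowerShell example that is not part of the original thread: it audits, and optionally registers, `MSSQLSvc` SPNs for each AG listener name and listener port. The domain, account, listener names and ports are placeholders, and it assumes all replicas of an AG run under one domain service account, because an SPN can be registered to only one account while the listener name moves between nodes.

```powershell
# Added example: every name below is a placeholder, not a value from the thread.
Import-Module ActiveDirectory            # RSAT ActiveDirectory module

$Domain     = 'corp.example.com'         # AD DNS domain (placeholder)
$NetBIOS    = 'CORP'                     # NetBIOS domain name (placeholder)
$SvcAccount = 'svc-sqlag'                # sAMAccountName shared by all replicas (assumption)
$Listeners  = @(                         # listener name and listener port per AG (placeholders)
    @{ Name = 'AG1-LSN'; Port = 1433 },
    @{ Name = 'AG2-LSN'; Port = 1434 },
    @{ Name = 'AG3-LSN'; Port = 1435 }
)
$Apply = $false                          # $true registers missing SPNs; $false only reports

foreach ($l in $Listeners) {
    # Clients may connect by FQDN or by short name, so both forms are checked.
    $spns = "MSSQLSvc/$($l.Name).${Domain}:$($l.Port)", "MSSQLSvc/$($l.Name):$($l.Port)"
    foreach ($spn in $spns) {
        # Every AD object currently holding this SPN (there must be exactly one).
        $owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'" -Properties sAMAccountName)
        if ($owners.Count -eq 0) {
            if ($Apply) {
                # -S adds the SPN only after checking the domain for duplicates.
                & setspn.exe -S $spn "$NetBIOS\$SvcAccount"
            } else {
                Write-Output "MISSING     $spn"
            }
        } elseif ($owners.Count -gt 1) {
            # A duplicated SPN breaks Kerberos for that name.
            Write-Output "DUPLICATE   $spn -> $($owners.sAMAccountName -join ', ')"
        } elseif ($owners[0].sAMAccountName -ne $SvcAccount) {
            # Registered, but to an account other than the one running the replicas.
            Write-Output "WRONG OWNER $spn -> $($owners[0].sAMAccountName)"
        } else {
            Write-Output "OK          $spn"
        }
    }
}
```

Once the SPNs are in place, a connection made through the listener should show `KERBEROS` in the `auth_scheme` column of `sys.dm_exec_connections`. The double hop additionally requires that the service account of the instance where the linked server is defined is trusted for delegation in Active Directory.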

