4.1.0 HP PolyServe Software for Microsoft SQL Server administration guide (T5392-96074, October 2010)

When a SQL client uses integrated security (SSPI) to connect to a SQL Server, the
SQL driver first tries to authenticate the client with Kerberos, the strong network
authentication protocol. If Kerberos is not available, NTLM authentication is then
used to authenticate the client. Kerberos authentication is used only if the
following prerequisites are met:
Both the client and server computers are running Windows 2000 SP3 or higher.
Both the client and server computers are part of the same domain or trusted domains.
The SQL Server service SPN is registered with Active Directory.
The SQL Server instance is listening on TCP/IP.
The SQL client is connecting over TCP/IP.
Kerberos uses a domain-unique identifier, the Service Principal Name (SPN), to
identify a resource within a network. An SPN for SQL Server is composed of three
components:
ServiceClass: the class of service. MSSQLSvc is for SQL Server.
Host: the fully qualified domain name for the computer running the SQL Server service.
Port: the TCP port that the SQL Server service is listening on.
An example of a valid SPN for SQL Server is:
MSSQLSvc/vqar13s11.ad1.polyserve.com:50004
When connecting to SQL Server via Kerberos, the client SQL driver uses the Winsock
API (gethostbyname and gethostbyaddr) to resolve the fully qualified name of the
SQL Server and form an SPN for the target SQL Server. Whether the SPN is valid
depends entirely on DNS name/address resolution. If the client-formed SPN is
invalid, the SSPI interface retries by looking up an SPN in Active Directory. If an
SPN does not exist in AD for the SQL Server, Kerberos authentication is not used and
the logon falls back to NTLM authentication.
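The DNS dependence described above can be checked offline. The following is an added example, not code from the HP guide: it forms the SPN from a forward and a reverse lookup and compares it with the SPNs registered for the service. The function names, the outcome labels, the sample address and the stale PTR name are assumptions made for illustration.

```python
import socket

def client_formed_spn(server, port, forward=socket.gethostbyname,
                      reverse=socket.gethostbyaddr):
    """Form MSSQLSvc/<fqdn>:<port> from a forward, then a reverse, lookup."""
    address = forward(server)      # name -> address
    fqdn = reverse(address)[0]     # address -> primary host name (PTR record)
    return f"MSSQLSvc/{fqdn}:{port}"

def predict_auth(server, port, registered_spns, **resolvers):
    """Return (formed_spn, outcome); outcome labels are this example's own."""
    try:
        formed = client_formed_spn(server, port, **resolvers)
    except OSError:                # gaierror/herror: name or PTR did not resolve
        formed = None
    # Assumption of this example: SPNs are matched without regard to case.
    registered = {spn.lower() for spn in registered_spns}
    if formed and formed.lower() in registered:
        return formed, "kerberos"
    if registered:
        return formed, "ad-retry"  # DNS-derived SPN invalid; SSPI looks in AD
    return formed, "ntlm"          # no SPN in AD: logon switches to NTLM

# Constructed sample data: the address and the stale PTR name are made up.
FORWARD = {"vqar13s11": "10.0.0.11"}
GOOD_PTR = {"10.0.0.11": "vqar13s11.ad1.polyserve.com"}
STALE_PTR = {"10.0.0.11": "stale-node.example.test"}
REGISTERED = ["MSSQLSvc/vqar13s11.ad1.polyserve.com:50004"]

def table_resolvers(ptr):
    """Offline stand-ins returning the same shapes as the socket functions."""
    def forward(name):
        if name not in FORWARD:
            raise socket.gaierror(f"unknown host {name}")
        return FORWARD[name]
    def reverse(address):
        return ptr[address], [], [address]
    return {"forward": forward, "reverse": reverse}

if __name__ == "__main__":
    for label, ptr, spns in [("good PTR", GOOD_PTR, REGISTERED),
                             ("stale PTR", STALE_PTR, REGISTERED),
                             ("no SPN in AD", GOOD_PTR, [])]:
        print(label, predict_auth("vqar13s11", 50004, spns, **table_resolvers(ptr)))
```

Called without the resolver arguments, `client_formed_spn` uses the real `socket` lookups, so running it on a client shows which SPN that client's DNS view would produce.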