 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
SQL Server Forum / Other Technologies / Service Broker / August 2008Service Broker not communicating between 2 instances
Hi, I am trying to get a sample service broker interaction working. I have followed the steps described in http://msdn.microsoft.com/en-us/library/bb839483.aspx. The initiator and the target are on different machines. When I send the message, SQL server says "Command(s) completed successfully." But when I check on the target, no messages have arrived on in the Target Queue. How can I debug the issue? Thanks, Yash Hi Yash, There's a couple of things you can do for starters. 1. If you have SQL Server 2008, you can run the ssbdiagnose.exe utility. This utility can diagnose configuration problems and also problems in a running system. 2. Check sys.transmission_queue on the sender's database. If the messages are there each message has a transmission_status field that may contain a reason why the message failed. 3. Run SQLProfiler on sender and receiver machines, selecting the Broker profiler events. There's a whitepaper I wrote with an example of what a cross-instance profiler trace should look like on each machine and some other troubleshooting info at http://www.microsoft.com/technet/prodtechnol/sql/2005/scaleout.mspx Hope this helps, Bob Beauchemin SQLskills > Hi, > [quoted text clipped - 12 lines] > Thanks, > Yash Hi, When I check the profiler on the Target server, I see Connection handshake failed. The login 'NT AUTHORITY\ANONYMOUS LOGON' does not have CONNECT permission on the endpoint. State 84. As described in the article at http://msdn.microsoft.com/en-us/library/bb839483.aspx, I have created a Target user on Target server and associated it with a certificate. I copied the .cer file to the Initiator and created a TargetUser : Use InstInitiatorDB ; DROP USER TargetUser; CREATE USER TargetUser WITHOUT LOGIN; DROP CERTIFICATE InstTargetCertificate; CREATE CERTIFICATE InstTargetCertificate AUTHORIZATION TargetUser FROM FILE = N'D:\Personal\EXPTS\SQL2K5\ServiceBroker\MultiInstance\MultiInstance \Certificates\InstTargetCertificate.cer' GO On the Initiator, the TargetBinding is created as CREATE REMOTE SERVICE BINDING TargetBinding TO SERVICE N'//TgtDB/2InstSample/TargetService' WITH USER = TargetUser; The reverse was done on the Target side. What could be the problem? Thanks, Yash > Hi Yash, > [quoted text clipped - 31 lines] > > Thanks, > > Yash That means that authentication for endpoint security (the service broker endpoint) isn't working. The items you're looking at are for conversation security (Service Broker has two kinds of security). Looking at the demo, in Lesson 1 and Lesson 2 in the CREATE ENDPOINT DDL statement, they are using AUTHENTICATION = WINDOWS. In order for Windows authentication to work with Service Broker endpoints, not only do "both computers have to be in the same domain or trusted domains" as the article says, but the SQL Server service account principal (the Windows user running the SQL Server service) on both machines must have a login on the other machine (a SQL Server login using integrated security) and have each login must have CONNECT privilege on the other's ENDPOINT. So that's likely why authentication is failing. So, find out which domain users are running both SQL Servers and give them each a login with CONNECT privilege on the other instance's ENDPOINT. Or use certificates for ENDPOINT authentication instead. Hope this helps, Bob Beauchemin SQLskills > Hi, > [quoted text clipped - 68 lines] >> > Thanks, >> > Yash Initiator and Target are running SQL Server using the Local System account. Both computers are in the same domain. The initiator has a Database user called InitiatorUser. I believe a certificate created in Initiator should be linked to this user. The .cer file should be sent to the Target and an InitiatorUser created there along with a certificate created from the .cer file. When the message is sent to the Target, this user from the Initiator will be used. Please correct me if I am wrong. How do we use certificates for ENDPOINT authentication? In the example at http://msdn.microsoft.com/en-us/library/bb839483.aspx, why do they create certificates? Thanks, Yash > That means that authentication for endpoint security (the service broker > endpoint) isn't working. The items you're looking at are for conversation [quoted text clipped - 90 lines] > >> > Thanks, > >> > Yash Hi Yash, With Windows Auth on the endpoint, it won't work to use Local System as the service account because Local System has no privileges outside of its own machine (no network identity). Using the same domain user as a service account on both instances would work. Using different domain users or the Network Service account as the service account would work if each domain user/other machine's network service had a login on the other instance and CONNECT privilege on each other's endpoint. This article http://msdn.microsoft.com/en-us/library/ms166077.aspx shows how to allow ENDPOINT security as certificates. Note that the example shows setting up one side of the authentication; if you are setting up both sides, you need to do this on both sides. Note that you must create a login and a user in the master database because users own certificates and logins have CONNECT privilege. In the example at http://msdn.microsoft.com/en-us/library/bb839483.aspx, they create certificates for server broker conversation security (this is distinct from endpoint security). This is used for authorization in the database in the target's side. Note that, on the target, SEND permission on the target service is granted to the user (in the target database) associated with the certificate (or the target database). This certificate was imported from a cerificate file for a certificate created in the initiator's database. Remote databases don't know about users created in other databases/instances, so when the initiator sends a message it's encrypted by the certificate owned by the user specified in the remote service binding/user that owns the service. On the target side, the user that owns the same certificate (and only that user) has SEND permission on the target service. Other messages/conversations will be rejected. Cheers, Bob Beauchemin SQLskills > Initiator and Target are running SQL Server using the Local System > account. Both computers are in the same domain. The initiator has a [quoted text clipped - 120 lines] >> >> > Thanks, >> >> > Yash After implementing ENDPOINT authentication through certificates, it works perfectly. Thanks Bob for all the support. > Hi Yash, > [quoted text clipped - 157 lines] > >> >> > Thanks, > >> >> > Yash |
Reply to this Message |
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2009 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.