SQL Server Forum / Other Technologies / Service Broker / June 2006

Problems with service broker network access

Alex Petrovsky - 23 Jun 2006 12:37 GMT
Hello,

I have some problems with Service Broker network access using Windows
Authentication. The source and target instances are started under Local
System. According to Books Online:

"Note:

If both instances run as the same domain account, then the instances can
always communicate using Windows Authentication for transport security. If
the instances run as the LocalSystem account, the login name is
MachineName$, and Kerberos must be available on the network to use the
machine account."

I created a login with the MachineName$ name, but the message send fails.

SQL Profiler represents the following:

Connection handshake failed. The login 'NT AUTHORITY\ANONYMOUS LOGON' does
not have CONNECT permission on the endpoint. State 84.

I tried to create an 'NT AUTHORITY\ANONYMOUS LOGON' login and granted
'connect to endpoint' to it, and the message was successfully delivered to the
target.
Remus Rusanu [MSFT] - 23 Jun 2006 23:29 GMT
MachineName$ accounts work only with Kerberos, and Kerberos requires Service
Principal Names (SPN) to be registered. The SPNs requested by Service Broker
are of the form MSSqlSvc/<machineName>:<port>. To register/unregister SPNs
use a program like SETSPN.EXE
(http://www.microsoft.com/downloads/details.aspx?familyid=5fd831fd-ab77-46a3-9cfe-ff01d29e5c46&displaylang=en).

Say you want to communicate between machine REMUSR01 and machine REMUSR02
and the endpoints are configured to use port 4022, you'd have to register
these two SPNs:
SETSPN -A MSSqlSvc/REMUSR01:4022 REMUSR01
SETSPN -A MSSqlSvc/REMUSR02:4022 REMUSR02

The name used in the SPN must coincide with the name used in the route
address.

To troubleshoot Kerberos problems, follow the guidelines from this document:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx


This posting is provided "AS IS" with no warranties, and confers no rights.

HTH,
~ Remus Rusanu

SQL Service Broker
http://msdn2.microsoft.com/en-us/library/ms166043(en-US,SQL.90).aspx
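
The rule in the reply above (the SPN name must coincide with the name in the route address) can be checked before testing delivery. The following is an added example, not code from the thread or from Microsoft: it derives the expected MSSqlSvc SPN from each route address and compares it with `setspn -L` output. The TCP://host:port route form, the corp.example domain and the sample listing are constructed assumptions.

```python
import re

# Constructed sample: route addresses (the TCP://host:port form is an assumption)
ROUTES = ["TCP://REMUSR02:4022", "TCP://remusr01.corp.example:4022"]

# Constructed sample of `setspn -L` output for the two machine accounts
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=REMUSR01,CN=Computers,DC=corp,DC=example:
        MSSqlSvc/REMUSR01:4022
        HOST/REMUSR01
Registered ServicePrincipalNames for CN=REMUSR02,CN=Computers,DC=corp,DC=example:
        MSSqlSvc/REMUSR02:4022
        HOST/REMUSR02
"""

ROUTE_RE = re.compile(r"^tcp://([^:/\s]+):(\d{1,5})$", re.IGNORECASE)

def expected_spn(route_address):
    """Build the MSSqlSvc/<machineName>:<port> SPN for one route address."""
    m = ROUTE_RE.match(route_address.strip())
    if not m:
        raise ValueError(f"not a TCP://host:port route address: {route_address!r}")
    return f"MSSqlSvc/{m.group(1)}:{m.group(2)}"

def registered_spns(setspn_listing):
    """Collect SPNs from `setspn -L` output (the indented lines under each header)."""
    spns = set()
    for line in setspn_listing.splitlines():
        if line[:1].isspace() and "/" in line:
            spns.add(line.strip().lower())  # SPN comparison is case-insensitive
    return spns

def missing_spns(routes, setspn_listing):
    """Return the expected SPNs that have no exact registration."""
    have = registered_spns(setspn_listing)
    return [spn for spn in map(expected_spn, routes) if spn.lower() not in have]

if __name__ == "__main__":
    for spn in missing_spns(ROUTES, SETSPN_OUTPUT):
        print("no SPN registered for route target:", spn)
```

In the constructed data the second route uses a fully qualified name while only the short name is registered, so it is reported as missing even though the machine is the same.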

Alex Petrovsky - 26 Jun 2006 12:57 GMT
It works!!! Thanks!
