How to run an R script (which has database connection using integrated windows authentication) on a remote machine under local username?
Consider the following scenario:
- Database server: DBServer
- R Server: RServer
- Orchestrator Server: Server1
We have following R Script (DB.r):
lib.directory = "D:\\RTest"
install.packages("RODBC", repos = "http://cran.us.r-project.org", lib = lib.directory)
library(RODBC, lib.loc = lib.directory)
db.string <- "driver={ODBC Driver 13 for SQL Server};server=DBServer;database=Databse1;trusted_connection=Yes;"
db.channel <- odbcDriverConnect(db.string)
close(db.channel)
Server1 executs the R script remotely on R Server using the following code:
PsExec.exe \\RServer "C:\Program Files\R\R-3.4.3\bin\Rscript.exe" "D:\RTest\DB.r"
I get the following error:
[RODBC] ERROR: state 28000, code 18456, message [Microsoft][ODBC Driver 13 for SQL Server][SQL Server]Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
How can we resolve this error without sending username and password as part of PsExec?
We are open to use any alternative way to replace PsExec.
The problem is not your code. You're seeing the classic kerberos "double-hop" problem. While Server1 knows your identity when you're logged onto your workstation using integrated Windows authentication also known as iwa, the RServer doesn't know your identity because what is passed to it from Server1 is not your identity token, but the machine account credentials of Server1 (Local System). Since anonymous access is probably not allowed onto RServer, the connection fails with: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
In this scenario, theRServer is basically "Server2" as depicted in the below screenshot. From the perspective of your client workstation, it is the 2nd hop away from you.
To make this work, you'll need to configure Kerberos delegation on Server1 for it to be able to pass any identity token to RServer so the connections will succeed. Note that this identity token will not be a username or password, but instead a Kerberos ticket. You configure configure Kerberos delegation on the account running the process that will be initiating the connection from Server1 to RServer. That account will need to have an spn. Read through the steps in this article to get a understanding of this problem and how to configure an SPN: Understanding Kerberos Double Hop
Further reference:
Web App getting Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
- How to put infinity and -infinity on a graph with plot
- Is there a way to make R beep/play a sound at the end of a script?
- Understanding why grepl doesn't appear to be correctly identifying words
- How to modify legend symbol for geom_text using key_glyph?
- In R, how to check if a data.table contains a column and if it doesnt, create it and fill it with NA?
- Adabag package in R
- Group variables into toplevel variables within tbl_summary()
- Scrape Home Run Leaderboard from Baseball Savant using R
- Little hack for ggplot -- an easy way to add a text with the real means and standard deviation when using lines or bars
- How to retrieve Common Table Expressions (CTEs) as a R list?
- R Calculate multiple aggregations on several variables
- How to force shiny to update UI before reactive process finishes
- How to change GitHub Actions OS from macOS to Windows or Ubuntu?
- Assigndifferent paletes to different geoms but same scale
- R: Error "incorrect number of subscripts on matrix" when trying boot with roc
- How do I reference a function parameter inside a data.table with a column of the same name?
- ggraph: adjusting text label position on circular dendrogram
- List all months between two dates in R
- How to get column-wise summary statistics with missing codes?
- How to display only integer values on an axis using ggplot2
- How do I plot two geom_textlines + one geom_bar in a single ggplot?
- Convert Canadian Postal Code to Longitude and Latitude
- Adding percentage instead of observed counts on y axis on R figure
- Compute the Beta function with negative arguments
- Long to wide format based on variable suffixes in tidyverse in R
- ggplot2 0.9.0 automatically dropping unused factor levels from plot legend?
- Testing async ExtendedTask with shinytest2
- Dynamic geom_text() pastes of labels across facets in fact_wrap()
- Check if a directory is empty in R
- Read large number of small files efficiently in R