
SSPI sql access fails in remote powershell request due to double-hop failure, constrained delegation

We are trying to run an automated install from serverA on remote serverB, which needs to talk to SQL Server on serverC using Windows authentication.

Invoke-Command -ComputerName serverB -ScriptBlock {

    $conn = New-Object System.Data.SqlClient.SqlConnection 'Data Source=ServerC;Initial Catalog=master;Integrated Security=SSPI'
    try {
        $conn.Open()        # this is the call that throws
    } finally {
        $conn.Dispose()     # Remove-SQLConnection is not a built-in cmdlet; Dispose() releases the connection
    }

} -Credential $cred

However, it fails, returning:

Exception calling "Open" with "0" argument(s): "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'."

We worked around this issue using:

Invoke-Command -ComputerName serverB -ScriptBlock { Register-PSSessionConfiguration -Name Ipswitch -RunAsCredential $using:cred -Force  } -Credential $cred

But we would prefer to use constrained Kerberos delegation.

We tried using the steps below to set up Kerberos delegation:

#run on serverC
Add-WindowsFeature RSAT-AD-PowerShell

Import-Module ActiveDirectory

$serverB = Get-ADComputer serverB
$serverC = Get-ADComputer serverC

# Grant resource-based Kerberos constrained delegation
Set-ADComputer -Identity $serverC -PrincipalsAllowedToDelegateToAccount $serverB

# Check the value of the attribute directly
$x = Get-ADComputer -Identity $serverC -Properties msDS-AllowedToActOnBehalfOfOtherIdentity

# Check the value of the attribute indirectly
Get-ADComputer -Identity $serverC -Properties PrincipalsAllowedToDelegateToAccount

# purge the Kerberos ticket cache of the LocalSystem logon session (0x3e7) on serverB
Invoke-Command -ComputerName $serverB.Name -Credential $cred -ScriptBlock {
    klist purge -li 0x3e7
}

After doing this, these two tests pass:

Invoke-Command -ComputerName serverB -ScriptBlock {

    Invoke-Command -ComputerName serverC -ScriptBlock {'hello world'} -Credential $using:cred
} -Credential $cred 

Invoke-Command -ComputerName serverB -ScriptBlock {

    Copy-Item '\\serverC\c$\file'

} -Credential $cred 

However, the SQL command still fails, and we have not been able to find a solution to it.

We found this same issue on GitHub, which seems identical, but with no answer:


  • Be sure to register an SPN for the SQL service account using setspn -A MSSQLSvc/<host>.<domain>:1433 <service account>
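The delegation script in the question and the SPN remark above each cover one of the pieces a Kerberos double hop to SQL Server depends on. The following diagnostic is an added example, not code from the question or from any linked issue; it checks both pieces in one place and then asks SQL Server which authentication scheme the hop actually negotiated. It assumes the RSAT ActiveDirectory module is installed where it runs, that $cred is the same credential the question uses, and that SQL Server on serverC listens on port 1433; the function and parameter names are my own.

```powershell
# Added example (not code from the question): verify the prerequisites of a
# Kerberos double hop from serverB to SQL Server on serverC, then report the
# auth scheme the hop really used. Assumes RSAT AD module, $cred as in the
# question, SQL Server on port 1433. Function and parameter names are assumptions.
Import-Module ActiveDirectory

function Test-SqlDoubleHop {
    param(
        [string]$FrontEnd = 'serverB',   # middle hop that opens the SQL connection
        [string]$SqlHost  = 'serverC',   # host running SQL Server
        [int]$Port        = 1433,
        [pscredential]$Credential,
        [switch]$Apply                   # also grant RBCD on the SPN owner when it is missing
    )

    $front = Get-ADComputer $FrontEnd
    $sql   = Get-ADComputer $SqlHost

    # 1. The client asks the KDC for a ticket to MSSQLSvc/<fqdn>:<port>. If no account
    #    holds that SPN, SSPI falls back to NTLM, which cannot be delegated, and the
    #    second hop arrives at SQL Server as NT AUTHORITY\ANONYMOUS LOGON.
    $spn    = "MSSQLSvc/$($sql.DNSHostName):$Port"
    $owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'")
    if ($owners.Count -ne 1) {
        return [pscustomobject]@{ Spn = $spn; SpnOwners = $owners.Count; Result = 'SPN missing or duplicated' }
    }
    $owner = $owners[0]

    # 2. Resource-based constrained delegation lives on the account that owns the SPN.
    #    That is the computer account only when SQL Server runs as LocalSystem or
    #    Network Service; a domain service account or gMSA must carry it instead.
    $getter = switch ($owner.ObjectClass) {
        'computer'                        { 'Get-ADComputer' }
        'user'                            { 'Get-ADUser' }
        'msDS-GroupManagedServiceAccount' { 'Get-ADServiceAccount' }
        default { return [pscustomobject]@{ Spn = $spn; SpnOwner = $owner.Name; Result = "unsupported owner class $($owner.ObjectClass)" } }
    }
    $setter   = $getter -replace '^Get', 'Set'
    $ownerObj = & $getter -Identity $owner.DistinguishedName -Properties PrincipalsAllowedToDelegateToAccount
    $allowed  = @($ownerObj.PrincipalsAllowedToDelegateToAccount)
    $rbcdOk   = $allowed -contains $front.DistinguishedName
    if (-not $rbcdOk -and $Apply) {
        & $setter -Identity $owner.DistinguishedName -PrincipalsAllowedToDelegateToAccount $front
        $rbcdOk = $true
    }

    # 3. Ask SQL Server what the hop negotiated. KERBEROS means the ticket was delegated;
    #    NTLM, or a login failure, means one of the pieces above is still wrong.
    $scheme = Invoke-Command -ComputerName $FrontEnd -Credential $Credential -ArgumentList $SqlHost -ScriptBlock {
        param($SqlHost)
        $conn = New-Object System.Data.SqlClient.SqlConnection "Data Source=$SqlHost;Initial Catalog=master;Integrated Security=SSPI"
        try {
            $conn.Open()
            $cmd = $conn.CreateCommand()
            $cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
            $cmd.ExecuteScalar()
        } catch {
            "FAILED: $($_.Exception.Message)"
        } finally {
            $conn.Dispose()
        }
    }

    [pscustomobject]@{
        Spn         = $spn
        SpnOwner    = $owner.Name
        OwnerClass  = $owner.ObjectClass
        RbcdGranted = $rbcdOk
        AuthScheme  = $scheme
    }
}

Test-SqlDoubleHop -Credential $cred | Format-List
```

Run it first without -Apply to see which piece is missing; if RBCD had to be granted, purge the LocalSystem ticket cache on serverB (the klist purge step the question already shows) before re-running, because serverB keeps using the ticket it already holds until it is discarded. An AuthScheme of KERBEROS is the result to look for; NTLM with a successful login only means the service account happened to match locally and does not show that delegation works.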