SQL, Kerberos
一、情境:
本機使用SSMS→連到第二方SQL Server(Always On)→用Linkserver連到第三方SQL Server作業
Error: 18456, Severity: 14, State: 5.
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Could not find a login matching the name provided.
二、解決進度:
1. 到SQL Error log 確定SQL Server Network Interface liberary 有成功註冊兩個SPN for SQL Service 
2. 因為是Always On,SQL服務實際上是建在Listener上,故需要手動註冊Listener 為SPN
To get Kerberos working on availability groups you must also set a SPN on the virtual network name.
The domain administrator needs to manually register a Service Principal Name (SPN) with Active Directory on the SQL Server service account for the virtual network name (VNN) of the availability group listener. If the SPN is registered on an account other than the SQL Server service account, authentication will fail.
3. 然後是AD上電腦名稱(本情境為Always On)的Listener,也就是第二點提到的 virtual network name設定Deligation(委派)
Service Name選兩個,SQL Service所在的Virtual Name
4. 然後設定SQL 委派帳號物件的Deligation,我是選擇第三種只挑SQL Service同第3點
重點整理:
1. 因為是Always On環境,故SQL Error Log中看到的兩筆自動註冊SPN是註冊實體Server Name故沒用,
需要手動在AD上註冊Listener為SPN
2. 在AD為SQL啟動帳號與Listener設定委派,Trust this user for deligation to any service(Kerberos only)
3. 在AD為Listener 建立SPN,選擇信任這台電腦,只委派指定服務,只使用Kerberos
選擇MSSQLsvc與MSSQLsvc :1433兩個Service