Clustered instance: Kerberos double-hop dilemma

We recently migrated our virtualized SQL databases to a bare-metal solution in an active/active cluster. Everything works well except SQL Reporting.

OK, here is a brief overview of the setup as it relates to SQL and reporting:

  • XXYYSQ01 is our old virtual SQL server, which now runs Reporting Services.
  • XXYYSQ1 is a new SQL server running on bare metal. It does not contain the database we are trying to access.
  • XXYYSQ2 is the other new bare-metal SQL server. It runs the database we want to access.
  • SQLCLUSTERDB\DATABASE is the name of the clustered instance hosting the database we want to access.

Now, when someone opens the Reporting Services website from their desktop and tries to run a report, they get the dreaded "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" error. So I added the required SPNs for the Reporting Services service user:

H:\>setspn -L DOMAIN\ssrs-user
Registered ServicePrincipalNames for CN=ssrs-user,OU=Systems,DC=domain,DC=local:
        MSSQLSvc/SQLCLUSTERDB.domain.local:DATABASE
        MSSQLSvc/SQLCLUSTERDB:DATABASE
        http/xxyysq01

Refresh... still doesn't work. My Google searches led me to add the service user to the "Act as part of the operating system" and "Impersonate a client after authentication" user rights. Still nothing.

I looked at the error logs. XXYYSQ01 gives this:

An account was successfully logged on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

New Logon:
    Security ID:        DOMAIN\amason
    Account Name:       amason
    Account Domain:     DOMAIN
    Logon ID:       0x2d70c77c4
    Logon GUID:     {955a0a82-c5cf-ca60-d063-cc4a32a363be}

Process Information:
    Process ID:     0x0
    Process Name:       -

Network Information:
    Workstation Name:   
    Source Network Address: -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:      Kerberos
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

XXYYSQ2 gives me:

An account was successfully logged on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

New Logon:
    Security ID:        ANONYMOUS LOGON
    Account Name:       ANONYMOUS LOGON
    Account Domain:     NT AUTHORITY
    Logon ID:       0xe684d0c85
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:     0x0
    Process Name:       -

Network Information:
    Workstation Name:   XXYYSQ01
    Source Network Address: -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:      NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only):   NTLM V1
    Key Length:     128

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

and:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: RE.DA.CT.ED]

Argh.

Am I missing something here? I can run the reports fine from XXYYSQ01 itself, so I'm sure this is a double-hop problem. But from what I've read, what I've done so far should fix it. I checked, and there are no duplicate SPNs.

I also changed the authentication in the rsreportserver.config file to Negotiate/Kerberos. The connection string is Server=SQLCLUSTERDB\DATABASE;Initial Catalog=Database

Any help would be greatly appreciated.
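As an added diagnostic example (not part of the original post): a small Python parser for the 4624 event bodies quoted above that classifies each hop. A Kerberos logon for a real user on the SSRS host is the first hop working; an NTLM logon as ANONYMOUS LOGON arriving at the SQL node with the SSRS server as Workstation Name is the double-hop failure. The event bodies are trimmed copies of the ones in the post; the host name XXYYSQ01 comes from the post.

```python
import re

# Constructed samples: the two 4624 bodies quoted in the post, trimmed to the fields read below.
EVENT_SSRS_HOST = """An account was successfully logged on.
New Logon:
    Security ID:        DOMAIN\\amason
    Account Name:       amason
Network Information:
    Workstation Name:   
Detailed Authentication Information:
    Logon Process:      Kerberos
    Authentication Package: Kerberos
"""
EVENT_SQL_NODE = """An account was successfully logged on.
Subject:
    Account Name:       -
New Logon:
    Security ID:        ANONYMOUS LOGON
    Account Name:       ANONYMOUS LOGON
Network Information:
    Workstation Name:   XXYYSQ01
Detailed Authentication Information:
    Logon Process:      NtLmSsp 
    Authentication Package: NTLM
    Package Name (NTLM only):   NTLM V1
"""
FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")

def parse_4624(text):
    """Flatten 'Key: value' lines into a dict; New Logon follows Subject, so
    its Account Name replaces the Subject's '-' for the same key."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def diagnose(fields, middle_tier_host):
    """Kerberos logon for a real user: first hop fine. NTLM ANONYMOUS LOGON
    arriving from the middle tier: second hop fell back to NTLM because no
    Kerberos ticket for the user could be forwarded (the double-hop failure)."""
    package = fields.get("Authentication Package", "").upper()
    user = fields.get("Account Name", "").upper()
    workstation = fields.get("Workstation Name", "").upper()
    if package == "KERBEROS" and user not in ("", "-", "ANONYMOUS LOGON"):
        return "kerberos-ok"
    if package == "NTLM" and user == "ANONYMOUS LOGON" and workstation == middle_tier_host.upper():
        return "double-hop-failed"
    return "other"
```

Run over real exports of the Security log, the same pair of results (Kerberos on the middle tier, NTLM/ANONYMOUS LOGON from the middle tier on the back end) is the signature to look for before touching SPNs again.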

Answer 1

Found it. The solution was to give the service account permission to create its own SPNs. To do that, just grant SELF read and write permission on the servicePrincipalName attribute:

[Screenshot: permissions dialog granting SELF read/write on the servicePrincipalName attribute]

Once that's done, you need to restart the SQL service. Don't use the Services snap-in with a clustered SQL Server! The failover cluster service will treat this as a failure and fail it over.
