Various Login Errors when attempting to implement Kerberos

[DetRich]

Sponsored Links

Hello,

Environment:
3 BizTalk servers in a group
2 clustered SQL nodes.
Node-A has the BizTalk databases (Node-A\INST1)
Node-B has BAM and SSODB databases (Node-B\Inst2)

We are attempting to implement Kerberos authentication from our BizTalk 2006 R2 servers to clustered SQL Server 2005 servers.

Process:
Edit BizTalk config file to use kerberos.
Create SPN's. We create a total of 8 SPN's.
Restart SQL instances

Problem History:
After completing the 3 steps above, we get various errors in the SQL logs:
- Error 18456, login failed for "domain\user". [SQLSTATE 28000]. User account is for the account running SQL.
- Login to server "Node-A\INST1" failed (ConnAttemptCachableOp)
- Login to server "Node-A\INST1" failed (ConnUpdateJobActivity_NextScheduledRunDate)
- Login to server "Node-A\INST1" failed (JobManager)
- Login failed for user "domain\user". [Client: [url]www.xxx.yyy.zzz] (Here, the user is the account running the BizTalk services)
- Error 18456, Severity 14, State: 16
- Error 18456, Severity 14, State: 11

On yesterday's attempt to try this, the BizTalk host instances all stopped while the SPN's existed. Once the SPN's were deleted, the host instances all started w/o operator intervention.

On the BizTalk servers, the application logs have errors which say the following:

SSO AUDIT
Function: GetConfigInfo ({9284BE78-FAB5-41A6-A121-8F9821882452})
Tracking ID: c3fcbbae-5400-4b06-bd6e-ba1285965fe6
Client Computer: <BizTalk server FQDN> (BTSNTSvc.exe:3956)
Client User: -
Application Name: {9284BE78-FAB5-41A6-A121-8F9821882452}
Error Code: 0xC0002A10, Enterprise Single Sign-On is offline.

We have no idea why we're getting these errors. We know that the accounts and passwords are correct. They have not been changed in ages. We can logon to servers using these accounts.

Can anyone help by providing some insight here? We're really struggling.

Thanks in advance,
DetRich

[Janos™]

What happens when you try to start SQL Server in Single User Mode and then can you also try to logon as (local)\Administrator. If they are Windows logins, try dropping them and readding them. Do the same for the database users. The logins may have been dropped and readded in the AD.

[DetRich]

Have not tried running SQL in Single User Mode.
I plan on dropping and re-adding the account is SQL. From a previous post, I understand there may be a SID mis-match because the account may have been dropped/re-added in the past.