We are trying to run an automated install from serverA on remote serverB which needs to talk to sql serverC using windows authentication.
Invoke-Command -ComputerName serverB -ScriptBlock {
    $conn = New-Object System.Data.SqlClient.SqlConnection 'Data Source=ServerC;Initial Catalog=master;Integrated Security=SSPI'
    try {
        $conn.Open()
    } finally {
        # Remove-SQLConnection is not a built-in cmdlet; Dispose() closes and releases the connection
        $conn.Dispose()
    }
} -Credential $cred
However it fails returning:
Exception calling "Open" with "0" argument(s): "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'."
We worked around this issue using:
Invoke-Command -ComputerName serverB -ScriptBlock { Register-PSSessionConfiguration -Name Ipswitch -RunAsCredential $using:cred -Force } -Credential $cred
But we would prefer to use constrained kerberos delegation:
https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=powershell-6#resource-based-kerberos-constrained-delegation
We tried the steps below to perform Kerberos delegation:
##########################
#run on serverC
##########################
Add-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory
$serverB = Get-ADComputer serverB
$serverC = Get-ADComputer serverC
# Grant resource-based Kerberos constrained delegation
Set-ADComputer -Identity $serverC -PrincipalsAllowedToDelegateToAccount $serverB
# Check the value of the attribute directly
$x = Get-ADComputer -Identity $serverC -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
$x.'msDS-AllowedToActOnBehalfOfOtherIdentity'.Access
# Check the value of the attribute indirectly
Get-ADComputer -Identity $serverC -Properties PrincipalsAllowedToDelegateToAccount
# Purge the Kerberos ticket cache of the SYSTEM logon session (0x3e7) on serverB
Invoke-Command -ComputerName $serverB.Name -Credential $cred -ScriptBlock {
    klist purge -li 0x3e7
}
After doing this, these two tests pass:
Invoke-Command -ComputerName serverB -ScriptBlock {
    Invoke-Command -ComputerName serverC -ScriptBlock {'hello world'} -Credential $using:cred
} -Credential $cred
Invoke-Command -ComputerName serverB -ScriptBlock {
    Copy-Item '\\serverC\c$\file'
} -Credential $cred
However, the SQL command still fails, and we have not been able to find a solution.
We found what looks like the identical issue on GitHub, but it has no answer: https://github.com/PowerShell/PowerShell/issues/9331
Be sure to register an SPN for the SQL service account using SetSPN -A MSSQLSvc/.:1433
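A way to narrow down where the second hop breaks, as an added diagnostic script that is not part of the question or of the answer above. It is run from serverA with the same $cred, serverB and serverC as the question, and assumes the RSAT ActiveDirectory module is installed on serverA. It checks three things a defender would look at in this order: whether an MSSQLSvc SPN exists at all for the SQL host (no SPN means no Kerberos service ticket, so the client silently falls back to NTLM, which cannot be forwarded and shows up as ANONYMOUS LOGON), whether the delegation attribute was granted on the object that actually owns that SPN (when SQL Server runs under a domain service account, msDS-AllowedToActOnBehalfOfOtherIdentity must be set on that account, not on the serverC computer object), and finally what authentication scheme SQL Server itself reports for the connection made from serverB.

```powershell
# Added diagnostic example; not code from the question or the answer.
# Run on serverA. $cred, serverB and serverC are the values used in the question.
Import-Module ActiveDirectory

$middleServer = 'serverB'   # the host doing the second hop
$sqlServer    = 'serverC'   # the SQL Server host
$sqlSpn       = "MSSQLSvc/$sqlServer"   # port/instance suffix is matched with a wildcard below

# 1. Which AD object owns the MSSQLSvc SPN for serverC? (computer account or service account)
$spnOwners = Get-ADObject -LDAPFilter "(servicePrincipalName=$sqlSpn*)" `
                          -Properties servicePrincipalName, 'msDS-AllowedToActOnBehalfOfOtherIdentity'
if (-not $spnOwners) {
    Write-Warning "No SPN matching $sqlSpn* is registered; Kerberos to SQL Server cannot be used."
}

# 2. For each SPN owner, show who is allowed to act on its behalf (the RBCD grant).
#    The question grants delegation on the serverC computer object; if the SPN is owned
#    by a separate service account, that account is the one that needs the grant.
foreach ($owner in $spnOwners) {
    $acl = $owner.'msDS-AllowedToActOnBehalfOfOtherIdentity'
    $allowed = if ($acl) { ($acl.Access | ForEach-Object { $_.IdentityReference.Value }) -join ', ' } else { '<none>' }
    [pscustomobject]@{
        SpnOwner            = $owner.Name
        ObjectClass         = $owner.ObjectClass
        MatchingSpns        = ($owner.servicePrincipalName | Where-Object { $_ -like "$sqlSpn*" }) -join ', '
        AllowedToActOnBehalf = $allowed
    }
}

# 3. From serverB, ask SQL Server which scheme authenticated the session and
#    check whether serverB could obtain a service ticket for the SPN at all.
$hopResult = Invoke-Command -ComputerName $middleServer -Credential $cred -ScriptBlock {
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    # Request a service ticket for the SQL SPN; output lists it, or an error if none can be issued
    $ticket = & klist get "$using:sqlSpn`:1433" 2>&1 | Out-String

    $conn = New-Object System.Data.SqlClient.SqlConnection `
        "Data Source=$using:sqlServer;Initial Catalog=master;Integrated Security=SSPI"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # KERBEROS here means the second hop works; NTLM or a login failure means it does not
        $cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        $scheme = [string]$cmd.ExecuteScalar()
    } catch {
        $scheme = "FAILED: $($_.Exception.Message)"
    } finally {
        $conn.Dispose()
    }
    [pscustomobject]@{ RunningAs = $who; TicketRequest = $ticket.Trim(); SqlAuthScheme = $scheme }
}
$hopResult | Format-List
```

Read the three outputs together: an empty SPN list, or an SPN owner whose AllowedToActOnBehalf column does not contain serverB, explains the ANONYMOUS LOGON failure without touching SQL Server's own logs. Once those are right, SqlAuthScheme should report KERBEROS; if klist on serverB reports a ticket for the SPN but SQL still fails, the remaining suspects are a stale ticket cache (the klist purge from the question) or the SQL service account not being the SPN owner that received the grant.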