Hi, hoping someone can help. We're in the process of migrating to a new SQL instance and bulk load / insert from SMB share isn't working in SSMS or via SQL agent job.
I'm reasonably confident it's Kerberos delegation, as I see ANONYMOUS in the file server audit log with constrained delegation, and when I temporarily enable unconstrained delegation it works fine, showing my own domain account in the audit log of the file server.
We're using a managed service account
PS C:\>setspn -L msa$
Registered ServicePrincipalNames for CN=MSA,CN=Managed Service Accounts,DC=Domain,DC=com:
MSSQLSvc/sql02.domain.com:1433
MSSQLSvc/sql02.domain.com
Have allowed for constrained delegation
Set-ADAccountControl -Identity msa$ -TrustedForDelegation $false -TrustedToAuthForDelegation $false
Set-ADAccountControl -Identity sql02$ -TrustedForDelegation $false -TrustedToAuthForDelegation $false
Have set SPNs for CIFS on file servers
PS C:\> setspn -L server04
Registered ServicePrincipalNames for CN=server04,OU=Servers,DC=domain,DC=com:
cifs/server04.domain.com
cifs/server04
Confirmed delegation is set
PS C:\> Get-ADServiceAccount -Identity msa -Properties * | select msds-allowedtodelegateto,hostcomputers
msds-allowedtodelegateto                  hostcomputers
------------------------                  -------------
{cifs/server04.domain.com, cifs/server04} {CN=SQL02,OU=Servers,DC=domain,DC=com}
I ran sqlcheck from Microsoft and this looks fine, only warning trusted for delegation is false but I believe that is the expected result with constrained delegation. Would like to have shared that but kept getting "file upload failed, please try again"
What am I missing?
Thanks
Use the MS SQL Server Kerberos Configuration Manager to validate and may fix the issue.
Free download at
https://www.microsoft.com/en-us/download/details.aspx?id=39046
Hi @Chris W
"as I see ANONYMOUS in the file server audit log with constrained delegation"
Seems like your SQL Server instance and the SQL Server Agent service are unable to impersonate the user to access the SMB share.
Please make sure the constrained delegation is configured correctly. Review this tech doc: How to configure Kerberos Constrained Delegation for Web Enrollment proxy pages.
Best regards,
Cosmog
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
I've managed to resolve this by swapping from "Use Kerberos only" to "Use any authentication protocol". I don't really understand why it didn't work though; a query to SQL says it's using Kerberos, and the event log on the file server shows Kerberos too - something for another day.
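One way to confirm which of the delegation modes discussed in this thread an account is really in, as an added example that is not part of the original posts: it decodes the delegation bits of userAccountControl together with msDS-AllowedToDelegateTo. The helper name Get-DelegationMode and the sample userAccountControl values are constructed for illustration.

```powershell
# Added example: classify an account's Kerberos delegation mode from its
# userAccountControl bits and its msDS-AllowedToDelegateTo SPN list.
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("Use any authentication protocol")

function Get-DelegationMode {                # hypothetical helper name
    param(
        [Parameter(Mandatory)] [int] $UserAccountControl,
        [string[]] $AllowedToDelegateTo = @()
    )
    $unconstrained = [bool]($UserAccountControl -band $TRUSTED_FOR_DELEGATION)
    $transition    = [bool]($UserAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
    $hasTargets    = $AllowedToDelegateTo.Count -gt 0

    $mode = if ($unconstrained) {
        'Unconstrained (delegation to any service)'
    } elseif ($hasTargets -and $transition) {
        'Constrained - use any authentication protocol'
    } elseif ($hasTargets) {
        'Constrained - use Kerberos only'
    } elseif ($transition) {
        'Protocol transition flag set but no target SPNs listed'
    } else {
        'No delegation'
    }
    [pscustomobject]@{
        Mode       = $mode
        TargetSPNs = $AllowedToDelegateTo -join ', '
    }
}

# Constructed sample values (0x1000 = WORKSTATION_TRUST_ACCOUNT as the base flag).
$spns = 'cifs/server04.domain.com', 'cifs/server04'
$samples = [ordered]@{
    'Kerberos only (as first configured)' = @{ Uac = 0x1000;                  Spns = $spns }
    'Any protocol (the reported fix)'     = @{ Uac = 0x1000 -bor 0x1000000;   Spns = $spns }
    'Unconstrained (temporary test)'      = @{ Uac = 0x1000 -bor 0x80000;     Spns = @() }
}
foreach ($name in $samples.Keys) {
    $r = Get-DelegationMode -UserAccountControl $samples[$name].Uac -AllowedToDelegateTo $samples[$name].Spns
    '{0,-38} -> {1}' -f $name, $r.Mode
}

# Against a live directory (requires the ActiveDirectory module):
#   $a = Get-ADServiceAccount -Identity msa -Properties userAccountControl,'msDS-AllowedToDelegateTo'
#   Get-DelegationMode -UserAccountControl $a.userAccountControl -AllowedToDelegateTo $a.'msDS-AllowedToDelegateTo'
```

Running the check after each change shows whether the directory actually holds the mode selected in the Delegation tab, and an "Unconstrained" result left over from testing is the one to revert first.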