SSISDB Catalog and Delegation in Double-Hop Scenarios

Introduction

Managing SQL Server Integration Services (SSIS) in complex, multi-server environments can present challenges, especially when it comes to credential delegation across multiple servers—a situation often referred to as the “double-hop” problem. In this post, we’ll explore how the SSISDB catalog handles delegation, the default behavior, and how to configure delegation to ensure your SSIS packages run smoothly across different servers.

Understanding the Double-Hop Problem with SSISDB

By default, remotely invoking SSIS packages stored in the SSISDB catalog does not support the delegation of credentials across multiple servers. This limitation leads to the double-hop issue, where authentication fails when credentials need to pass through more than one server.

Consider the following scenario:

1. A user logs into Machine A (the client computer) and opens SQL Server Management Studio (SSMS).
2. From SSMS on Machine A, the user connects to a SQL Server instance on Machine B, which hosts the SSISDB catalog containing the desired SSIS package.
3. The SSIS package on Machine B needs to access resources on Machine C, such as another SQL Server instance or a file share.

In this setup, Machine B must delegate the user’s credentials from Machine A to Machine C to execute the SSIS package successfully. However, by default, the SSIS execution process (ISServerExec.exe) on Machine B cannot pass these credentials to Machine C without additional configuration. This inability results in authentication failures when the package tries to access resources on Machine C.

Configuring Unconstrained Delegation

To enable credential delegation in this scenario, you can configure unconstrained delegation for the SQL Server service account on Machine B. Here’s how:

1. Grant Delegation Rights

In Active Directory Users and Computers, locate the service account under which the SQL Server instance is running on Machine B. Open the account’s properties, navigate to the Delegation tab, and select Trust this user for delegation to any service (Kerberos only).

This permission enables Machine B’s SQL Server instance to pass the credentials to Machine C, allowing successful authentication for double-hop scenarios.

2. Ensure Proper SPNs Are Registered

Service Principal Names (SPNs) must be correctly registered for the SQL Server service on Machine B to support Kerberos authentication.

By granting this permission, you’re allowing the SQL Server service on Machine B to delegate user credentials to any service on any server (hence “unconstrained”). This configuration enables the SSIS execution process to authenticate to Machine C using the user’s credentials, resolving the double-hop issue.

Important Security Considerations

• Security Risks: Unconstrained delegation allows the specified service account to impersonate users to any service, which can be a significant security risk.
• Consult Security Policies: Before enabling unconstrained delegation, consult your organization’s security team to ensure compliance with internal policies and risk management practices.

Limitations with SSISDB and Constrained Delegation

For enhanced security, organizations often prefer constrained delegation, which restricts credential delegation to specific services. However, SSISDB currently does not support constrained delegation in scenarios involving the execution of SSIS packages from the SSISDB catalog.

This limitation poses challenges in environments where:

• Windows Defender Credential Guard is enabled. Credential Guard enforces the use of constrained delegation and prevents unconstrained delegation configurations.
• Strict Security Policies prohibit unconstrained delegation due to the associated risks.

In such environments, SSIS packages that need to access resources on remote servers (Machine C) may fail to authenticate because the necessary credential delegation is not permitted.

Key Takeaways

• Double-Hop Challenges: When executing SSIS packages that access resources on multiple servers, the double-hop authentication issue can prevent successful execution.
• Unconstrained Delegation Solution: Configuring unconstrained delegation for the SQL Server service account on Machine B enables credential delegation to Machine C, resolving the double-hop problem.
• Security Implications: Unconstrained delegation carries security risks. It’s crucial to assess these risks and consult with your security team before implementation.
• SSISDB Limitations: SSISDB does not support constrained delegation for executing packages from the SSISDB catalog, limiting options in environments with strict security requirements.

Planning for Secure and Effective SSISDB Implementations

Understanding the limitations and configuration requirements of SSISDB in double-hop scenarios is essential for effective planning:

• Assess Your Environment: Determine if your SSIS packages require access to resources on multiple servers and if the double-hop issue applies.
• Consult Security Teams: Work with your organization’s security professionals to evaluate the risks of unconstrained delegation and explore possible alternatives.
• Explore Alternatives: If unconstrained delegation is not acceptable, consider redesigning your SSIS packages or infrastructure to avoid the need for credential delegation. Options include:
  • Using SQL Server Agent Proxies: Configure SQL Server Agent jobs to run SSIS packages under proxy accounts with the necessary permissions.
  • Implementing Credential Manager: Store credentials securely and have the SSIS package use them for authentication.
  • Package Redesign: Modify packages to minimize cross-server authentication or use alternative authentication methods like SQL Server authentication.

By carefully considering these factors, you can design SSISDB implementations that meet your organization’s operational needs while adhering to security policies.