FAQ: Is Windows Authentication supported with a distributed ArcSDE SQL Server configuration?


Is Windows Authentication supported with a distributed ArcSDE SQL Server configuration?


No, not for application server connections. A distributed configuration, where the ArcSDE service and SQL Server are installed on different machines, is supported only with SQL Server-authenticated logins.

In an application server configuration, each client connection is handled by the ArcSDE service, or giomgr, which starts a dedicated server process, or gsrvr, for that connection. The gsrvr connects to SQL Server using the credentials supplied by the connecting user. If the user supplies a SQL Server login, the gsrvr simply connects to SQL Server with that login and password. If the user connects with a Windows-authenticated login, the giomgr must use impersonation to launch the gsrvr under that user's Windows security context.

Windows allows an impersonated security context to access local resources, such as a local gsrvr process connecting to a SQL Server instance on the same machine. However, Windows will not forward an impersonated context to a remote resource, such as a SQL Server instance on another server, because the impersonation token holds no credentials that can be presented to a second machine. This is known as the 'double-hop' issue, and it is inherent to the default NT LAN Manager (NTLM) authentication scheme used by Windows. When it occurs, the remote SQL Server typically logs a failed login for NT AUTHORITY\ANONYMOUS LOGON rather than for the connecting user.

A common solution to this issue is to enable Kerberos delegation for the machine where ArcSDE is installed. This requires, at a minimum, a registered service principal name (SPN) for the SQL Server service so that Kerberos rather than NTLM is negotiated, and a computer or service account for the ArcSDE host that Active Directory trusts for delegation; where delegation is enabled, constrain it to the SQL Server SPN only rather than to any service, since an unconstrained host can impersonate every connecting user to any Kerberos-protected service on the network. However, there are so many variables imposed by the operating system, Active Directory, and varying levels of network security that ESRI cannot reasonably predict whether this configuration will work on any given server.
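The double-hop failure described above, and the delegation prerequisites, are easiest to confirm by reproducing the hop. The following PowerShell script is an added example; it is not from the ESRI article and is not ArcSDE code. It runs from a workstation, uses PowerShell remoting to obtain an impersonated session on the ArcSDE host (standing in for giomgr launching a gsrvr), tries to open a Windows-authenticated connection from there to the remote SQL Server, and asks SQL Server which authentication scheme and login it actually saw. The host names arcsde01 and sqlserver01, port 1433, and the presence of the RSAT ActiveDirectory module on the workstation are assumptions.

```powershell
# Added example (not part of the ESRI article): reproduce the NTLM "double hop"
# through the ArcSDE host and check the Kerberos delegation prerequisites.
# Assumed, illustrative names: ArcSDE service on arcsde01, SQL Server on
# sqlserver01:1433, both domain joined; run as a domain user from a workstation
# with the RSAT ActiveDirectory module installed.
param(
    [string]$ArcSdeHost = "arcsde01",
    [string]$SqlHost    = "sqlserver01",
    [int]   $SqlPort    = 1433
)

Import-Module ActiveDirectory

# --- 1. Is there an SPN for the SQL Server service? Without one the client
#        negotiates NTLM, and an NTLM network logon can never be delegated.
#        (The SPN may be registered on the host name or the FQDN; check both forms.)
$spn = "MSSQLSvc/{0}:{1}" -f $SqlHost, $SqlPort
$spnOwner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
if ($spnOwner) { "SPN $spn is held by $($spnOwner.Name)" }
else           { Write-Warning "No SPN '$spn' found; clients will fall back to NTLM for this endpoint" }

# --- 2. Is the ArcSDE host allowed to delegate? When giomgr runs as LocalSystem
#        the computer account is the delegating principal; if it runs under a
#        domain service account, query that account with Get-ADUser instead.
$acct = Get-ADComputer -Identity $ArcSdeHost -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
if ($acct.TrustedForDelegation) {
    Write-Warning "$ArcSdeHost is trusted for UNCONSTRAINED delegation: it can impersonate any connecting user to any service"
} elseif ($acct.'msDS-AllowedToDelegateTo' -contains $spn) {
    "$ArcSdeHost is constrained to delegate only to $spn (least privilege)"
} else {
    Write-Warning "$ArcSdeHost is not trusted for delegation to $spn; the second hop will fail"
}

# --- 3. Reproduce the second hop. The remoting session on the ArcSDE host holds an
#        impersonation token, as a gsrvr launched by giomgr would. From there, open a
#        Windows-authenticated connection to SQL Server and ask which scheme it saw.
$secondHop = Invoke-Command -ComputerName $ArcSdeHost -ArgumentList $SqlHost, $SqlPort -ScriptBlock {
    param($SqlHost, $SqlPort)
    # Add Encrypt=True once SQL Server presents a trusted certificate, so that a
    # failed test is about authentication and not about TLS.
    $cs = "Server=$SqlHost,$SqlPort;Integrated Security=SSPI;Connect Timeout=10"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT c.auth_scheme, SUSER_SNAME() AS login_name " +
                           "FROM sys.dm_exec_connections AS c WHERE c.session_id = @@SPID"
        $rdr = $cmd.ExecuteReader()
        [void]$rdr.Read()
        [pscustomobject]@{ Connected = $true; AuthScheme = $rdr['auth_scheme']; LoginName = $rdr['login_name']; Error = $null }
    } catch {
        # The classic double-hop symptom is:
        # "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'"
        [pscustomobject]@{ Connected = $false; AuthScheme = $null; LoginName = $null; Error = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

$secondHop | Format-List Connected, AuthScheme, LoginName, Error
if ($secondHop.Connected -and $secondHop.AuthScheme -ne 'KERBEROS') {
    Write-Warning "Connected over $($secondHop.AuthScheme), so delegation is not in effect; expect gsrvr failures on the real path"
}
```

A result of Connected = True with AuthScheme = KERBEROS and LoginName equal to the invoking user is the outcome the delegation setup is meant to produce. A failure naming ANONYMOUS LOGON, or a connection that succeeds only because the session happened to use cached NTLM credentials locally, reproduces the double-hop limitation the article describes. Running the check from a workstation rather than on the ArcSDE host itself matters: a connection opened directly on arcsde01 is only the first hop and says nothing about whether impersonated users can get through.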

There are three alternatives to a distributed application server configuration with SQL Server and Windows Authentication:

▪ Use a direct connect. The client application connects to SQL Server itself with its own credentials, so there is a single hop and no separate ArcSDE service process has to impersonate the user.

▪ Use SQL Server Authentication. A gsrvr that connects with a SQL Server login does not require impersonation and can reach a remote instance of SQL Server.

▪ Use a non-distributed configuration. If ArcSDE and SQL Server are installed on the same machine, the impersonated context only has to reach a local resource, so gsrvrs that connect as Windows logins work without delegation.