sql-serverdatabase-connectionkerberosintegrated-security

SQL Server 2012 - Distant connection issues with Integrated Security

I have two SQL Servers : one in Dijon, France; one in Arvada, Colorado, US. A data replication has been set up between them.

Everything works fine when users try to connect to SQL Server 2008 R2 Dijon database.

BUT an error occurs when one of my users is trying to connect to SQL Server 2012 US database from a VB.Net application.

The error is :

"A connection was successfully established with the server, but then an error occurred during the login process (provider: TCP Provider, error: 0 - An existing connection was forcibly closed by the remote host.)"

This error shows up only for one user. The others can connect without any issue. I have maybe a clue about this. We already encountered connection issues for him, because he belonged to many AD security groups.

Here is the connection string :

Data Source=server\instance;Initial Catalog=db;Integrated Security=SSPI;Connection Timeout=0;

We have the same issue for a US user trying to connect to the same server. But not when he tries to connect to Dijon. Do you have any clue that could help me resolving this issue please ?

I checked StackOverflow threads and other solutions from the web, but nothing helped me...

Solution

  • It was, as I expected, a problem of Kerberos authentication because my user has too many AD security groups... The solution is explained here : Problems with Kerberos authentication when a user belongs to many groups and here MaxTokenSize and Windows 8 and Windows Server 2012

    If the authorization data for a user attempting to authenticate is larger than the MaxTokenSize, then the authentication fails for that connection using that protocol.

    On Windows 7 and Windows Server 2008R2 , the MaxTokenSize (the default buffer size for Kerberos) is 12k. Its size has been increased in Windows 8 and Windows Server 2012 to 48k. It wasn't enough for my case.

    I had to add a key in the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize (REG_DWORD type to the decimal value 65535).
    Then I rebooted the server.

    My user can now access data without error.