This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 31%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETM%3C/text%3E%3C/svg%3E)
All of our existing Windows 10 computers work fine, but the newer Windows 11 computers throw the anonymous error on the linked server. Kerberos is configured correctly along with SPN's. We can't seem to figure out why Windows 11 can't do a double hop using Kerberos.
So when you connect from your Windows 11 boxes, what do you see in sys.dm_exec_connections.auth_scheme?
KERBEROS
KERBEROS. One more thing to add. I can use a Windows 10 computer to query data through the linked server, which allows the Windows 11 computer SQL queries to work for about 10 minutes, then they break again. Some kind of timeout with the Kerberos token.
Actually, I think that is more an effect of some connection pooling going on.
In any case, I don't have any access to any environment where I can test this, but I wanted to check out auth_scheme, so that the problem is not in that end. Hopefully, someone who works in a domain environment and knows Kerberos well can chime in.
We solved this by disabling Windows Defender Credential Guard
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 89%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
I'm glad your problem was solved. Thank you very much for the questions and answers.
Best regards,
Aniya
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 23%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENB%3C/text%3E%3C/svg%3E)
Defenders quite bad, yes.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 67%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGA%3C/text%3E%3C/svg%3E)
@Thomas McKane disabling WD credential guard on the W11 client or servers themselves?
Go to group policy and select LDAP for signing none in security settings then try go around RPC to authenticate everything and finally kerberos armoring check in group policy with KDC. Try disabling group policy computer configuration and user configuration and restart computer to try again. Check component connection.
Check networking is not colliding and denying
Welcome to Microsoft Q&A!
Please refer to the links below:
https://www.sqlshack.com/how-to-link-two-sql-server-instances-with-kerberos/
Hope these would bring your attention to some points you hadn't noticed before.
To be honest, since we can’t check the status of your server in the forum, this type of issue is usually difficult to resolve. I suggest you consider using the phone support service provided by Microsoft which can usually help you resolve your issue.
https://support.microsoft.com/en-us/help/4051701/global-customer-service-phone-numbers
https://support.microsoft.com/en-us/supportforbusiness/productselection
Best regards,
Aniya