Are there any good options for connecting two SQL Server 2008 instances via Service Broker if neither of those servers are in a domain, but we have full control over the logins and credentials?
We're thinking of using this technology for enterprise-level data consolidation, but our servers run at client sites and are not configured as members of any domain. We're looking for the least-pain option to get Service Broker communicating in this environment.
You can use certificate-based transport security, which is domain-independent. Official help here and some example here.
You use certificates, which is the Service Broker authentication option designed specifically for a scenario like your. See How does Certificate based Authentication work. When endpoints are configured with certificates based authentication the handhsake will contain an SSPI Schannel based authentication exchange (better known as SSL or TLS). The resulting certificate used by the peer is used to authorize the connection based on trust derived from certificate deployment. What that means is that the certificates used are not validated for a specific property like in the 'https://example.com' case where 'example.com' has to e a specific OID on the certificate and a trusted authorithy signature, but instead if the certificate is deployed (ie. found in the master database) then the owner of the deployed certificate is the identity. This allows you to use self-signed certificates in a safe manner with root of trust in deployment (ie. the sysadmin), not an authorithy (ie. Verisign). This is a probably more info than you need :)
The gist of it goes like this:
-------------------------------------
-- connect to server
-------------------------------------
use master;
go
create master key encryption by password = '...';
create certificate [<servername>]
with subject = '<servername>'
, start_date = '20100216'
, expiry_date = '20150216';
create endpoint broker
state = started
as tcp (listenner_port = 4022)
for service_broker (authentication = certificate [<servername>]);
-- Export the public key to disk
backup certificate [<servername>]
to file = '\\someshare\<servername>.cer';
--------------------------------
-- connect to client
--------------------------------
use master;
go
create master key encryption by password = '...';
create certificate [<clientname>]
with subject = '<clientname>'
, start_date = '20100216'
, expiry_date = '20150216';
create endpoint broker
state = started
as tcp (listenner_port = 4022)
for service_broker (authentication = certificate [<clientname>]);
-- Export the public key to disk
backup certificate [<clientname>]
to file = '\\someshare\<clientname>.cer';
--create an identity for server and import the server's certificate:
create login [<servername>] with password = '...';
alter login [<servername>] disable;
create user [<servername>];
create certificate [<servername>]
authorization [<servername>]
from file = '\\someshare\<servername>.cer';
--authorize <servername> to connect on the broker endpoint
grant connect on endpoint::broker to [<servername>];
---------------------------------------
-- connect to the server
---------------------------------------
--create an identity for client and import the client's certificate:
create login [<clientname>] with password = '...';
alter login [<clientname>] disable;
create user [<clientname>];
create certificate [<clientname>]
authorization [<clientname>]
from file = '\\someshare\<clientname>.cer';
--authorize <clientname> to connect on the broker endpoint
grant connect on endpoint::broker to [<clientname>];