Re: Delegation problems



What account is running SQL? Is it local system, network service or a
custom service account?

If it is system or network service, then the network identity for the
service will be represented by the machine account, so it will need the
appropriate SPNs. If it is a custom service account, then it will need the
SPNs.

Once you know that, then it depends on how you are connecting to SQL. If
you are using a DNS name in your connection string, make sure the service
account has an appropriate SQL SPN for that DNS name. That would likely be
something like MSSQLSvc/yourserver.domain.com:1433 if you are using the
default TCP port and your server's DNS name is yourserver.domain.com. If
you are using NetBIOS names in your connection string, then the SPN would
use that.

I'm not actually sure why the proper SPNs wouldn't show up in ADUC, but the
first thing to do is to make sure that the SPNs you need exist in AD and are
set on the right account.

I like using a tool like ldp.exe or adfind for looking at the AD stuff in
this case as you can see what's actually going on under the hood with AD.
ADUC hides too much stuff to be useful for troubleshooting. The relevant
attributes in AD for Kerberos delegation are servicePrincipalName (SPNs for
an account), userAccountControl (sets the bit that allows the account to
delegate with Kerberos or via S4U with any protocol) and
msDS-AllowedToDelegateTo (specifies the constrained delegation list where
the service can delegate to).

HTH,

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
<michael.rasmussen@xxxxxxxxxxx> wrote in message
news:1149867559.859982.177090@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I am trying to set up delegation from an IIS server to a SQL 2K backend
server running on a different physical server from the IIS server. I am
running into problems because when I try to delegate, the MSSQL service
is not on the list of services to select for the SQL server. Has anyone
seen this before? I have several other servers running SQL and the SQL
service lists when I try to delegate to those servers. I just have two
servers which do not list the SQL service.

This is running in a Windows 2003 AD environment. All servers are
running Windows 2003. All SQL 2000 servers are running SP3 or higher.

Any insights would be appreciated.
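The checklist in the reply above (expected MSSQLSvc SPNs for the DNS and NetBIOS names, which account actually holds them, and what the userAccountControl bits plus msDS-AllowedToDelegateTo say about delegation) as an offline audit. This is an added example, not code from the thread: the account names, SPNs and attribute values are constructed to stand in for what ldp.exe or adfind would return, and the flag values are the documented userAccountControl bits.

```python
# Offline audit of the three AD attributes relevant to Kerberos delegation.
# Entries below are CONSTRUCTED sample data shaped like ldp.exe / adfind output
# (attribute name -> value or list of values); pull real ones from AD.
TRUSTED_FOR_DELEGATION = 0x80000           # unconstrained Kerberos delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "use any authentication protocol" (S4U)

ENTRIES = {
    "svc-sql": {   # custom SQL service account; only the FQDN SPN is registered
        "userAccountControl": 0x10200,    # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
        "servicePrincipalName": ["MSSQLSvc/sqlbox.domain.com:1433"],
    },
    "SQLBOX$": {   # the SQL host's machine account; no MSSQLSvc SPN here
        "userAccountControl": 0x1000,     # WORKSTATION_TRUST_ACCOUNT
        "servicePrincipalName": ["HOST/sqlbox.domain.com", "HOST/SQLBOX"],
    },
    "svc-web": {   # IIS app pool account, constrained to the SQL service
        "userAccountControl": 0x1000200,  # NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION
        "msDS-AllowedToDelegateTo": ["MSSQLSvc/sqlbox.domain.com:1433"],
    },
}


def expected_sql_spns(fqdn, port=1433):
    """SPNs a SQL service needs so a connection string using either the DNS
    name or the NetBIOS name resolves to a service ticket."""
    netbios = fqdn.split(".")[0]
    return {f"MSSQLSvc/{fqdn}:{port}", f"MSSQLSvc/{netbios}:{port}"}


def spn_holders(entries, spn):
    """Accounts carrying the SPN: none means it is unregistered, more than one
    means a duplicate SPN, and Kerberos will fail either way."""
    return sorted(n for n, e in entries.items()
                  if spn in e.get("servicePrincipalName", []))


def delegation_mode(entry):
    """Classify delegation from userAccountControl and msDS-AllowedToDelegateTo."""
    uac = int(entry.get("userAccountControl", 0))
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if entry.get("msDS-AllowedToDelegateTo"):
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained, any protocol"
        return "constrained, Kerberos only"
    return "none"


def audit_sql_account(entries, account, fqdn, port=1433):
    """Report SPNs the service account is missing and its delegation setting."""
    entry = entries[account]
    have = set(entry.get("servicePrincipalName", []))
    missing = sorted(expected_sql_spns(fqdn, port) - have)
    return {"missing_spns": missing, "delegation": delegation_mode(entry)}
```

For the constructed data the audit flags the missing NetBIOS-form SPN on svc-sql and shows the web account as constrained with protocol transition enabled.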