Re: Delegation problems
- From: "Mike Rasmussen" <michael.rasmussen@xxxxxxxxxxx>
- Date: 13 Jun 2006 11:14:33 -0700
That was it. I did a search for the SPN and it came back with two
entries. When the SQL server was initially set up (by a FORMER
administrator) he used his account as the service account for SQL
Server. When we changed the SQL server to use a real service account
instead of his user account, the SPN was not removed, so there were
duplicate SPN entries.
Thanks for your assistance. I should have caught this sooner but I am
challenged when it comes to LDAP queries.
Joe Kaplan (MVP - ADSI) wrote:
Can you do an LDAP query against your forest GC with a filter like this:
(servicePrincipalName=MSSQLSvc/GTOMA-DBSQL01.NBORDER.NBP:1433)
That should hopefully return one and only one result and it should
correspond to the service account you've created.
The other question: is GTOMA-DBSQL01.NBORDER.NBP a CNAME or an A record in DNS?
Kerberos sometimes likes to resolve CNAMEs back into A records when forming
SPNs, causing confusing results.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Mike Rasmussen" <michael.rasmussen@xxxxxxxxxxx> wrote in message
news:1150209868.612725.169370@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I captured a failed attempt and it does appear that the SPN is not
being resolved properly, although I cannot figure out why.
What I am seeing is that when a Kerberos TGS-REQ is submitted I am
getting a Kerberos error back. The error is
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.
The service name in the request is the same as is defined for the SPN
in the service account running SQL.
Of course, once this Kerberos error is returned the server attempts to
negotiate NTLM authentication, which can't be passed to the SQL Server.
Thanks for any ideas you might have.
Dominick wrote:
I would also recommend installing www.ethereal.com - and check if the SPNs
used for requesting tickets match exactly what you have registered.
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Can you show some examples, perhaps sanitized for public consumption?
For example, what is the name you use in your SQL connection string?
What is the SPN you have on the service account?
Also, on the web side, are you authenticating with Kerberos there too?
Providing as much detail as possible would help.
I wish this Kerberos delegation stuff was easier, but it is definitely
true that when it isn't working it can be insanely frustrating. When
it is working, it is sometimes a mystery as to why. :)
Joe K.
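The two checks Joe suggests in this thread, the exact-match SPN lookup against the forest Global Catalog and the CNAME-versus-A-record question, scripted as an added example. This is not code posted by anyone in the thread. It assumes a domain-joined Windows host, PowerShell 3 or later with Resolve-DnsName (Windows 8 / Server 2012 and later), and uses the SPN from the thread as its default input; the function names are my own.

```powershell
# Added example, not code from the thread. Replays the two checks suggested above:
# (1) query the forest Global Catalog for an exact SPN and count the objects holding it,
# (2) check whether the SPN's host name is a CNAME or an A record in DNS.
# Assumptions: run on a domain-joined Windows host as a domain user; .NET
# System.DirectoryServices is used for the GC query and Resolve-DnsName (Windows 8 /
# Server 2012 or later) for DNS. The default SPN is the one from the thread; substitute yours.
param(
    [string]$Spn = 'MSSQLSvc/GTOMA-DBSQL01.NBORDER.NBP:1433'
)

function ConvertTo-LdapFilterValue {
    # Escape RFC 4515 metacharacters so the SPN text cannot change the filter's meaning.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Find-SpnHolders {
    # Returns one object per directory object whose servicePrincipalName contains $Spn.
    # SPNs must be unique forest-wide, so the search is scoped to the Global Catalog,
    # not to the local domain.
    param([Parameter(Mandatory)][string]$Spn)

    $forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $searcher = $forest.FindGlobalCatalog().GetDirectorySearcher()
    $searcher.Filter   = '(servicePrincipalName={0})' -f (ConvertTo-LdapFilterValue $Spn)
    $searcher.PageSize = 500
    foreach ($attr in 'distinguishedName', 'sAMAccountName', 'objectClass', 'servicePrincipalName') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    foreach ($result in $searcher.FindAll()) {
        [pscustomobject]@{
            SamAccountName    = [string]$result.Properties['samaccountname'][0]
            ObjectClass       = [string]($result.Properties['objectclass'] | Select-Object -Last 1)
            DistinguishedName = [string]$result.Properties['distinguishedname'][0]
            # All SPNs on that object, so a stale MSSQLSvc entry on a user account stands out.
            AllSpns           = @($result.Properties['serviceprincipalname'])
        }
    }
}

function Get-SpnHostRecord {
    # SPN syntax is class/host[:port][/name]; pull out the host and ask DNS what it is.
    param([Parameter(Mandatory)][string]$Spn)

    $hostName = ($Spn -split '/')[1] -replace ':\d+$', ''
    $records  = Resolve-DnsName -Name $hostName -ErrorAction Stop
    $cname    = $records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if ($cname) { $canonical = $cname.NameHost } else { $canonical = $hostName }

    [pscustomobject]@{
        HostName  = $hostName
        IsCname   = [bool]$cname
        # When the name is an alias, the client may build the SPN from this A record
        # instead, so an SPN for it must exist on the same service account.
        Canonical = $canonical
        Addresses = @($records | Where-Object { $_.Type -in 'A', 'AAAA' } | ForEach-Object IPAddress)
    }
}

$holders = @(Find-SpnHolders -Spn $Spn)
switch ($holders.Count) {
    0       { Write-Warning "No object in the GC holds '$Spn'; the KDC cannot issue a ticket for it." }
    1       { "OK: '$Spn' is held only by $($holders[0].SamAccountName) ($($holders[0].ObjectClass))" }
    default {
        Write-Warning "'$Spn' is registered on $($holders.Count) objects; the KDC cannot map it to one account."
        $holders | Format-Table SamAccountName, ObjectClass, DistinguishedName -AutoSize
    }
}

Get-SpnHostRecord -Spn $Spn | Format-List
```

Save it as a .ps1 and run it with the SPN exactly as it appears in the captured TGS-REQ, since a port or host-name difference is a different SPN as far as the KDC is concerned. In the situation described in this thread the first check returns two objects: the former administrator's user account and the new service account. On Windows Server 2008 and later the built-in equivalents are `setspn -Q MSSQLSvc/host:1433` for the lookup and `setspn -X` for a forest-wide duplicate report, and `setspn -D MSSQLSvc/host:1433 <oldaccount>` removes the stale registration from the account that should no longer have it.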