Re: Delegation problems

Woo hoo! Glad that was it. Normally I see a different error with a
duplicate SPN so I didn't think that was it, but it seemed like one of the
only things left that might be wrong since the network trace revealed an
actual attempt to do Kerb.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Mike Rasmussen" <michael.rasmussen@xxxxxxxxxxx> wrote in message
news:1150222473.455476.43620@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
That was it. I did a search for the SPN and it came back with two
entries. When the SQL server was initially setup (by a FORMER
administrator) he used his account as the service account for SQL
server. When we changed the SQL server to use a real service account
instead of his user account the SPN was not removed so there were
duplicate SPN entries.

Thanks for your assistance. I should have caught this sooner but I am
challenged when it comes to LDAP queries.

Joe Kaplan (MVP - ADSI) wrote:
Can you do an LDAP query against your forest GC with a filter like this:

(servicePrincipalName=MSSQLSvc/GTOMA-DBSQL01.NBORDER.NBP:1433)

That should hopefully return one and only one result and it should
correspond to the service account you've created.

The other question: is GTOMA-DBSQL01.NBORDER.NBP a CName or an A record in
DNS? Kerberos sometimes likes to resolve CNames back into A records when
forming SPNs, causing confusing results.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Mike Rasmussen" <michael.rasmussen@xxxxxxxxxxx> wrote in message
news:1150209868.612725.169370@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I captured a failed attempt and it does appear that the SPN is not
being resolved properly although I cannot figure out why.

What I am seeing is that when a Kerberos TGS-REQ is submitted I am
getting a Kerberos error back. The error is
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.

The service name in the request is the same as is defined for the SPN
in the service account running SQL.

Of course once this Kerberos error is returned the server attempts to
negotiate NTLM authentication, which can't be passed to the SQL Server.

Thanks for any ideas you might have.

Dominick wrote:
I would also recommend installing www.ethereal.com and checking if the
SPNs used for requesting tickets match exactly what you have registered.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Can you show some examples, perhaps sanitized for public consumption?
For example, what is the name you use in your SQL connection string?
What is the SPN you have on the service account?

Also, on the web side, are you authenticating with Kerberos there too?
Providing as much detail as possible would help.

I wish this Kerberos delegation stuff was easier, but it is definitely
true that when it isn't working it can be insanely frustrating. When
it is working, it is sometimes a mystery as to why. :)

Joe K.

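The checks the thread walks through by hand (resolve the connection-string name, build the MSSQLSvc SPN the client will actually request, query the forest GC for it, and see whether zero, one or several accounts hold it) can be scripted. The following is an added example, not code from any poster in the thread. It assumes the RSAT ActiveDirectory module and Resolve-DnsName (Windows 8 / Server 2012 or later, so newer than the tooling discussed in 2006); the host and domain names are the ones from the thread, while the GC host (dc01.nborder.nbp) and the account names in the clean-up comments are placeholders.

```powershell
# Added example (not from the thread): check the SPN a Kerberos client will
# ask for against what is registered in the forest, and flag duplicates.
# Assumes the RSAT ActiveDirectory module and Resolve-DnsName. Host and domain
# names come from the thread; the GC host and account names are placeholders.
#Requires -Modules ActiveDirectory

function Test-SqlSpn {
    param(
        [Parameter(Mandatory)] [string] $SqlHost,     # name used in the connection string
        [int]    $Port = 1433,
        [string] $GlobalCatalog = 'dc01.nborder.nbp'  # placeholder; any GC in the forest
    )

    # 1. Kerberos clients canonicalize a CNAME to its target A record before
    #    forming the SPN, so the SPN must be registered for the A record name.
    $target = $SqlHost
    $cname = Resolve-DnsName -Name $SqlHost -Type CNAME -ErrorAction SilentlyContinue |
             Where-Object QueryType -eq 'CNAME' | Select-Object -First 1
    if ($cname) {
        $target = $cname.NameHost.TrimEnd('.')
        Write-Warning "$SqlHost is a CNAME for $target; the client will request MSSQLSvc/$target`:$Port"
    }
    $spn = "MSSQLSvc/$target`:$Port"

    # 2. The same filter Joe suggested, run against the GC (port 3268) so every
    #    domain in the forest is searched. servicePrincipalName matching in AD
    #    is case-insensitive, so differently cased duplicates are caught too.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" `
                              -Server "$GlobalCatalog`:3268" `
                              -Properties servicePrincipalName, sAMAccountName)

    switch ($holders.Count) {
        0 { Write-Warning "$spn is registered on no account: expect KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN and a fallback to NTLM" }
        1 { Write-Host "$spn -> $($holders[0].sAMAccountName) (exactly one holder, OK)" }
        default {
            # With two accounts claiming the SPN the KDC cannot tell which
            # account's key to encrypt the service ticket with. A stale
            # registration left on a former admin's user account, as in the
            # thread, is a classic cause.
            Write-Warning "$spn is duplicated on: $($holders.sAMAccountName -join ', ')"
        }
    }
    return $holders
}

# Usage:
#   Test-SqlSpn -SqlHost 'GTOMA-DBSQL01.NBORDER.NBP'
#
# Clean-up when a duplicate is found on the old account (OLDADMIN and SQLSVC
# are placeholder account names):
#   setspn -D MSSQLSvc/GTOMA-DBSQL01.NBORDER.NBP:1433 OLDADMIN
#   setspn -L SQLSVC       # confirm the real service account still holds it
```

Running the function before and after the `setspn -D` step gives a quick confirmation that the GC now returns exactly one holder, which is the condition Joe describes for the TGS-REQ to succeed. On Server 2008 and later, `setspn -X` performs a forest-wide duplicate-SPN sweep without specifying individual SPNs.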