Re: Credentials Double Hop

From: Dominick Baier <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 20 Oct 2006 13:14:55 +0000 (UTC)

have you double checked you are really doing kerberos authentication to the web server?

you can see that in the security log - search for logon evens - you should have a authentication package type of Kerberos.

also have a look here:

http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default.aspx

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

Hi!

I've setup everything to solve this issue but I still get the message
"Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'."

I have the tags in webconfig
<authentication mode="Windows" />
<identity impersonate="true" />

I have the SQL connection string

"Persist Security Info=False;Integrated Security=SSPI;database=" &
DBName & ";server=" & ServerName

An my AD administrator has ticked the box "Trust this this computer
for delegation to any service (Kerberos Only)" for the application
server.

I've disabled anonymous logon on the IIS of the application server.

My SQL server is set to mixed mode authentication, and my user name
have access as a System Administrator on SQL.

Why do I still get my error? Why is my application server still not
passing credentials to my database server?

Thanks!

Prev by Date: RE: Question on the use of CryptoStream
Next by Date: How do I determine if a windows identity is authenticated to the network domain
Previous by thread: Re: Problems using SMO to impersonate SQL connection ( ...
Next by thread: How do I determine if a windows identity is authenticated to the network domain
Index(es):
- Date
- Thread

Relevant Pages

Re: Integrated Windows Authentication Timeout?
... Is it possible that a different host name is being used for one of the subsequent requests that would break Kerberos auth? ... If you have "Negotiate" authentication set in the metabase, then this can still negotiate down to NTLM if for some reason the protocol thinks that Kerberos is unavailable. ... server. ...
(microsoft.public.dotnet.framework.aspnet.security)
Re: iis problems with some xp clients - kerberos issue?
... is the browser even attempting Kerberos Authentication? ... the webserver failing to get a service ticket for the SQL Server etc. ... Check that the site is in IE's Intranet zone (IE doesn't attempt to Kerberos ... Both access SQL ...
(microsoft.public.inetserver.iis.security)
Re: REPOST - IIS6 /WebDAV/NTLM/Kerberos and Remote Storage
... >are using to authentication. ... Kerberos tickets target a service ... >authenticate to IIS from the client browser. ... structure on a Win2K server. ...
(microsoft.public.inetserver.iis)
Update: Problems authenticating users via AD with Kerberos on Solaris 9
... However, since MIT does not implement TCP, the request fails. ... We have a Solaris 9 server that we configured to authenticate users via ... Active Directory using Kerberos. ... up but recently for whatever reason, Kerberos authentication does not ...
(SunManagers)
Re: CIFS / Kerberos question
... Packet sniffing from a connected hub (for server, ... > I am trying to achieve PKI authentication and SMB access to Windows ... > - Filesystem relies on SSPI-KerberosV to provide security services. ... What exactly does Kerberos do in the server? ...
(microsoft.public.win2000.security)