RE: Integrated Authentication (Kerberos) Problem
From: Steve Dodson [MSFT] (stevedod_at_online.microsoft.com)
Date: 07/16/04
- Previous message: Julie: "Set security for web folder?"
- In reply to: Mark Parter: "Integrated Authentication (Kerberos) Problem"
- Next in thread: Ken Schaefer: "Re: Integrated Authentication (Kerberos) Problem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 16 Jul 2004 15:15:20 GMT
Mark,
Verify the SPN for the SQL service account is registered such as the
following:
setspn -A MSSQLSvc/server23.northamerica.microsoft.com:1433 sqlaccount
I have also seen it where you need to register another SPN (NetBIOS name)
such as:
setspn -A MSSQLSvc/server1:1433 sqlaccount
Hope that helps!
Steve Dodson [MSFT]
MCSE, CISSP
PSS Security
--
This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.
--------------------
>Thread-Topic: Integrated Authentication (Kerberos) Problem
>thread-index: AcRrPpYjVry3YR/4RguAm4RyKKICRw==
>X-WBNR-Posting-Host: 212.219.188.130
>From: "=?Utf-8?B?TWFyayBQYXJ0ZXI=?=" <MarkParter@discussions.microsoft.com>
>Subject: Integrated Authentication (Kerberos) Problem
>Date: Fri, 16 Jul 2004 07:10:02 -0700
>Lines: 30
>Message-ID: <2DCED5E2-3BEE-4B3F-BEB5-0C9C57BB6FB8@microsoft.com>
>MIME-Version: 1.0
>Content-Type: text/plain;
> charset="Utf-8"
>Content-Transfer-Encoding: 7bit
>X-Newsreader: Microsoft CDO for Windows 2000
>Content-Class: urn:content-classes:message
>Importance: normal
>Priority: normal
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>Newsgroups: microsoft.public.inetserver.iis.security
>NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 127.0.0.1
>Path: cpmsftngxa06.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
>Xref: cpmsftngxa06.phx.gbl microsoft.public.inetserver.iis.security:13438
>X-Tomcat-NG: microsoft.public.inetserver.iis.security
>
>Hello All,
>
>I have the following 3 machines involved in this process;
>
>1. A Windows XP SP1 with IE6 client machine
>2. A Windows 2003 server with IIS 6
>3. A Windows 200 Server with SQL Server 2000
>
>I'm trying to get a report I've created in Reporting Services (which is served from machine 2) to access data from a SQL database on machine 3.
>
>I cannot get Kerberos to work, IE6 on machine 1 seems to indicate that NTLM is being used instead. I am testing with an ASP script from a Microsoft article. The script always returns the Authentication Type as NTLM. Here's what I've done so far;
>
>1. Configured IIS 6 to use ONLY Integrated Windows Authentication
>2. Given machine 2 delegation privileges in AD
>3. Given the domain account under which the IIS application runs, delegation privileges in AD.
>4. Set SPN's for this domain account (not sure if I've done this OK so a pointer on this may be helpful)
>5. Verified that IE has the "Enable Integrated Windows Authentication" option checked.
>6. Changed the NTAuthenticationProviders attribute in the metabase.xml file from NTAuthenticationProviders="NTLM" to NTAuthenticationProviders="Negotiate,NTLM"
>7. Gone through the MS article at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx but still no further forward.
>8. Confirmed that authentication only fails from machine 1. If accessing the same site on machine 2, everything works fine.
>
>Here's an extract from the IIS log;
>
>2004-07-16 13:58:33 10.20.16.27 GET /tests/kerberos.asp |17|80004005|Login_failed_for_user_'(null)'._Reason:_Not_associated_with_a_trusted_SQL_Server_connection. 80 STAFF\M-Parter 10.20.20.55 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 500 0 0
>2004-07-16 13:58:40 10.20.16.27 GET /tests/kerberos.asp - 80 - 10.20.20.55 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 2 2148074254
>2004-07-16 13:58:40 10.20.16.27 GET /tests/kerberos.asp - 80 - 10.20.20.55 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 1 0
>2004-07-16 13:58:40 10.20.16.27 GET /tests/kerberos.asp |17|80004005|Login_failed_for_user_'(null)'._Reason:_Not_associated_with_a_trusted_SQL_Server_connection. 80 STAFF\M-Parter 10.20.20.55 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 500 0 0
>
>When I performed step 6, I then get prompted for a username and password in IE on machine 1. No matter what I enter for a username and password, I don't get access. If I then undo the changes in Step 6, I can gain access to the site again.
>
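Added example, not part of the original thread or of any Microsoft tooling: a Python sketch that reads the IIS log extract quoted above and flags the 401.2 then 401.1 sequence (the usual sign of an NTLM challenge/response rather than a single Kerberos leg) together with the `Login failed for user '(null)'` error that appears when the user's identity is not delegated on to SQL Server. The field order, the handshake heuristic and the shortened User-Agent in the sample are assumptions.

```python
# Added example: field order assumed from the IIS 6 log extract in the thread.
FIELDS = ("date time s_ip method uri query port user c_ip agent "
          "status substatus win32").split()
NULL_LOGIN = "Login_failed_for_user_'(null)'"
WIN32_NAMES = {0x8009030E: "SEC_E_NO_CREDENTIALS"}

# Constructed sample: the thread's log lines with wrapped text rejoined and
# the User-Agent shortened.
SAMPLE = """\
2004-07-16 13:58:33 10.20.16.27 GET /tests/kerberos.asp |17|80004005|Login_failed_for_user_'(null)'._Reason:_Not_associated_with_a_trusted_SQL_Server_connection. 80 STAFF\\M-Parter 10.20.20.55 Mozilla/4.0+(compatible;+MSIE+6.0) 500 0 0
2004-07-16 13:58:40 10.20.16.27 GET /tests/kerberos.asp - 80 - 10.20.20.55 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 2148074254
2004-07-16 13:58:40 10.20.16.27 GET /tests/kerberos.asp - 80 - 10.20.20.55 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 0
2004-07-16 13:58:40 10.20.16.27 GET /tests/kerberos.asp |17|80004005|Login_failed_for_user_'(null)'._Reason:_Not_associated_with_a_trusted_SQL_Server_connection. 80 STAFF\\M-Parter 10.20.20.55 Mozilla/4.0+(compatible;+MSIE+6.0) 500 0 0
"""

def describe_win32(value):
    """Render sc-win32-status as hex, plus its name when known."""
    code = int(value)
    return ("0x%08X %s" % (code, WIN32_NAMES.get(code, ""))).strip()

def analyze(log_text):
    """Return one finding per completed request, grouped by client and URI."""
    pending = {}    # (client ip, uri) -> [(401 substatus, win32 text), ...]
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # header, comment or damaged line
        rec = dict(zip(FIELDS, parts))
        key = (rec["c_ip"], rec["uri"])
        if rec["status"] == "401":
            leg = (rec["substatus"], describe_win32(rec["win32"]))
            pending.setdefault(key, []).append(leg)
            continue
        legs = pending.pop(key, [])
        substatuses = [s for s, _ in legs]
        # Heuristic: 401.2 + 401.1 = NTLM round trips; 401.2 alone = Kerberos.
        handshake = {("2", "1"): "ntlm-like", ("2",): "kerberos-like"}.get(
            tuple(substatuses), "unknown")
        findings.append({
            "user": rec["user"], "status": rec["status"],
            "handshake": handshake, "leg_errors": [w for _, w in legs],
            # IIS knows the user, yet SQL Server saw an anonymous login.
            "null_sql_login": rec["status"] == "500" and NULL_LOGIN in rec["query"],
        })
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```
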