Re: SPN for SSL over common name



Hi,

Forgot to mention - this document is a good starting point that outlines
common scenarios and what you need to do to get them working:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

Cheers
Ken


"Daniel Tan" <kenghua@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:eCQ%23J%23t2GHA.324@xxxxxxxxxxxxxxxxxxxxxxx
Hi Ken

Much thanks for the input!

This is the confirmation I'm looking for.

Cheers!


"Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:u9qQ7Ps2GHA.1304@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

You have created a number of duplicate SPNs, and that will stop Kerberos
delegation from working. Since you are running the web application pool under
"Network Service", you can't register those SPNs under the SQL Server's
Service account. Those SPNs must be registered under the web server's
machine account.

The *only* SPNs you should have registered under the SQL Server's service
account is the MSSQL SPN. That SPN should be registered under the SQL
Server's service account and *removed* (if required) from the SQL
Server's machine account.

Lastly, since the SQL Server is not being used for delegation anywhere,
its service account does not need to be trusted for delegation. Instead,
the *web server's* machine account must be trusted for delegation (since
it is the one getting the Kerberos service ticket on behalf of the end
user, in order to connect back to the SQL Server).

Cheers
Ken
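The SPN and delegation layout Ken describes, written up as an added PowerShell example that is not part of this thread. MYWEB (the web server's machine account), DOMAIN\sqlsvc (the <SQL Service Account>) and the mydomain.com names are assumed placeholders, and setspn -X requires the Windows Server 2008 or later setspn.

```powershell
# Added example: put the SPNs where Kerberos delegation expects them.
# Assumed names: MYWEB = web server machine account, DOMAIN\sqlsvc = SQL
# service account. These commands modify Active Directory; run as a
# domain admin after checking the values against your environment.

$WebComputer   = 'MYWEB'          # web server NetBIOS name (assumed)
$SqlSvcAccount = 'DOMAIN\sqlsvc'  # <SQL Service Account> (assumed)
$SqlSpn        = 'MSSQLSvc/sqlserver.mydomain.com:1433'
$AliasSpns     = @('HTTP/kirk', 'HTTP/kirk.mydomain.com',
                   'HOST/kirk', 'HOST/kirk.mydomain.com')

# 1. Remove the HTTP/HOST SPNs that were registered on the SQL service
#    account. Left in place they become duplicates once the HTTP SPNs are
#    registered on the web server, and duplicate SPNs break Kerberos.
foreach ($spn in $AliasSpns) {
    setspn -D $spn $SqlSvcAccount
}

# 2. The app pool runs as NETWORK SERVICE, so the alias's HTTP SPNs belong
#    on the web server's machine account (HOST/ is not needed for HTTP).
setspn -A HTTP/kirk $WebComputer
setspn -A HTTP/kirk.mydomain.com $WebComputer

# 3. The SQL service account should now list only its MSSQLSvc SPN.
setspn -L $SqlSvcAccount

# 4. Confirm nothing in the forest still carries a duplicate SPN.
setspn -X

# 5. Only the web server's machine account delegates; keep it constrained
#    to the MSSQLSvc SPN rather than enabling unconstrained delegation.
Import-Module ActiveDirectory
Set-ADComputer -Identity $WebComputer -Add @{ 'msDS-AllowedToDelegateTo' = $SqlSpn }

# 6. Verify: web server has the HTTP SPNs and a delegation target, and the
#    SQL service account is not itself trusted for delegation.
Get-ADComputer $WebComputer -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo' |
    Select-Object Name, servicePrincipalName, 'msDS-AllowedToDelegateTo'
Get-ADUser ($SqlSvcAccount.Split('\')[1]) -Properties TrustedForDelegation, servicePrincipalName |
    Select-Object Name, TrustedForDelegation, servicePrincipalName
```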



"Daniel" <orioncrest@xxxxxxxxxxxx> wrote in message
news:1158289246.653946.280870@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dear all,

I've created an alias (CName) in DNS for my web server running on IIS
6.0.

Web Server FQDN : myweb.domain.com (not using host header)
Alias for Web Server : kirk.domain.com

An SSL cert has been created from the alias.

Clients will be accessing the backend server, SQL2K, using Integrated
Windows Authentication.

The webserver app pool is running under NETWORK SERVICE.
The MSSQLServer Windows service is running under a <SQL Service Account>

I'm getting the following error when trying the web server from the
alias. https://kirk.domain.com

"The underlying connection was closed: Could not establish trust
relationship with remote server.
Description: An unhandled exception occurred during the execution of
the current web request. Please review the stack trace for more
information about the error and where it originated in the code.

Exception Details: System.Net.WebException: The underlying connection
was closed: Could not establish trust relationship with remote server."


I've been told it's a SPN issue. The SQL Server is unable to locate the
webserver.

I've tried setting the SPN as such.
setspn -a HTTP/kirk <SQL Service Account>
setspn -a HTTP/kirk.mydomain.com <SQL Service Account>
setspn -a HOST/kirk <SQL Service Account>
setspn -a HOST/kirk.mydomain.com <SQL Service Account>

It doesn't work.

setspn -l <SQL Server Account> shows the following:
HTTP/kirk
HTTP/kirk.mydomain.com
HOST/kirk
HOST/kirk.mydomain.com
MSSQLSvc/sqlserver.mydomain.com:1433


Questions.

The web server has been trusted for delegation to the MSSQLSvc SPN. Do
I need to add "HTTP" service to the list?

Do I need to set the <SQL Service Account> to be trusted for
delegation?

Any input will be greatly appreciated!

Regards,
Daniel
