Delegation: IIS Server setup in typical 3-tier scenario.

Hi,

Sorry to be asking the same question that everybody probably asks...
Setting up delegation is killing me... Typical IE6/IIS6/SQL Server 2000 3-tier Integrated Windows
Authentication problem - I've got the double-hop problem when using
impersonation, so I'm trying to set up delegation. Getting
authenticated using NTLM, not Kerberos, on the web server. IE6 is sending
the Negotiate header.

SQL Server 2000 SP3 on Server 2003. SQL Account and Computer both
Trusted for Delegation. Given SPN.

IIS 6.0 on Server 2003. Kerberos enabled. Computer Trusted for
Delegation.
Integrated Windows Authentication selected. Default application pool.
Application on default website.
IWAM_<computername> local account is running as part of operating
system and trusted for delegation. (Does anything need to be SPN'd?)

ASP app using trusted ADO connections (impersonation by default as
classic ASP). ASP.NET as well, using an ADO.NET trusted connection.

User (me) Trusted for Delegation on a client XPSP2 machine. IE6
Kerberos enabled. Trusted Site. No Proxy.

I've been through a lot of the Microsoft documentation.
Incidentally, the most useful was:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx#ETUAG

Some specific questions:

I have seen a lot written about using FQDNs for Kerberos.
Does this mean that in my ADO and ADO.NET connection strings I need to
specify a fuller ServerName?

Can I use IP addresses and ports with kerberos?
i.e. I think I can use these:
http://computername.domainname
http://hostname
but can I use these?
http://IPAddress
http://computername.domainname:81
http://computername

So I am a little unclear on what SPNs I need to register for IIS, ASP,
ASP.NET etc. Currently only the 2 server SPNs (FQDN and NetBIOS) are
registered. And also what accounts I need to change security settings
on?

Oh, and while we're talking about this, I suppose you can use delegation
with SQL virtual directories? Otherwise this is all pointless.

Cheers,

James
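The SPN questions in the post (which names the client can use, whether IP addresses and ports work, and which SPNs need registering) come down to how the Kerberos client builds the target SPN and whether exactly one account holds it. The following is an added example, not part of the original post and not a Microsoft tool: a small Python model of that check over constructed SPN data. It assumes the Windows client builds `HTTP/<host as typed in the URL>` without the port, builds no SPN at all for an IP literal (so authentication falls back to NTLM), builds `MSSQLSvc/<server as typed>:<port>` for SQL Server without canonicalising a NetBIOS name to an FQDN, and that a `HOST/` SPN on the machine account satisfies `HTTP/` (the default sPNMappings alias). The account names, host names and registered SPNs are constructed.

```python
"""Model of Kerberos SPN construction and SPN coverage for an IIS -> SQL Server
double hop. Constructed example; it does not query Active Directory."""
import ipaddress
import re
from collections import Counter

# Constructed sample: SPNs as they might be registered, keyed by the account
# holding them (IIS machine account, SQL Server service account).
REGISTERED_SPNS = {
    r"CORP\WEBSRV$": ["HOST/WEBSRV", "HOST/websrv.corp.example"],
    r"CORP\sqlsvc": ["MSSQLSvc/sqlsrv.corp.example:1433"],
}

# Assumption: service classes that the HOST class stands in for (a subset of
# the default sPNMappings). MSSQLSvc is deliberately absent: SQL needs its own SPN.
HOST_ALIASES = {"HTTP", "WWW", "W3SVC", "CIFS", "RPC", "LDAP"}


def _is_ip_literal(host: str) -> bool:
    """True when the host part is an IPv4/IPv6 literal, not a DNS or NetBIOS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def expected_http_spn(url: str):
    """SPN a Windows browser builds for a URL (assumption: host as typed, no port).
    Returns None for an IP literal, meaning no Kerberos ticket can be requested."""
    m = re.match(r"^https?://([^/:?#]+)(?::(\d+))?", url, re.IGNORECASE)
    if not m:
        raise ValueError(f"not an http(s) URL: {url}")
    host = m.group(1)
    if _is_ip_literal(host):
        return None
    return f"HTTP/{host}"


def expected_sql_spn(server: str, port: int = 1433):
    """SPN a SQL client builds for a connection-string server name (assumption:
    MSSQLSvc/<name as typed>:<port>; an IP literal yields no SPN)."""
    if _is_ip_literal(server):
        return None
    return f"MSSQLSvc/{server}:{port}"


def find_holder(spn: str, registered=None):
    """Account that holds `spn` (or its HOST/ alias), or None if unregistered."""
    registered = REGISTERED_SPNS if registered is None else registered
    cls, _, instance = spn.partition("/")
    candidates = {spn.lower()}
    if cls.upper() in HOST_ALIASES:
        candidates.add(f"HOST/{instance}".lower())
    for account, spns in registered.items():
        if any(s.lower() in candidates for s in spns):
            return account
    return None


def duplicate_spns(registered=None):
    """SPNs registered on more than one account; duplicates break Kerberos for that name."""
    registered = REGISTERED_SPNS if registered is None else registered
    counts = Counter(s.lower() for spns in registered.values() for s in spns)
    return sorted(s for s, n in counts.items() if n > 1)


def classify(spn):
    """Human-readable verdict for the SPN a client would request."""
    if spn is None:
        return "NTLM fallback: IP literal, client cannot build an SPN"
    holder = find_holder(spn)
    if holder is None:
        return f"Kerberos will fail: {spn} is registered on no account"
    return f"Kerberos: {spn} held by {holder}"


if __name__ == "__main__":
    # The URL shapes asked about in the post, plus two SQL connection-string names.
    for url in ["http://websrv.corp.example", "http://websrv",
                "http://10.0.0.5", "http://websrv.corp.example:81"]:
        print(f"{url:40} -> {classify(expected_http_spn(url))}")
    for server in ["sqlsrv.corp.example", "sqlsrv"]:
        print(f"{server:40} -> {classify(expected_sql_spn(server))}")
    print("duplicate SPNs:", duplicate_spns() or "none")
```

Run against real data, the `REGISTERED_SPNS` table would be filled from `setspn -L <account>` output for the IIS machine account and the SQL service account; the two checks worth keeping are that every name the application actually types into a URL or connection string maps to exactly one holder, and that the holder is the account the service really runs as.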