Re: Delegation: IIS Server setup in typical 3-tier scenario.



There are a number of issues here, and you need to work your way through
them from beginning to end to determine where the problem actually lies.

Firstly, you can't have "duplicate" SPNs. You mentioned that you "gave" some
hosts some SPNs - you should not do that unless you know that the service
doesn't already have an SPN and/or you need to change the existing SPN. If
you create duplicate SPNs then the KDC doesn't know which computer/user
account's password should be used to encrypt the service ticket (check my
blog - I will post something in more detail soon, but I have a post up right
now explaining the basics of service tickets).

Secondly - work your way through the chain:
a) Are you sure IE is authenticating using Kerberos and not NTLM? (e.g. use a
packet capture tool such as Ethereal to verify this, or use the security
event logs.) Just because IIS sends a Negotiate header does not mean that
Kerberos is being used - it just means that an API is used to determine what
protocols the browser and server both support.

b) Have you changed the application pool identity that your worker process
is running under? If so, you will need to create/change the SPN for all
FQDNs that that app pool services. Additionally, if you are accessing the
website by a FQDN that is not servername.domain.com (e.g. it is
someAlias.domain.com) then you will need to create an SPN for that site.
Register it under the computer or user account that is being used to host
the worker process that the website is in.

c) Next, check that IIS is authenticating using a user account to SQL
server, and not "anonymous" or "null".

Cheers
Ken


"JimLad" <jamesdbirch@xxxxxxxxxxx> wrote in message
news:1162556628.644584.286900@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,

Sorry to be asking the same question that everybody probably asks...
Setting up delegation is
killing me... Typical IE6/IIS6/SQLServer2000 3-tier Integrated Windows
Authentication problem - I've got the double hop problem when using
Impersonation, so I'm trying to set up delegation. Getting
Authenticated using NTLM not Kerberos on the Web Server. IE6 is sending
the Negotiate header.

SQL Server 2000 SP3 on Server 2003. SQL Account and Computer both
Trusted for Delegation. Given SPN.

IIS 6.0 on Server 2003. Kerberos enabled. Computer Trusted for
Delegation.
Integrated Windows Authentication selected. Default application pool.
Application on default website.
IWAN_<computername> local account is running as part of operating
system and trusted for delegation. (Does anything need to be SPN'd?)

ASP App using trusted ADO connections (impersonation by default as
classic ASP) . ASP.NET as well using ADO.NET trusted connection.

User (me) Trusted for Delegation on a client XPSP2 machine. IE6
Kerberos enabled. Trusted Site. No Proxy.

I've been through a lot of the Microsoft documentation.
Incidentally, the most useful was:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx#ETUAG

Some specific questions: -

I have seen a lot written about using FQDNs for Kerberos.
Does this mean that in my ADO and ADO.NET connection strings I need to
specify a fuller ServerName?

Can I use IP addresses and ports with kerberos?
i.e. I think I can use these:
http://computername.domainname
http://hostname
but can I use these?
http://IPAddress
http://computername.domainname:81
http://computername

So I am a little unclear on what SPNs I need to register for IIS, ASP,
ASP.NET etc. Currently only the 2 server SPNs (FQDN and NetBIOS) are
registered. And also what accounts I need to change security settings
on?

Oh and while we're talking about this, I suppose you can use delegation
with SQL Virtual Directories? Otherwise this is all pointless.

Cheers,

James
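As an added example (not part of Ken's reply or James's post), the PowerShell below walks Ken's checklist for one IIS site: it lists HTTP/ and HOST/ SPNs held by more than one account in the domain (the "duplicate SPN" case), checks that every name the site answers to has an HTTP/ SPN on the account the worker process runs as, and reads the web server's Security log to see which package actually authenticated each network logon, Kerberos or NTLM, whatever Negotiate header IIS sent. It assumes a domain-joined machine with PowerShell 2.0 or later for the directory query and Vista/Server 2008 or later for Get-WinEvent (Server 2003, as in the thread, logs the same information as event 540 rather than 4624); every host, account and site name in it is hypothetical.

```powershell
# Added example, not code from the original thread. Names below are hypothetical.

function Get-SpnOwners {
    # Map each HTTP/ or HOST/ SPN (lower-cased) to the sAMAccountNames that hold it.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = '(|(servicePrincipalName=HTTP/*)(servicePrincipalName=HOST/*))'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
    $owners = @{}
    foreach ($r in $searcher.FindAll()) {
        $acct = [string]$r.Properties['samaccountname'][0]
        foreach ($spn in $r.Properties['serviceprincipalname']) {
            $key = ([string]$spn).ToLowerInvariant()
            if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
            $owners[$key] += $acct
        }
    }
    return $owners
}

function Test-HttpSpnChain {
    param(
        [string[]]$HostNames,     # every name clients type: FQDN, NetBIOS name, aliases
        [string]  $PoolIdentity,  # 'DOMAIN\user' for a custom app pool identity, '' for Network Service / Local System
        [string]  $ComputerName   # NetBIOS name of the web server
    )
    $owners = Get-SpnOwners

    # (1) An SPN held by two accounts leaves the KDC no single key to encrypt the
    #     service ticket with; the client silently falls back to NTLM.
    foreach ($kv in $owners.GetEnumerator()) {
        $holders = @($kv.Value | Sort-Object -Unique)
        if ($holders.Count -gt 1) {
            Write-Warning ("DUPLICATE {0} held by {1}" -f $kv.Key, ($holders -join ', '))
        }
    }

    # (2) The SPN must sit on the account whose password the worker process knows.
    #     For the built-in identities that is the computer account, whose default
    #     HOST/<name> SPNs already cover HTTP for the server's own FQDN and NetBIOS name.
    $computerAcct = "$ComputerName`$"
    $expected = if ($PoolIdentity) { ($PoolIdentity -split '\\')[-1] } else { $computerAcct }
    foreach ($h in $HostNames) {
        $httpSpn = "http/$h".ToLowerInvariant()
        $hostSpn = "host/$h".ToLowerInvariant()
        $onPool  = $owners.ContainsKey($httpSpn) -and ($owners[$httpSpn] -contains $expected)
        $onHost  = (-not $PoolIdentity) -and $owners.ContainsKey($hostSpn) -and ($owners[$hostSpn] -contains $computerAcct)
        if ($onPool -or $onHost) {
            "OK       HTTP/$h resolves to $expected"
        } elseif ($owners.ContainsKey($httpSpn)) {
            "WRONG    HTTP/$h is on $($owners[$httpSpn] -join ',') but the pool runs as $expected"
        } else {
            # setspn -S (2008+) refuses to create a duplicate; on 2003 use setspn -A after checking with -L.
            "MISSING  HTTP/$h  ->  setspn -S HTTP/$h $expected"
        }
    }
}

function Get-NetworkLogonPackages {
    # (3) Security event 4624 (event 540 on Server 2003) records the package that really
    #     authenticated each network logon (LogonType 3): 'Kerberos' or 'NTLM'.
    param([int]$Newest = 100)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $Newest |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['LogonType'] -eq '3') {
                New-Object PSObject -Property @{
                    Time    = $_.TimeCreated
                    User    = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                    Package = $d['AuthenticationPackageName']
                    From    = $d['IpAddress']
                }
            }
        }
}

# Usage (hypothetical names): run on the web server as an account that can read the Security log.
Test-HttpSpnChain -HostNames 'web01', 'web01.corp.example.com', 'intranet.corp.example.com' `
                  -PoolIdentity 'CORP\svc-intranet' -ComputerName 'WEB01'
Get-NetworkLogonPackages -Newest 200 | Group-Object Package | Select-Object Name, Count
```

Two practical notes on what the script does not cover. It only checks the first hop; for the second hop, SQL Server 2005 and later show the scheme each connection actually negotiated in the auth_scheme column of sys.dm_exec_connections, which SQL Server 2000 lacks, so a network trace is the way to confirm the IIS-to-SQL leg there. And it takes host names as given: IE 6 builds the SPN from the host in the URL without the port unless a registry override is set, so a site on port 81 still needs HTTP/name, not HTTP/name:81, and a raw IP address in the URL gets no Kerberos at all.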





