Re: Can't run IIS and SQL Server on Separate Machines with Trusted Connection
From: Bala Neerumalla[MSFT] (balnee@online.microsoft.com)
Date: 03/15/03
- In reply to: Tom Kaminski [MVP]: "Re: Can't run IIS and SQL Server on Separate Machines with Trusted Connection"
From: "Bala Neerumalla[MSFT]" <balnee@online.microsoft.com> Date: Fri, 14 Mar 2003 21:22:26 -0800
Hi Julie,
Based on your error message, it's clear that you are falling back to
NTLM. For Delegation to work, you need to make sure that you have configured
the following properly.
1. IIS Server must be trusted for delegation (Open AD Users and Computers mmc
snap-in on a Domain Controller and select IIS Server machine from computers
folder and double click it to set this). By default machines are not trusted
for delegation, so you need to grant this right to IIS Server.
2. AD properties for user "Account is sensitive and cannot be delegated"
must be cleared in AD. By default, this one is cleared so you don't have to do
anything.
3. Client must be using IE 5.5 or more (Lower versions don't support Kerberos
so delegation fails).
4. You need to register an SPN for SQL Server, for Kerberos to work each
service must have an SPN registered by the domain admin. But the good thing
is, if your SQL Server is running under LOCALSYSTEM account then you don't
need to worry about this. Check SQL Books online for setting up an SPN if
your SQL Server is running under a domain user. If it's running under a local
user account then Kerberos will never work, so you need to configure your
SQL Server to run under either LOCALSYSTEM or a domain user account for
Kerberos to work.
5. On IIS server, make sure you have MDAC 2.6 or above. Lower versions of
MDAC don't support Kerberos. If you are using Windows 2000 server on IIS
Server, then you must be having MDAC 2.5 which might also be a reason for
the failure.
Please let me know if you still have any problems.
Thanks,
Bala.
"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
news:b4q4dn$fft27@kcweb01.netnews.att.com...
> "Jacek Stelmaszczyk" <steq@polbox.com> wrote in message
> news:b4prpn$1h0g$1@news2.ipartners.pl...
> > "Tom Kaminski [MVP]" <tomk (A T) mvps (D O T) org> wrote:
> > >
> > > I don't believe you can use Windows Integrated authentication and have SQL
> > > on a separate machine. It creates a delegation issue as the IIS box doesn't
> > > have the user's password to forward to the SQL box.
> > > http://support.microsoft.com/default.aspx?scid=kb;EN-US;247931
> >
> > What about this article?
> > INF: SQL Server 2000 Kerberos Support Including SQL Server Virtual Servers
> > on Server Clusters
> > http://support.microsoft.com/?kbid=319723
>
> I had not seen that. Looks like it's possible given the right
> configuration.
>
> --
> Tom Kaminski IIS MVP
> http://mvp.support.microsoft.com/
> http://www.microsoft.com/windowsserver2003/community/centers/iis/
>
>
>
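The Active Directory items in the checklist above (1, 2 and 4) can be audited read-only from a domain-joined admin workstation. This is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module (RSAT), which is newer than the tooling the post refers to, and every host and account name in it is a placeholder.

```powershell
# Added example: read-only audit of the AD-side delegation prerequisites.
# Items 3 (IE version) and 5 (MDAC version) are local to the client and the
# IIS box and are not visible in AD, so they are not covered here.
Import-Module ActiveDirectory

function Test-DelegationPrereqs {
    param(
        [string]$IisServer,    # IIS computer account name
        [string]$SqlHost,      # SQL Server host name
        [string]$SqlService,   # domain account running SQL Server; empty for LocalSystem
        [string]$EndUser       # user whose identity IIS must delegate
    )
    $findings = @()

    # Item 1: the IIS computer account must be trusted for delegation.
    $iis = Get-ADComputer -Identity $IisServer -Properties TrustedForDelegation
    if (-not $iis.TrustedForDelegation) {
        $findings += "Item 1: $IisServer is not trusted for delegation"
    }

    # Item 2: "Account is sensitive and cannot be delegated" must be cleared.
    $user = Get-ADUser -Identity $EndUser -Properties AccountNotDelegated
    if ($user.AccountNotDelegated) {
        $findings += "Item 2: $EndUser is marked sensitive and cannot be delegated"
    }

    # Item 4: an MSSQLSvc SPN must exist and belong to the account SQL Server
    # runs as (the computer account when the service runs as LocalSystem).
    # The trailing wildcard also matches longer host names with the same prefix.
    $expected = if ($SqlService) { $SqlService } else { "$SqlHost`$" }
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=MSSQLSvc/$SqlHost*)" `
                             -Properties servicePrincipalName, sAMAccountName)
    if ($owners.Count -eq 0) {
        $findings += "Item 4: no MSSQLSvc SPN registered for $SqlHost"
    }
    foreach ($o in $owners | Where-Object { $_.sAMAccountName -ne $expected }) {
        $findings += "Item 4: SPN held by $($o.sAMAccountName), expected $expected"
    }
    return $findings
}

# Placeholder names; replace with the real IIS host, SQL host, service account and user.
$result = Test-DelegationPrereqs -IisServer 'IISHOST01' -SqlHost 'SQLHOST01' `
                                 -SqlService 'svc-sql' -EndUser 'testuser'
if ($result) { $result } else { 'AD-side prerequisites look correct' }
```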