Re: Kerberos Delegation win2k3 AD/IIS/SQLSERVER separate machines

From: Sander Romeyn (romeyn_at_rvc.nl)
Date: 02/24/05


Date: Thu, 24 Feb 2005 09:23:30 +0100

Well, so far I got the Kerberos to the IIS server working.

The test page gives me Negotiate and a domain username when I open it from a
remote machine.

The SQLServer won't get the Kerberos ticket though.

On my IIS machine I see the following tickets:

host/iisserver.domain.local

krbtgt/domain.local

So that should be OK, I guess.

The SQL Server is upgraded with SP3 and on tcp/ip connection only.

I set the SPN MSSQLSvc/sqlserver.domain.local:1433, though I presume that's
not necessary; it runs on a local admin account and is the only one in the
domain.

I gave domain users full control on all tables for testing ...

Does someone have a suggestion on how to correctly debug the connection
between the IIS and the SQL server?

"Kevin McDonnell [MSFT]" <kevmc@online.microsoft.com> wrote in message
news:EcrzgqQGFHA.1136@TK2MSFTNGXA02.phx.gbl...
>
> Follow the tshooting steps in this article.
> 319723 INF: SQL Server 2000 Kerberos support including SQL Server virtual
> http://support.microsoft.com/?id=319723
>
> The three tools you need to resolve/tshoot this are:
> 1. Kerbtray
> 2. Network Monitor
> 3. Netdiag
>
> You'll want to enable Kerberos logging on IIS as well.
>
> You need to first make sure a web client can authenticate to IIS via
> Kerberos. If this isn't working, (this is the first hop), then everything
> else will fail.
>
> Hope this helps.
>
> Kevin McDonnell
> Microsoft Corporation
>
> This posting is provided AS IS with no warranties, and confers no rights.
>
>
>


