Solved

Active Directory Delegation: NetBIOS name works, IP doesn't. Why?

Posted on 2004-08-29
Last Modified: 2012-05-05

OK, I set up Active Directory delegation on my intranet site and enabled Windows authentication.
Users go to the ASP page, and their identity/credentials are passed through to the SQL server.

(Logging into the SQL server with the users' credentials is the critical part here; we have assigned SQL-level permissions on certain tables.)

When users go to the machine's website http://cWebNexus2/integratedlogon.asp, everything works like a dream.
(cWebNexus2 is the name of the machine on our Active Directory network.)

But when I go to the outside site name, http://nexus.dealix.com/integratedlogon.asp, or the IP xxx.xx.xx.xx for that site
(from home, OR from my workstation on the company Active Directory network),
the ASP pages come up, so IIS is authenticating me... but it doesn't pass through to SQL: the users' credentials are not delegated to the SQL server, and I get the good ol'
"Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'."

It feels like double-hop (which I got past) all over again.

I need:
1) My remote users to be able to log in from home with the network popup login.
2) My local users to be authenticated without any logins from within the company network.
3) Everyone (local and remote) to log into SQL with their Active Directory account.

Ideas?
Question by:dealix
 

Accepted Solution

by: Dave_Dietz
This is double-hop all over again.

For Kerberos Delegation to work properly you have to have the correct SPNs (Server Principal Names) in place.  IP addresses will *not* work for this since the IP address isn't part of the computer account in AD and nexus.dealix.com is not in AD either.

You will need to add a new SPN for the external domain name for this to work.

The following command line (run on the web server) should work for this (assuming you have the setspn utility on the machine and you are a domain admin):

setspn -a HOST/nexus.dealix.com cWebNexus2

This will enter the nexus.dealix.com name into active directory so a ticket can be issued for it to use with Kerberos.

However, this will not work for users outside the domain.  One of the requirements for Auth Delegation is that the client machine and the webserver are members of the same domain (or at least forest).

In order to reach the end goal you are looking for I would suggest the following:

a) Create two websites that point to the same content (so you have two identical websites that we can configure differently).

b) Set one site to listen on an internal IP address; set the other to listen on an outside address (or an address you are forwarding packets to from the outside).

c) Set the internal site to use Integrated Auth and either leave it as cWebNexus2 and access it internally that way, or set up the extra SPN and DNS entry so you can hit it via nexus.dealix.com.

d) Set up SSL on the external site and configure it to use Basic auth.  This will allow IIS to send the users' credentials to the SQL server and protect the users' credentials on the wire.

In this way:
1) Remote users will be able to log in from home with the network popup login.
2) Local users will be authenticated without any logins from within the company network.
3) Everyone (local and remote) will log into SQL with their Active Directory account.

Dave Dietz
Author Comment

by:dealix

Interesting, that setspn thing sounds like a great idea, but... will it work if I have multiple web servers?
See, nexus.dealix.com is an address that is going to be load balanced between the machines CWebNexus1 and CWebNexus2. Will I be able to use "setspn -a HOST/nexus.dealix.com" to register the domain for both servers?
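An added check for the SPN requirement in the accepted answer and for the load-balancing follow-up (example code written for this page, not from the thread or from Microsoft's tooling): it parses constructed `setspn -L` output for the two web servers and reports whether HOST/nexus.dealix.com is missing, registered once, or registered on more than one account. The listing format is the one the real utility prints; the account DNs under dealix.com and the sample SPNs are assumptions.

```python
"""Report which accounts hold HOST/<name> in `setspn -L` output.

Kerberos requires every SPN to be unique in the forest, so a load-balanced
name like nexus.dealix.com must be registered on exactly one account (a
shared domain service account both app pools run as), not per web server.
"""
import re
from collections import defaultdict

# Constructed sample of what `setspn -L <account>` prints for two
# computer accounts (DNs under dealix.com are assumed, not from the thread).
SAMPLE_LISTING = """\
Registered ServicePrincipalNames for CN=CWEBNEXUS1,CN=Computers,DC=dealix,DC=com:
    HOST/CWEBNEXUS1
    HOST/cwebnexus1.dealix.com
    HOST/nexus.dealix.com
Registered ServicePrincipalNames for CN=CWEBNEXUS2,CN=Computers,DC=dealix,DC=com:
    HOST/CWEBNEXUS2
    HOST/cwebnexus2.dealix.com
    HOST/nexus.dealix.com
"""

HEADER = re.compile(r"^Registered ServicePrincipalNames for (.+):$")

def parse_setspn(listing):
    """Map each account DN to the SPN list printed under its header."""
    spns = defaultdict(list)
    account = None
    for line in listing.splitlines():
        m = HEADER.match(line.strip())
        if m:
            account = m.group(1)
        elif account and line.strip():
            spns[account].append(line.strip())
    return dict(spns)

def host_spn_owners(listing, dns_name):
    """Accounts holding HOST/<dns_name>; SPN matching is case-insensitive."""
    want = "host/" + dns_name.lower()
    return sorted(acct for acct, lst in parse_setspn(listing).items()
                  if any(s.lower() == want for s in lst))

def check_spn(listing, dns_name):
    """'missing': no ticket can be issued and the NTLM fallback yields the
    ANONYMOUS LOGON error from the question; 'duplicate': the KDC cannot pick
    one account and Kerberos fails; 'ok': exactly one owner."""
    owners = host_spn_owners(listing, dns_name)
    if not owners:
        return "missing"
    return "duplicate" if len(owners) > 1 else "ok"
```

Running the sample through `check_spn` flags nexus.dealix.com as a duplicate, which is the trap in registering the shared name on both machines.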

Author Comment

by:dealix
I posted my "2 webservers on 1 domain" as a new question at:
http://www.experts-exchange.com/Web/Web_Languages/ASP/Q_21113017.html
Author Comment

by:dealix
I posted my "why doesn't nexus.dealix.com work outside the domain" question at:
http://experts-exchange.com/Web/Web_Languages/ASP/Q_21114358.html

Thanks,
Dan