Active Directory Delegation: NetBIOS name works, IP doesn't. Why?


OK, I set up Active Directory delegation on my intranet site and enabled Windows authentication.
Users go to the ASP page, and their identity/credentials are passed through to the SQL server.

(Logging into the SQL server with the user's credentials is the critical part here; we have assigned SQL-level permissions on certain tables.)

When users go to the machine's website http://cWebNexus2/integratedlogon.asp, everything works like a dream.
(cWebNexus2 is the name of the machine on our Active Directory network.)

But when I go to the outside site name http://nexus.dealix.com/integratedlogon.asp or the IP xxx.xx.xx.xx for that site
(from home, OR from my workstation on the company Active Directory network),
ASP pages come up, so IIS is authenticating me... but it doesn't pass through to SQL; the user's credentials are not delegated to the SQL server, and I get the good ol'
"Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'."

It feels like double-hop (which I got past) all over again.

I need:
1) My remote users to be able to log in from home with the network popup login.
2) My local users to be authenticated without any logins from within the company network.
3) Everyone (local and remote) to log into SQL with their Active Directory account.

Ideas?
dealix asked:

Dave_Dietz commented:
This is double-hop all over again.

For Kerberos Delegation to work properly you have to have the correct SPNs (Server Principal Names) in place.  IP addresses will *not* work for this, since the IP address isn't part of the computer account in AD, and nexus.dealix.com is not in AD either.

You will need to add a new SPN for the external domain name for this to work.

The following command line (run on the web server) should work for this (assuming you have the setspn utility on the machine and you are a domain admin):

setspn -a HOST/nexus.dealix.com cWebNexus2

This will enter the nexus.dealix.com name into Active Directory so a ticket can be issued for it to use with Kerberos.

However, this will not work for users outside the domain.  One of the requirements for auth delegation is that the client machine and the webserver are members of the same domain (or at least forest).

In order to reach the end goal you are looking for I would suggest the following:

a) Create two websites that point to the same content (so you have two identical websites that we can configure differently).

b) Set one site to listen on an internal IP address - set the other to listen on an outside address (or an address you are forwarding packets to from the outside).

c) Set the internal site to use Integrated Auth, and either leave it as cWebNexus2 and access it internally that way, or set up the extra SPN and DNS entry so you can hit it via nexus.dealix.com.

d) Set up SSL on the external site and configure it to use Basic auth.  This will allow IIS to send the user's credentials to the SQL server and protect the user's credentials on the wire.

In this way:
1) Remote users will be able to log in from home with the network popup login.
2) Local users will be authenticated without any logins from within the company network.
3) Everyone (local and remote) will log into SQL with their Active Directory account.

Dave Dietz
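The following script is an added example, not code from the thread or from either participant. It carries out the answer above (two sites on the same content, Integrated auth on the internal address, Basic auth over SSL on the external one, plus the SPN for the external name) on a current IIS using the WebAdministration module rather than the IIS 6 of the original question, and it also covers the load-balanced case raised later in the thread. Every concrete value is hypothetical: content in D:\sites\nexus, internal address 10.0.0.5, external address 203.0.113.10, app pool NexusPool, and a domain service account DEALIX\svc-nexus that runs the pool on both CWebNexus1 and CWebNexus2. It registers HTTP/ SPNs on that service account instead of the HOST/ SPN on the computer account that the answer suggests: a HOST/ SPN is only implicitly usable by IIS when the application pool runs as Network Service (the computer account), and a name shared by two servers behind a load balancer can carry its SPN on only one account, so both servers have to run as the same service account. Trusting that account for delegation to the SQL Server's SPN and binding a certificate to the external address are assumed to be done separately.

```powershell
# Added example (not from the original thread). All names, addresses and the
# service account below are hypothetical placeholders.
Import-Module WebAdministration
$ErrorActionPreference = 'Stop'

$content  = 'D:\sites\nexus'
$extName  = 'nexus.dealix.com'
$poolName = 'NexusPool'
$svcAcct  = 'DEALIX\svc-nexus'
$svcPass  = Read-Host -AsSecureString "Password for $svcAcct"

# The name clients type must resolve via an A record: for a CNAME, clients
# may request a ticket for the canonical name instead, which has no SPN and
# quietly falls back to NTLM, and NTLM cannot be delegated to SQL Server.
if (Resolve-DnsName -Name $extName -Type A | Where-Object { $_.Type -eq 'CNAME' }) {
    Write-Warning "$extName is a CNAME; publish it as an A record for Kerberos"
}

# One application pool under the service account. The SPN registered at the
# end only helps if the process that receives the Kerberos ticket runs as the
# account the ticket was encrypted for.
if (-not (Test-Path "IIS:\AppPools\$poolName")) { New-WebAppPool -Name $poolName | Out-Null }
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($svcPass)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.identityType -Value 'SpecificUser'
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.userName     -Value $svcAcct
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.password     -Value $plain

function Set-SiteAuth {
    # Writes <location path="site"> entries in applicationHost.config. The
    # authentication sections are locked for web.config by default, so this
    # is the form that works without unlocking them.
    param([string]$Site, [hashtable]$Flags)
    foreach ($mode in $Flags.Keys) {
        Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site `
            -Filter "system.webServer/security/authentication/$mode" `
            -Name enabled -Value $Flags[$mode]
    }
}

# Site 1: internal address, Integrated (Kerberos) auth only, so domain members
# get no prompt and their ticket can be delegated on to SQL Server.
New-Website -Name 'Nexus Internal' -IPAddress 10.0.0.5 -Port 80 -HostHeader $extName `
    -PhysicalPath $content -ApplicationPool $poolName | Out-Null
Set-SiteAuth 'Nexus Internal' @{ anonymousAuthentication = $false
                                 windowsAuthentication   = $true
                                 basicAuthentication     = $false }

# Site 2: external address. Basic auth gives IIS a password it can present to
# SQL Server on the user's behalf (no Kerberos ticket exists for an outside
# client); requiring SSL is what keeps that password off the wire in clear.
New-Website -Name 'Nexus External' -IPAddress 203.0.113.10 -Port 443 -Ssl -HostHeader $extName `
    -PhysicalPath $content -ApplicationPool $poolName | Out-Null
Set-SiteAuth 'Nexus External' @{ anonymousAuthentication = $false
                                 windowsAuthentication   = $false
                                 basicAuthentication     = $true }
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location 'Nexus External' `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
# A certificate must still be bound to 203.0.113.10:443 (netsh http add sslcert
# or the IIS console); Basic auth without that binding sends passwords in clear.

# SPNs for the external name, on the service account. An SPN may exist on only
# one account in the forest; a duplicate does not fail loudly, it just stops
# the KDC from issuing tickets for that name.
foreach ($spn in "HTTP/$extName", "HTTP/$($extName.Split('.')[0])") {
    if ((& setspn -Q $spn) -match 'Existing SPN found') {
        Write-Warning "$spn is already registered; locate the owner with: setspn -X"
    } else {
        & setspn -S $spn $svcAcct      # -S refuses duplicates; the older -a does not
    }
}
& setspn -L $svcAcct                   # show what the account now holds
```

Run it once per web server as a domain admin (setspn needs rights to write the servicePrincipalName attribute); the SPN registration is idempotent because of the -Q check, so the second server only adds its pool and sites. To confirm the internal site is really using Kerberos rather than silently falling back to NTLM, look at the Authentication Package in the 4624 logon event on the web server, or at auth_scheme in the SQL Server's sys.dm_exec_connections for the incoming session.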
 
dealix (Author) commented:

Interesting, that setspn thing sounds like a great idea, but... will it work if I have multiple webservers?
See, nexus.dealix.com is an address that is going to be load-balanced between the machines CWebNexus1 and CWebNexus2. Will I be able to use "setspn -a HOST/nexus.dealix.com" to register the domain for both servers?
 
dealix (Author) commented:
I posted my "2 webservers on 1 domain" as a new question at:
http://www.experts-exchange.com/Web/Web_Languages/ASP/Q_21113017.html
dealix (Author) commented:
I posted my "why doesn't nexus.dealix.com work outside the domain" question at:
http://experts-exchange.com/Web/Web_Languages/ASP/Q_21114358.html

Thanks,
Dan