Solved

Active Directory Delegation: NetBIOS name works, IP doesn't. Why?

Posted on 2004-08-29
Last Modified: 2012-05-05

Ok, I set up Active Directory delegation on my intranet site and enabled Windows authentication.
Users go to the ASP page, and their identity/credentials are passed through to the SQL server.

(Logging into the SQL server with the users' credentials is the critical part here; we have assigned SQL-level permissions on certain tables.)

When users go to the machines website http://cWebNexus2/integratedlogon.asp, everything works like a dream.
(cWebNexus2 is the name of the machine on our active directory network)

But when I go to the outside site name, http://nexus.dealix.com/integratedlogon.asp, or the IP xxx.xx.xx.xx for that site
(from home, OR from my workstation on the company Active Directory network),
the ASP pages come up, so IIS is authenticating me... but it doesn't pass through to SQL. The users' credentials are not delegated to the SQL server, and I get the good ol'
"Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'."

It feels like double-hop (which I got past) all over again.

I need:
1) My remote users to be able to log in from home with the network popup login,
2) My local users to be authenticated without any logins from within the company network,
3) Everyone (local and remote) to log into SQL with their Active Directory account.

Ideas?
Question by: dealix
4 Comments

Accepted Solution by: Dave_Dietz (earned 250 total points)
ID: 11928183
This is double-hop all over again.

For Kerberos Delegation to work properly you have to have the correct SPNs (Server Principal Names) in place.  IP addresses will *not* work for this since the IP address isn't part of the computer account in AD and nexus.dealix.com is not in AD either.

You will need to add a new SPN for the external domain name for this to work.

The following command line (run on the web server) should work for this (assuming you have the setspn utility on the machine and you are a domain admin):

setspn -a HOST/nexus.dealix.com

This will enter the nexus.dealix.com name into active directory so a ticket can be issued for it to use with Kerberos.

However, this will not work for users outside the domain.  One of the requirements for Auth Delegation is that the client machine and the webserver are members of the same domain (or at least forest).

In order to reach the end goal you are looking for I would suggest the following:

a) Create two websites that point to the same content (so you have two identical websites that we can configure differently).

b) Set one site to listen on an internal IP address - set the other to listen on an outside address (or an address you are forwarding packets to from the outside).

c) Set the internal site to use Integrated Auth and either leave it as cWebNexus2 and access it internally that way, or set up the extra SPN and DNS entry so you can hit it via nexus.dealix.com.

d) Set up SSL on the external site and configure it to use Basic auth.  This will allow IIS to send the users' credentials to the SQL server and protect the users' credentials on the wire.

In this way:
1) Remote users will be able to log in from home with the network popup login,
2) Local users will be authenticated without any logins from within the company network,
3) Everyone (local and remote) will log into SQL with their Active Directory account.

Dave Dietz
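The accepted answer hinges on one fact: the KDC only issues a ticket for a name that is registered as an SPN on exactly one account, so a missing or duplicated HOST/nexus.dealix.com entry makes the client fall back to NTLM and IIS ends up at SQL as ANONYMOUS LOGON. The script below is an added example, not from Dave's answer, that audits that condition with the RSAT ActiveDirectory module instead of setspn.exe and can register the SPN when it is absent. The function name Test-HostSpn is mine; the server and host names come from the question, and it assumes the module is installed and the caller is a domain admin.

```powershell
# Added example: audit (and optionally register) the HOST SPN a delegating
# web server needs. Assumes the RSAT ActiveDirectory module and domain-admin rights.
Import-Module ActiveDirectory

function Test-HostSpn {
    param(
        [Parameter(Mandatory)] [string] $Spn,           # e.g. 'HOST/nexus.dealix.com'
        [Parameter(Mandatory)] [string] $ComputerName,  # e.g. 'cWebNexus2'
        [switch] $Register                              # add the SPN when nobody holds it
    )

    # Escape the RFC 4515 special characters before embedding the SPN in an LDAP filter.
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    # Kerberos requires an SPN to map to exactly one account, so search every object
    # (computer or service account) in the domain that already claims this name.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$escaped)" -Properties servicePrincipalName)

    switch ($owners.Count) {
        0 {
            Write-Host "No account holds $Spn; the KDC cannot issue a ticket for it, clients fall back to NTLM, and SQL sees ANONYMOUS LOGON."
            if ($Register) {
                # Equivalent to: setspn -a HOST/nexus.dealix.com cWebNexus2
                Set-ADComputer -Identity $ComputerName -ServicePrincipalNames @{ Add = $Spn }
                Write-Host "Registered $Spn on $ComputerName."
            }
        }
        1 {
            $owner = $owners[0]
            if ($owner.Name -ieq $ComputerName) {
                Write-Host "$Spn is registered on $ComputerName as expected."
            } else {
                Write-Warning "$Spn is held by $($owner.DistinguishedName), not $ComputerName; tickets will be encrypted for the wrong account."
            }
        }
        default {
            # Duplicate SPNs: the KDC cannot pick a key, so Kerberos fails for every client.
            Write-Warning "$Spn is registered on $($owners.Count) accounts; remove it from all but one:"
            $owners | ForEach-Object { Write-Warning "  $($_.DistinguishedName)" }
        }
    }
    return $owners
}

# Audit only; add -Register to create the SPN when the audit finds no owner.
Test-HostSpn -Spn 'HOST/nexus.dealix.com' -ComputerName 'cWebNexus2'
```

Run it once per name the web server is reached by (NetBIOS, FQDN, external DNS name); a name that returns no owner or several owners explains an ANONYMOUS LOGON at SQL before any IIS or SQL setting is changed.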
Author Comment by: dealix
ID: 11936694

Interesting, that setspn thing sounds like a great idea, but... will it work if I have multiple webservers?
See, nexus.dealix.com is an address that is going to be load balanced between the machines CWebNexus1 and CWebNexus2. Will I be able to use "setspn -a HOST/nexus.dealix.com" to register the domain for both servers?

Author Comment by: dealix
ID: 11937314
I posted my "2 webservers on 1 domain" as a new question at:
http://www.experts-exchange.com/Web/Web_Languages/ASP/Q_21113017.html
Author Comment by: dealix
ID: 11946798
I posted my "why doesn't the nexus.dealix.com work outside the domain" question at:
http://experts-exchange.com/Web/Web_Languages/ASP/Q_21114358.html

Thanks,
Dan