Problems setting up Constrained Delegation
Hi Experts,
Please bear with me, this is my first question.
I'm trying to setup constrained delegation so that my iis server can pass on the user credentials to the SQL server. I've read a couple of articles on this but I must be missing something because it's still not working.
In AD I have setup delegation for my IIS server (Server1 for example purposes) to include the following SPN's from the SQL server (Server2 for example purposes):
Server1 properties
Trust this computer for delegation to specified services only
Use Kerberos only
MSSQLSvc Server2 1433
MSSQLSvc Server2 4951
MSSQLSvc Server2
(all discovered by AD from putting in server name)
The IIS service on server1 is running under the local system account but I have created a seperate application pool which runs under an AD service account. The sql service also runs under a AD service account (not the same one though).
I have setup my web app to use the application pool in question and setup web.config to use windows auth:
The site security is using 'Integrated Windows authentication' only.
On the IIS server in 'Local security settings' policy I have put the AD service account for the application pool into 'Enable computer and user accounts to be trusted for delegation' policy.
I've also used setspn to add 'http/server1' to server1.
I read somewhere that you must use tcp not named pipes, so I added tcp: before the server name in the connection string which apparently solves that one.
Not sure if I've missed anything but it's not working at the moment anyway... when I currently access the intranet even on a page that doesn't try to access the sql server it is asking me for a username and password. At one point it didn't and I could see in the security log my username authenticating for the IIS server but at the SQL server was getting errors in the security log NT AUTHORITY\ANONYMOUS LOGON.
Any help is much appreciated, thanks.
Gav
Please bear with me, this is my first question.
I'm trying to setup constrained delegation so that my iis server can pass on the user credentials to the SQL server. I've read a couple of articles on this but I must be missing something because it's still not working.
In AD I have setup delegation for my IIS server (Server1 for example purposes) to include the following SPN's from the SQL server (Server2 for example purposes):
Server1 properties
Trust this computer for delegation to specified services only
Use Kerberos only
MSSQLSvc Server2 1433
MSSQLSvc Server2 4951
MSSQLSvc Server2
(all discovered by AD from putting in server name)
The IIS service on server1 is running under the local system account but I have created a seperate application pool which runs under an AD service account. The sql service also runs under a AD service account (not the same one though).
I have setup my web app to use the application pool in question and setup web.config to use windows auth:
<authentication mode="Windows"/>
<identity impersonate="true"/>The site security is using 'Integrated Windows authentication' only.
On the IIS server in 'Local security settings' policy I have put the AD service account for the application pool into 'Enable computer and user accounts to be trusted for delegation' policy.
I've also used setspn to add 'http/server1' to server1.
I read somewhere that you must use tcp not named pipes, so I added tcp: before the server name in the connection string which apparently solves that one.
Not sure if I've missed anything but it's not working at the moment anyway... when I currently access the intranet even on a page that doesn't try to access the sql server it is asking me for a username and password. At one point it didn't and I could see in the security log my username authenticating for the IIS server but at the SQL server was getting errors in the security log NT AUTHORITY\ANONYMOUS LOGON.
Any help is much appreciated, thanks.
Gav
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
This blog is far better than anything I found on the net regarding constrained delegation. The tool dhcheck.vbs mentioned at the end is a great little tool. Thank you.
There's many blog about constrained delegation, it's true!
But did you found the solution to your issue? :)
But did you found the solution to your issue? :)
ASKER
I did, I had duplicate SPN's which dhcheck.vbs let me know about, after I had removed them it started working. Thanks again
I've retrieved the one i looked for yesterday: http://www.adopenstatic.com/faq/
Take a look at all IIS and Kerberos series if you're interested in :)
Take a look at all IIS and Kerberos series if you're interested in :)
ASKER
Oh... I'm kicking myself now. I found that before I posted on here, but only part 4 (as I was searching for delegation). Part 2, about SPN's mentioned about duplicates being fatal! Typical. Nevermind I've learnt the errors of my ways now.
ASKER