Please bear with me, this is my first question.
I'm trying to set up constrained delegation so that my IIS server can pass on the user credentials to the SQL server. I've read a couple of articles on this but I must be missing something because it's still not working.
In AD I have set up delegation for my IIS server (Server1 for example purposes) to include the following SPNs from the SQL server (Server2 for example purposes):
Trust this computer for delegation to specified services only
Use Kerberos only
MSSQLSvc Server2 1433
MSSQLSvc Server2 4951
(all discovered by AD from putting in server name)
The IIS service on server1 is running under the local system account but I have created a separate application pool which runs under an AD service account. The SQL service also runs under an AD service account (not the same one though).
I have set up my web app to use the application pool in question and set up web.config to use Windows auth:
The site security is using 'Integrated Windows authentication' only.
On the IIS server, in the 'Local security settings' policy, I have put the AD service account for the application pool into the 'Enable computer and user accounts to be trusted for delegation' policy.
I've also used setspn to add 'http/server1' to server1.
I read somewhere that you must use tcp not named pipes, so I added tcp: before the server name in the connection string which apparently solves that one.
Not sure if I've missed anything but it's not working at the moment anyway... When I currently access the intranet, even on a page that doesn't try to access the SQL server, it is asking me for a username and password. At one point it didn't, and I could see in the security log my username authenticating for the IIS server, but at the SQL server I was getting errors in the security log for NT AUTHORITY\ANONYMOUS LOGON.
Any help is much appreciated, thanks.
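
A read-only audit of the setup described above, added here as an example and not part of the original post: it lists where the SPNs and constrained-delegation targets are actually registered so they can be compared with the accounts the services run as. It assumes the ActiveDirectory (RSAT) module is available; `svc-apppool` and `svc-sql` are placeholder names for the two AD service accounts, which the post does not name.

```powershell
# Added example: read-only audit of the principals involved in the IIS -> SQL hop.
# Server1/Server2 are the post's example host names; the two service-account
# names below are placeholders (assumptions) and must be replaced.
Import-Module ActiveDirectory

$appPoolAccount = 'svc-apppool'   # placeholder: account the application pool runs as
$sqlAccount     = 'svc-sql'       # placeholder: account the SQL Server service runs as

$props = 'servicePrincipalName', 'msDS-AllowedToDelegateTo',
         'TrustedForDelegation', 'TrustedToAuthForDelegation'

$principals = @(
    Get-ADComputer -Identity 'Server1'       -Properties $props
    Get-ADComputer -Identity 'Server2'       -Properties $props
    Get-ADUser     -Identity $appPoolAccount -Properties $props
    Get-ADUser     -Identity $sqlAccount     -Properties $props
)

# Per principal: SPNs it owns and the services it may delegate to.
$principals | ForEach-Object {
    [pscustomobject]@{
        Account            = $_.SamAccountName
        SPNs               = ($_.servicePrincipalName -join '; ')
        DelegatesTo        = ($_.'msDS-AllowedToDelegateTo' -join '; ')
        Unconstrained      = $_.TrustedForDelegation
        ProtocolTransition = $_.TrustedToAuthForDelegation
    }
} | Format-List

# Each SPN must be registered on exactly one account: the one whose key
# decrypts the service ticket. List every owner of the HTTP and MSSQLSvc SPNs.
$spnPatterns = 'HTTP/server1*', 'MSSQLSvc/Server2*'
foreach ($pattern in $spnPatterns) {
    $owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$pattern)" `
                           -Properties servicePrincipalName
    foreach ($o in $owners) {
        $o.servicePrincipalName |
            Where-Object { $_ -like $pattern } |
            ForEach-Object { '{0,-45} registered on {1}' -f $_, $o.Name }
    }
}
```

Constrained delegation is evaluated against the account the front-end process runs as, so the `DelegatesTo` list matters on whichever principal the application pool uses, and any SPN that shows more than one owner in the second listing is a duplicate that will break Kerberos for that service.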