Solved

Problems setting up Constrained Delegation

Posted on 2011-03-03
7
1,514 Views
Last Modified: 2012-05-11
Hi Experts,

Please bear with me, this is my first question.

I'm trying to setup constrained delegation so that my iis server can pass on the user credentials to the SQL server. I've read a couple of articles on this but I must be missing something because it's still not working.

In AD I have setup delegation for my IIS server (Server1 for example purposes) to include the following SPN's from the SQL server (Server2 for example purposes):

Server1 properties
Trust this computer for delegation to specified services only
  Use Kerberos only
     MSSQLSvc    Server2    1433
     MSSQLSvc    Server2    4951
     MSSQLSvc    Server2

(all discovered by AD from putting in server name)

The IIS service on server1 is running under the local system account but I have created a seperate application pool which runs under an AD service account. The sql service also runs under a AD service account (not the same one though).

I have setup my web app to use the application pool in question and setup web.config to use windows auth:

<authentication mode="Windows"/>
<identity impersonate="true"/>

Open in new window


The site security is using 'Integrated Windows authentication' only.

On the IIS server in 'Local security settings' policy I have put the AD service account for the application pool into 'Enable computer and user accounts to be trusted for delegation' policy.

I've also used setspn to add 'http/server1' to server1.

I read somewhere that you must use tcp not named pipes, so I added tcp: before the server name in the connection string which apparently solves that one.

Not sure if I've missed anything but it's not working at the moment anyway... when I currently access the intranet even on a page that doesn't try to access the sql server it is asking me for a username and password. At one point it didn't and I could see in the security log my username authenticating for the IIS server but at the SQL server was getting errors in the security log NT AUTHORITY\ANONYMOUS LOGON.

Any help is much appreciated, thanks.
Gav
0
Comment
Question by:gavsmith
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 11

Accepted Solution

by:
Tasmant earned 500 total points
ID: 35026618
0
 
LVL 10

Author Comment

by:gavsmith
ID: 35026731
Thanks Tasmant, I'll go through that and let you know how I get on
0
 
LVL 10

Author Closing Comment

by:gavsmith
ID: 35035848
This blog is far better than anything I found on the net regarding constrained delegation. The tool dhcheck.vbs mentioned at the end is a great little tool. Thank you.
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
LVL 11

Expert Comment

by:Tasmant
ID: 35036110
There's many blog about constrained delegation, it's true!
But did you found the solution to your issue? :)
0
 
LVL 10

Author Comment

by:gavsmith
ID: 35036151
I did, I had duplicate SPN's which dhcheck.vbs let me know about, after I had removed them it started working. Thanks again
0
 
LVL 11

Expert Comment

by:Tasmant
ID: 35036200
I've retrieved the one i looked for yesterday: http://www.adopenstatic.com/faq/
Take a look at all IIS and Kerberos series if you're interested in :)
0
 
LVL 10

Author Comment

by:gavsmith
ID: 35036304
Oh... I'm kicking myself now. I found that before I posted on here, but only part 4 (as I was searching for delegation). Part 2, about SPN's mentioned about duplicates being fatal! Typical. Nevermind I've learnt the errors of my ways now.
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In-place Upgrading Dirsync to Azure AD Connect
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question