Credentials Double Hop

20 Oct 2006 11:53 AM

mgk

Hi!

I've setup everything to solve this issue but I still get the message "Login
failed for user 'NT AUTHORITY\ANONYMOUS LOGON'."

I have the tags in webconfig
    <authentication mode="Windows" />

    <identity impersonate="true" />

I have the SQL connection string

"Persist Security Info=False;Integrated Security=SSPI;database=" & DBName &
";server=" & ServerName

An my AD administrator has ticked the box "Trust this this computer for
delegation to any service (Kerberos Only)" for the application server.

I've disabled anonymous logon on the IIS of the application server.

My SQL server is set to mixed mode authentication, and my user name have
access as a System Administrator on SQL.

Why do I still get my error? Why is my application server still not passing
credentials to my database server?

Thanks!

20 Oct 2006 1:14 PM

Dominick Baier

have you double checked you are really doing kerberos authentication to the
web server?

you can see that in the security log - search for logon evens - you should
have a authentication package type of Kerberos.

also have a look here:

http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default.aspx

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

Show quoteHide quote

> Hi!
>
> I've setup everything to solve this issue but I still get the message
> "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'."
>
> I have the tags in webconfig
> <authentication mode="Windows" />
> <identity impersonate="true" />
>
> I have the SQL connection string
>
> "Persist Security Info=False;Integrated Security=SSPI;database=" &
> DBName & ";server=" & ServerName
>
> An my AD administrator has ticked the box "Trust this this computer
> for delegation to any service (Kerberos Only)" for the application
> server.
>
> I've disabled anonymous logon on the IIS of the application server.
>
> My SQL server is set to mixed mode authentication, and my user name
> have access as a System Administrator on SQL.
>
> Why do I still get my error? Why is my application server still not
> passing credentials to my database server?
>
> Thanks!
>

20 Oct 2006 1:51 PM

mgk

Dominick,

I'm red in the face. I found another post you took part in and you directed
the person to the article as well.

I that article it says the CLIENT should log of to clear Kerberos
credentials....I rebooted my server but never thought the client has role.

When I logged off and logged back on it worked. I came back to this site to
tell everyone to ignore me, and here you are pointing me to the same place!

Thank You and have a nice weekend!

Show quoteHide quote

"Dominick Baier" wrote:

> have you double checked you are really doing kerberos authentication to the
> web server?
>
> you can see that in the security log - search for logon evens - you should
> have a authentication package type of Kerberos.
>
> also have a look here:
>
> http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default.aspx
>
> ---
> Dominick Baier, DevelopMentor
> http://www.leastprivilege.com
>
> > Hi!
> >
> > I've setup everything to solve this issue but I still get the message
> > "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'."
> >
> > I have the tags in webconfig
> > <authentication mode="Windows" />
> > <identity impersonate="true" />
> >
> > I have the SQL connection string
> >
> > "Persist Security Info=False;Integrated Security=SSPI;database=" &
> > DBName & ";server=" & ServerName
> >
> > An my AD administrator has ticked the box "Trust this this computer
> > for delegation to any service (Kerberos Only)" for the application
> > server.
> >
> > I've disabled anonymous logon on the IIS of the application server.
> >
> > My SQL server is set to mixed mode authentication, and my user name
> > have access as a System Administrator on SQL.
> >
> > Why do I still get my error? Why is my application server still not
> > passing credentials to my database server?
> >
> > Thanks!
> >
>
>
>