SPN for SSL over common name

From: "Daniel" <orioncr***@yahoo.com.sg>
Message-ID: <1158289246.653946.280870@i3g2000cwc.googlegroups.com>

Dear all,

I've created an alias (CName) in DNS for my web server running on IIS 6.0.

Web Server FQDN : myweb.domain.com (not using host header)
Alias for Web Server : kirk.domain.com

An SSL cert has been created from the alias.

Clients will be accessing the backend server, SQL2K, using Integrated Windows Authentication.

The webserver app pool is running under NETWORK SERVICE.
The MSSQLServer Windows service is running under a <SQL Service Account>

I'm getting the following error when trying the web server from the alias. https://kirk.domain.com

"The underlying connection was closed: Could not establish trust relationship with remote server.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Net.WebException: The underlying connection was closed: Could not establish trust relationship with remote server."

I've been told it's an SPN issue. The SQL Server is unable to locate the webserver.

I've tried setting the SPN as such.
setspn -a HTTP/kirk <SQL Service Account>
setspn -a HTTP/kirk.mydomain.com <SQL Service Account>
setspn -a HOST/kirk <SQL Service Account>
setspn -a HOST/kirk.mydomain.com <SQL Service Account>

It doesn't work.

setspn -l <SQL Server Account> shows the following:
HTTP/kirk
HTTP/kirk.mydomain.com
HOST/kirk
HOST/kirk.mydomain.com
MSSQLSvc/sqlserver.mydomain.com:1433

Questions.

The web server has been trusted for delegation to the MSSQLSvc SPN. Do I need to add "HTTP" service to the list?

Do I need to set the <SQL Service Account> to be trusted for delegation?

Any input will be greatly appreciated!

Regards,
Daniel


From: "Ken Schaefer" <kenREM***@THISadOpenStatic.com>
Message-ID: <u9qQ7Ps2GHA.1304@TK2MSFTNGP05.phx.gbl>
In reply to: "Daniel" <orioncr***@yahoo.com.sg>

Hi,

You have created a number of duplicate SPNs, and that will break Kerberos delegation working. Since you are running the web application pool under "Network Service", you can't register those SPNs under the SQL Server's service account. Those SPNs must be registered under the web server's machine account.

The *only* SPN you should have registered under the SQL Server's service account is the MSSQL SPN. That SPN should be registered under the SQL Server's service account and *removed* (if required) from the SQL Server's machine account.

Lastly, since the SQL Server is not being used for delegation anywhere, its service account does not need to be trusted for delegation. Instead, the *web server's* machine account must be trusted for delegation (since it is the one getting the Kerberos service ticket on behalf of the end user, in order to connect back to the SQL Server).

Cheers
Ken


From: "Daniel Tan" <kenghua@NOSPAMbiz-process.com>
Message-ID: <eCQ%23J%23t2GHA.324@TK2MSFTNGP05.phx.gbl>
In reply to: "Ken Schaefer" <kenREM***@THISadOpenStatic.com>

Hi Ken

Much thanks for the input!

This is the confirmation I'm looking for.

Cheers!


From: "Ken Schaefer" <kenREM***@THISadOpenStatic.com>
Message-ID: <uADR8$t2GHA.2176@TK2MSFTNGP04.phx.gbl>
In reply to: "Daniel Tan" <kenghua@NOSPAMbiz-process.com>

Hi,

Forgot to mention - this document is a good starting point that outlines common scenarios and what you need to do to get them working:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

Cheers
Ken


From: "Daniel Tan" <kenghua@NOSPAMbiz-process.com>
In reply to: "Ken Schaefer" <kenREM***@THISadOpenStatic.com>

Thanks again! Appreciated!
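An added example, not part of the thread: a small audit script that applies Ken's placement rules (web-name SPNs on the web server's machine account because the app pool runs as Network Service, only MSSQLSvc on the SQL service account, no SPN on more than one account) to `setspn -l` listings and emits the corrective `setspn -d` / `setspn -a` commands. The listing for the SQL service account is the one Daniel posted; the account names `DOMAIN\sqlsvc`, `MYWEB$` and `SQLSERVER$` and the two machine-account listings are constructed assumptions, since the thread only says <SQL Service Account>. The delegation setting on the web server's machine account is a separate change not covered here.

```python
from collections import defaultdict

# Constructed sample mirroring the thread: the `setspn -l` listing for the
# SQL service account (as posted), plus assumed listings for the web server's
# machine account and the SQL Server's machine account. Account names are
# placeholders; the page only says <SQL Service Account>.
SETSPN_LISTINGS = {
    "DOMAIN\\sqlsvc": ["HTTP/kirk", "HTTP/kirk.mydomain.com", "HOST/kirk",
                       "HOST/kirk.mydomain.com", "MSSQLSvc/sqlserver.mydomain.com:1433"],
    "MYWEB$": ["HOST/MYWEB", "HOST/myweb.mydomain.com"],
    "SQLSERVER$": ["HOST/SQLSERVER", "MSSQLSvc/sqlserver.mydomain.com:1433"],
}
# Names clients use to reach the web server: its own FQDN and the CNAME alias.
WEB_NAMES = {"myweb", "myweb.mydomain.com", "kirk", "kirk.mydomain.com"}


def audit_spns(listings, web_machine, sql_account, web_names):
    """Apply the placement rules from the reply: every HTTP/HOST SPN for the
    web server's names belongs on the web server's machine account (the app
    pool runs as Network Service), the MSSQLSvc SPN belongs only on the SQL
    service account, and no SPN may be registered on more than one account.
    Returns (findings, setspn commands that would correct the layout)."""
    owners, display = defaultdict(list), {}
    for account, spns in listings.items():
        for spn in spns:
            owners[spn.lower()].append(account)   # SPN matching is case-insensitive
            display.setdefault(spn.lower(), spn)  # keep the spelling as listed
    findings, fixes = [], []
    for key, accounts in owners.items():
        spn = display[key]
        if len(accounts) > 1:
            findings.append(f"duplicate SPN {spn} on {', '.join(accounts)}")
        service, _, hostport = key.partition("/")
        host = hostport.split(":")[0]
        if service == "mssqlsvc":
            wanted = sql_account
        elif service in ("http", "host") and host in web_names:
            wanted = web_machine
        else:
            continue  # outside this scenario (e.g. the SQL box's own HOST SPNs)
        for account in accounts:
            if account != wanted:
                findings.append(f"{spn} is registered on {account}, expected {wanted}")
                fixes.append(f"setspn -d {spn} {account}")
        if wanted not in accounts:
            fixes.append(f"setspn -a {spn} {wanted}")
    return findings, fixes


if __name__ == "__main__":
    found, cmds = audit_spns(SETSPN_LISTINGS, "MYWEB$", "DOMAIN\\sqlsvc", WEB_NAMES)
    print("\n".join(found + [""] + cmds))
```

Run against the sample it flags the four HTTP/HOST SPNs for kirk on the SQL service account and the MSSQLSvc duplicate on the SQL machine account, and prints the moves that leave each SPN on exactly one, correct, account.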