Problem with Impersonation / Delegation

I've tried setting up Impersonation with Delegation and I can't get it to work. When the IIS application is trying to connect to a remote SQL Server, I'm getting NTLM authentication instead of Kerberos, which is causing my delegation to fail, and I can't see why.

My test environment is a Virtual Server 2005 R2, hosting 3 Win2003 Servers, and the domain is called TEST.LOCAL. The first Win2003 is called OLYMPUS and hosts the Active Directory. The AD is now in Win2003 only mode. The 2nd Win2003 is called HADES and is running IIS 6.0 and SQL Server. HADES has been set as "Trusted for Delegation" to any service (Kerberos only). The 3rd Win2003 is called ZEUS and is running SQL Server.

HADES is hosting an ASP.Net 2.0 web page, which makes a SQL connection to both HADES and ZEUS. The web page / site is set for Integrated Security only and the ASP.Net Impersonate is turned on. The web page is in the default Application Pool, which is running under the local Network Service account. This account is set locally to be both "Act as OS" and "Trusted for delegation".

When accessing the web page from HADES as http://localhost/SQLTest, both SQL Server connections are made. I do realise that this isn't really delegation, but it shows me that the Impersonation is working and that the user is allowed to connect to all the services that it requires.

When accessing the web page from any of the machines as http://Hades/SQLTest, the SQL Server connection to ZEUS fails. I've checked the Security Event Log on ZEUS and can see that a connection is being made as the Anonymous user and using NTLM.

I have checked the SPN for both ZEUS and HADES. Both are showing the SQL Server default instances that I'm trying to connect to. Neither SQL Server is using a domain account, so these are the auto-registered SPN.

I can't see a HTTP SPN for ZEUS, but I'm assuming that as I'm using the NETWORK SERVICE to run the application pool that this is not a problem.

So, does anyone have any ideas as to what I need to do next?
Thanks in advance,

Al


> When accessing the web page from any of the machines as
> http://Hades/SQLTest, the SQL Server connection to ZEUS fails. I've
> checked the Security Event Log on ZEUS and can see that a connection is
> being made as the Anonymous user and using NTLM.

What authentication mechanism is being used to authenticate to Hades? http://www.adopenstatic.com/cs/blogs/ken/archive/2006/08/02/194.aspx are some ways you can check.

If Kerberos is being used, we need to figure out why delegation is failing. If NTLM is being used, we need to figure out why Kerberos is not being used.

Cheers
Ken

"Al" <A*@discussions.microsoft.com> wrote in message news:A3ED3BD4-AA36-4893-9D06-D3C2BF89FA6D@microsoft.com...
> [snip]


Hi Ken,

Thanks for your post. It's working now, and I'm only willing to put a £1 bet onto what the cure was. But to answer your question, the initial connection, from IE to IIS, was made using Kerberos authentication.

What I think fixed it was running "aspnet_iisreg -r" on Hades. But also tonight I switched the SQL Server on Zeus from a Local System to a domain account, deleted the old SPN and added new SPN for the Zeus SQL Server, and then switched back to Local System again, which might also have had an effect.

Thanks again,

Al

"Ken Schaefer" wrote:
> What authentication mechanism is being used to authenticate to Hades?
> http://www.adopenstatic.com/cs/blogs/ken/archive/2006/08/02/194.aspx are
> some ways you can check.
>
> If Kerberos is being used, we need to figure out why delegation is failing.
> If NTLM is being used, we need to figure out why Kerberos is not being used.
> [snip]
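As an added example (not code from the thread or from any of the posters), here is a Python checker for the three things the thread turns on: an HTTP SPN (or the HOST alias that covers it) on the IIS host, an MSSQLSvc SPN for the name and port the SQL client uses, and the trusted-for-delegation flag on the front-end account. The setspn -L listings are constructed to mirror the TEST.LOCAL setup, and the HOST-alias service list is an assumed subset of the default AD sPNMappings.

```python
import re

# Services covered by the HOST/<name> SPN of a computer account (assumed subset
# of the default AD sPNMappings). HTTP is one of them, which is why an app pool
# running as Network Service normally needs no explicit HTTP SPN.
HOST_COVERS = {"HTTP", "WWW", "W3SVC", "RPCSS", "CIFS"}

def parse_setspn(text):
    """Parse 'setspn -L' style output into {account_cn: {SPN, ...}} (upper-cased)."""
    spns, acct = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"Registered ServicePrincipalNames for CN=([^,]+),", line)
        if m:
            acct = m.group(1).upper()
            spns[acct] = set()
        elif acct and line:
            spns[acct].add(line.upper())
    return spns

def spn_covered(spn_set, service, host, port=None):
    """True if service/host[:port] is registered directly or covered by HOST/host."""
    name = f"{service}/{host}" + (f":{port}" if port else "")
    return name.upper() in spn_set or (
        service.upper() in HOST_COVERS and f"HOST/{host}".upper() in spn_set)

def diagnose(spns, front_acct, front_host, back_acct, back_host, back_port,
             front_trusted_for_delegation):
    """Reasons the browser -> IIS -> SQL Kerberos chain would fall back to NTLM.
    front_host is the name typed in the URL; back_host:back_port is the name the
    SQL client connects to. A hop without a matching SPN silently goes NTLM."""
    problems = []
    if not spn_covered(spns.get(front_acct, set()), "HTTP", front_host):
        problems.append(f"no HTTP/{front_host} or HOST/{front_host} SPN on "
                        f"{front_acct}: first hop uses NTLM, nothing to delegate")
    if not spn_covered(spns.get(back_acct, set()), "MSSQLSvc", back_host, back_port):
        problems.append(f"no MSSQLSvc/{back_host}:{back_port} SPN on {back_acct}: "
                        "second hop uses NTLM; the impersonated token carries no "
                        "credentials to forward, so it arrives as the Anonymous user")
    if not front_trusted_for_delegation:
        problems.append(f"{front_acct} not trusted for delegation: KDC will not "
                        "issue a forwardable ticket for the second hop")
    return problems

# Constructed sample in setspn -L format; ZEUS is missing its SQL Server SPN.
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=HADES,CN=Computers,DC=test,DC=local:
    HOST/hades.test.local
    HOST/HADES
    MSSQLSvc/hades.test.local:1433
Registered ServicePrincipalNames for CN=ZEUS,CN=Computers,DC=test,DC=local:
    HOST/zeus.test.local
    HOST/ZEUS
"""
```

Run diagnose(parse_setspn(SETSPN_OUTPUT), "HADES", "hades", "ZEUS", "zeus.test.local", 1433, True) to see the missing MSSQLSvc SPN reported; adding that SPN to the ZEUS listing returns an empty problem list.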