Delegation: IIS Server setup in typical 3-tier scenario.

Sorry to be asking the same question that everybody probably asks... Setting up delegation is killing me... Typical IE6/IIS6/SQLServer2000 3-tier Integrated Windows Authentication problem - I've got the double hop problem when using Impersonation, so I'm trying to set up delegation. Getting authenticated using NTLM not Kerberos on the Web Server. IE6 is sending the Negotiate header.

SQL Server 2000 SP3 on Server 2003. SQL Account and Computer both Trusted for Delegation. Given SPN.

IIS 6.0 on Server 2003. Kerberos enabled. Computer Trusted for Delegation. Integrated Windows Authentication selected. Default application pool. Application on default website. IWAN_<computername> local account is running as part of operating system and trusted for delegation. (Does anything need to be SPN'd?)

ASP App using trusted ADO connections (impersonation by default as classic ASP). ASP.NET as well using ADO.NET trusted connection.

User (me) Trusted for Delegation on a client XPSP2 machine. IE6 Kerberos enabled. Trusted Site. No Proxy.

I've been through a lot of the Microsoft documentation. Incidentally the most useful was:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx#ETUAG

Some specific questions:

- I have seen a lot written about using FQDNs for Kerberos. Does this mean that in my ADO and ADO.NET connection strings I need to specify a fuller ServerName?

- Can I use IP addresses and ports with Kerberos? i.e. I think I can use these:
  http://computername.domainname
  http://hostname
  but can I use these?
  http://IPAddress
  http://computername.domainname:81
  http://computername

- So I am a little unclear on what SPNs I need to register for IIS, ASP, ASP.NET etc. Currently only the 2 server SPNs (FQDN and NetBIOS) are registered. And also what accounts I need to change security settings on?

Oh and while we're talking about this, I suppose you can use delegation with SQL Virtual Directories? Otherwise this is all pointless.

Cheers,

James

---

There are a number of issues here, and you need to work your way through them from beginning to end to determine where the problem actually lies.

Firstly, you can't have "duplicate" SPNs. You mentioned that you "gave" some hosts some SPNs - you should not do that unless you know that the service doesn't already have an SPN and/or you need to change the existing SPN. If you create duplicate SPNs then the KDC doesn't know which computer/user account's password should be used to encrypt the service ticket (check my blog - I will post something in more detail soon, but I have a post up right now explaining the basics of service tickets).

Secondly - work your way through the chain:

a) Are you sure IE is authenticating using Kerberos and not NTLM (e.g. use a packet capture tool such as Ethereal to verify this, or use the security event logs)? Just because IIS sends a Negotiate header does not mean that Kerberos is being used - it just means that an API is used to determine what protocols the browser and server both support.

b) Have you changed the application pool identity that your worker process is running under? If so, you will need to create/change the SPN for all FQDNs that that app pool services. Additionally, if you are accessing the website by a FQDN that is not servername.domain.com (e.g. it is someAlias.domain.com) then you will need to create an SPN for that site. Register it under the computer or user account that is being used to host the worker process that the website is in.

c) Next, check that IIS is authenticating using a user account to SQL server, and not "anonymous" or "null".

Cheers
Ken

"JimLad" <jamesdbi***@yahoo.co.uk> wrote in message news:1162556628.644584.286900@h48g2000cwc.googlegroups.com...
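An added check (example code, not from either poster) that works through Ken's first two points: it parses constructed output in the shape of `setspn -L <account>` for the accounts involved, flags any SPN registered on more than one account, and lists the HTTP SPNs still missing on the app pool identity for each host name the site is reached by. Account names, DNs and host names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `setspn -L` output for three accounts
# (hypothetical names, not from the thread). HTTP/websrv01.example.local is
# deliberately registered twice: on the computer account and on the user
# account now running the app pool, which is the duplicate-SPN case.
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=WEBSRV01,CN=Computers,DC=example,DC=local:
    HOST/websrv01.example.local
    HOST/WEBSRV01
    HTTP/websrv01.example.local
Registered ServicePrincipalNames for CN=AppPoolSvc,CN=Users,DC=example,DC=local:
    HTTP/websrv01.example.local
    HTTP/intranet.example.local
Registered ServicePrincipalNames for CN=SQLSRV01,CN=Computers,DC=example,DC=local:
    HOST/sqlsrv01.example.local
    HOST/SQLSRV01
    MSSQLSvc/sqlsrv01.example.local:1433
"""

def parse_setspn(text):
    """Map each SPN (compared case-insensitively) to the accounts it is registered on."""
    spns = defaultdict(set)
    account = None
    for line in text.splitlines():
        m = re.match(r"Registered ServicePrincipalNames for (.+):$", line.strip())
        if m:
            account = m.group(1)          # the DN that owns the SPNs that follow
        elif account and line.strip():
            spns[line.strip().lower()].add(account)
    return spns

def duplicate_spns(spns):
    """SPNs held by more than one account: the KDC cannot pick one key to encrypt the ticket."""
    return {spn: sorted(accts) for spn, accts in spns.items() if len(accts) > 1}

def missing_http_spns(spns, site_hosts, app_pool_account):
    """HTTP SPNs that each site host name still needs on the app pool identity."""
    return [f"HTTP/{h}" for h in site_hosts
            if app_pool_account not in spns.get(f"http/{h}".lower(), set())]

if __name__ == "__main__":
    table = parse_setspn(SETSPN_OUTPUT)
    pool = "CN=AppPoolSvc,CN=Users,DC=example,DC=local"
    hosts = ["websrv01.example.local", "intranet.example.local", "reports.example.local"]
    print("duplicates:", duplicate_spns(table))
    print("missing on app pool identity:", missing_http_spns(table, hosts, pool))
```

Real output from `setspn -L` on each account (computer accounts and the app pool user) can be pasted in place of the constructed sample; a non-empty duplicates map means one of the registrations has to be removed before Kerberos will work reliably.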