|
security
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
Constrained Delegation Problem: SQL partially delegatedI have set up delegation and IT WORKS to link through to a back end SQL server. However for security reasons I want to limit the services that can be delegated to to MSSQLSvc on the db server. An SPN has been set up for the SQL server account on port 1433. When I swap to constrained delegation a simple asp page with ADO still works, but my main app doesn't. The technologies used are ASP.NET 1.1 (ADO.NET), ASP (ADO), and SQLXML virtual directory. I assume that either I need to enable another port or add another service. Can someone enlighten me? Cheers, James Apologies! Turns out my ASP code was pointing at one db server and
asp.net was pointing at a different db server. Sorry!! James JimLad wrote: Show quoteHide quote > Hi, > > I have set up delegation and IT WORKS to link through to a back end SQL > server. > > However for security reasons I want to limit the services that can be > delegated to to MSSQLSvc on the db server. An SPN has been set up for > the SQL server account on port 1433. > > When I swap to constrained delegation a simple asp page with ADO still > works, but my main app doesn't. The technologies used are ASP.NET 1.1 > (ADO.NET), ASP (ADO), and SQLXML virtual directory. > > I assume that either I need to enable another port or add another > service. Can someone enlighten me? > > Cheers, > > James Glad you got it working. Kerberos service tickets are based on the SPN (as
you have discovered). the SPN contains a name (NetBIOS, FQDN etc) only. It does not differentiate between server technologies (e.g. ASP and ASP.NET pages) for example. If your ASP page is working fine, but your ASP.NET one isn't, then something else is the matter. Cheers Ken Show quoteHide quote "JimLad" <jamesdbi***@yahoo.co.uk> wrote in message news:1163783113.460418.276160@m73g2000cwd.googlegroups.com... > Apologies! Turns out my ASP code was pointing at one db server and > asp.net was pointing at a different db server. Sorry!! > > James > > JimLad wrote: > >> Hi, >> >> I have set up delegation and IT WORKS to link through to a back end SQL >> server. >> >> However for security reasons I want to limit the services that can be >> delegated to to MSSQLSvc on the db server. An SPN has been set up for >> the SQL server account on port 1433. >> >> When I swap to constrained delegation a simple asp page with ADO still >> works, but my main app doesn't. The technologies used are ASP.NET 1.1 >> (ADO.NET), ASP (ADO), and SQLXML virtual directory. >> >> I assume that either I need to enable another port or add another >> service. Can someone enlighten me? >> >> Cheers, >> >> James > 
Other interesting topics
Virtual Directory to a remote UNC not working properly
Force Relogin. IIS6, ASP.NET app, IE6+ browser credentials not going to IIS automatically aspnet_isapi.dll security limit access to all but 1 file Impersonation and Delegation with ASP.NET 2.0 on 2 Servers NTLM Authentication on IIS 6.0 Access Denied connecting to remote share through IIS Security while publishing an website in Frontpage Security Alert: The Name of the Security Certificate Is Invalid or Does Not Match the Name of the Si Non-default website is asking for username and password: why? |
|||||||||||||||||||||||
