RE: impersonation using kerberos
- From: "Brandon McGarvey" <BrandonMcGarvey@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 17 Oct 2005 08:50:06 -0700
Assuming this is an ASP.NET front end, where ASP.NET runs as NETWORK SERVICE
(2003)... Make sure you have granted the IIS computer account permissions to
the database. Since IIS needs to authenticate, it cannot authenticate with
the local NETWORK SERVICE account. You need to grant the computer's domain
account access to the database. If you have done this, then check the
following.

Is the SQL instance running under a domain user account or SYSTEM? If it is
running under a domain user account, you need to register an SPN for the SQL
instance to that domain user account. I had this problem with a SQL/IIS pair
I had worked on. Once I registered the SQL instance to the domain user
account under which the SQL service was running, the IIS server was able
to authenticate using its computer account (IISSERVER$).

Use setspn.exe to list SPNs registered to domain user "SQLUser":
setspn.exe -L DOMAIN\SQLUser

To add a SQL SPN:
setspn.exe -A MSSQLSvc/SQLSERVER.domain.com:1433 DOMAIN\SQLUser
{Assigns the SPN for the SQL instance on port 1433 to DOMAIN user "SQLUser"}
"Laurence" wrote:
> Hi,
>
> I have been pulling my hair out for ages on this one, so please help.
>
> I am trying to connect to a SQL server through IIS using impersonation.
>
> I am sure I have done 99% of what is needed to do this and still can not get
> it to work.
>
> So what have I done?
>
> I have a pure 2003 domain
> I have DNS configured and working (as far as I can see correctly)
> I have set all the computers to be able to delegate
> I have set all the computer accounts to be able to delegate
> I have a web site based in Windows SharePoint Services that works quite
> happily when only doing a single hop.
>
> However when I try to do a double hop I get the dreaded 'Login failed for
> user (null)' - implying it's a double hop issue.
>
> I have set SPNs (I think) for all services and users.
>
> However when using the Microsoft AuthDiag diagnostic tool, I get an error
> saying 'Service principal name (SPN) for user 'MyDomain\MyUser' not found
> in Active Directory'
>
> I have sorted all other impersonation error messages but not this one.
>
> If I look at the 'MyDomain\MyUser' using ADSI Edit the servicePrincipalName
> field contains
>
> HOST/MyUser
> HOST/MyUser.MyDomain
> HTTP/MyIISMachine.MyDomain.co.uk
>
> So is it that
>
> 1). The SPN is wrong - if so what should it be
> 2). The SPN is correct and the diag tool is reporting a different error?
>
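As an added example (not code from either poster), the following Python script performs the check Brandon's reply walks through by hand: it takes SPN lists of the kind `setspn.exe -L` prints for each account, parses each SPN into service class, host and port, and reports which SPNs the IIS-to-SQL double hop still lacks and whether any SPN is registered on more than one account (duplicate SPNs also break Kerberos authentication). All account names, host names and SPN lists below are constructed for illustration; `SQLSERVER.MyDomain.co.uk` is an assumed SQL host name in Laurence's domain.

```python
"""SPN audit for the IIS -> SQL Server double hop discussed in the thread.

Added example. The directory snapshots below are constructed: they mirror the
state Laurence describes (HOST and HTTP SPNs on MyUser, nothing for the SQL
service account) and the state after the setspn -A step from the reply.
"""
from collections import defaultdict


def parse_spn(spn):
    """Split 'service/host[:port][/name]' into (service, host, port).

    Service class and host are lower-cased because SPN matching in Active
    Directory is case-insensitive; the port stays a string or None.
    """
    parts = spn.split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError("malformed SPN: %r" % spn)
    host, _, port = parts[1].partition(":")
    return parts[0].lower(), host.lower(), (port or None)


def expected_spns(sql_account, sql_fqdn, sql_port, iis_account, iis_fqdn):
    """SPNs the double hop needs: MSSQLSvc/fqdn:port on the account the SQL
    service runs under, and HTTP/fqdn on the identity IIS authenticates as."""
    return {
        sql_account: {("mssqlsvc", sql_fqdn.lower(), str(sql_port))},
        iis_account: {("http", iis_fqdn.lower(), None)},
    }


def audit(accounts, expected):
    """accounts: {account: [spn, ...]} as setspn -L would list them.
    expected: {account: set of (service, host, port)} from expected_spns().
    Returns {'missing': {account: [spn tuples]}, 'duplicates': {spn: [accounts]}}."""
    owners = defaultdict(list)   # spn tuple -> accounts that carry it
    parsed = {}
    for account, spns in accounts.items():
        parsed[account] = {parse_spn(s) for s in spns}
        for key in parsed[account]:
            owners[key].append(account)
    missing = {acct: sorted(want - parsed.get(acct, set()), key=str)
               for acct, want in expected.items()}
    duplicates = {key: accts for key, accts in owners.items() if len(accts) > 1}
    return {"missing": missing, "duplicates": duplicates}


# Constructed snapshots (hypothetical accounts and hosts).
SQL_ACCOUNT = "MyDomain\\SQLUser"
IIS_ACCOUNT = "MyDomain\\MyUser"
EXPECTED = expected_spns(SQL_ACCOUNT, "SQLSERVER.MyDomain.co.uk", 1433,
                         IIS_ACCOUNT, "MyIISMachine.MyDomain.co.uk")

BEFORE = {  # what Laurence reports: no SPN for the SQL instance
    IIS_ACCOUNT: ["HOST/MyUser", "HOST/MyUser.MyDomain",
                  "HTTP/MyIISMachine.MyDomain.co.uk"],
    SQL_ACCOUNT: [],
}
AFTER = {   # after: setspn.exe -A MSSQLSvc/SQLSERVER.MyDomain.co.uk:1433 MyDomain\SQLUser
    IIS_ACCOUNT: BEFORE[IIS_ACCOUNT],
    SQL_ACCOUNT: ["MSSQLSvc/SQLSERVER.MyDomain.co.uk:1433"],
}
CONFLICT = {  # same HTTP SPN on the user and on the computer account
    IIS_ACCOUNT: BEFORE[IIS_ACCOUNT],
    "MyDomain\\MyIISMachine$": ["HTTP/MyIISMachine.MyDomain.co.uk"],
    SQL_ACCOUNT: AFTER[SQL_ACCOUNT],
}


def report(name, accounts):
    result = audit(accounts, EXPECTED)
    print("== %s ==" % name)
    for acct, spns in result["missing"].items():
        for svc, host, port in spns:
            print("  missing on %s: %s/%s%s" % (acct, svc, host, ":" + port if port else ""))
    for (svc, host, port), accts in result["duplicates"].items():
        print("  duplicate %s/%s registered on: %s" % (svc, host, ", ".join(accts)))
    if not any(result["missing"].values()) and not result["duplicates"]:
        print("  ok")


if __name__ == "__main__":
    for name, snapshot in (("before", BEFORE), ("after", AFTER), ("conflict", CONFLICT)):
        report(name, snapshot)
```

Run it as-is to see the three states side by side; in practice, replace the constructed lists with the output of `setspn.exe -L` for the SQL service account and the IIS identity. The check is deliberately strict about the port: SQL Server's SPN must match the instance's listening port and FQDN, which is why the reply registers `MSSQLSvc/SQLSERVER.domain.com:1433` rather than a bare host SPN.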