RE: kerberos the story so far
- From: "Brandon McGarvey" <BrandonMcGarvey@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 18 Oct 2005 11:58:02 -0700
Did you get my reply on the message you posted yesterday? I encountered this
same issue, where my IIS front end server could not obtain a kerberos ticket
for the SQL back end. I was getting "Login failed for user 'null'".
It looks like you registered the SPN for the SQL service user account. Did
you make sure you granted the IIS server's domain account permissions to the
database?
To do this, create a new local group on the SQL server. Go into the group
like you are adding a user. In the "Select Users..." window, click the
"Object Types" button and check the "Computers" box and hit OK. Type in the
name of the IIS server below, and click "Check Names" to verify the object,
and hit OK to add the computer to the group. In SQL, simply grant that local
group whatever access rights (public, dbo, etc.) it needs to the database.
Now try to authenticate to the db from the IIS server.
"Laurence" wrote:
> Hi,
>
> I have been pulling my hair out for ages on this one, so please help.
>
> I am trying to connect to a SQL server through IIS using impersonation.
>
> I am sure I have done 99% of what is needed to do this and still can not get
> it to work.
>
> So what have I done.
>
> I have a pure 2003 domain
> I have DNS configured and working (as far as I can see correctly)
> I have set all the computers to be able to delegate
> I have set all the computer accounts to be able to delegate
> I have a web site based in windows sharepoint services that works quite
> happily when only doing a single hop.
> I have used the adsutil.vbs to set the NTAuthenticationProvider to
> Negotiate,NTLM
> I have made sure the SQL server service account has an SPN
>
> using ADSI edit on the service account user the servicePrincipalName looks
> like this
>
> MSSQLSvc/MYSQLServer.MyDomain.CO.UK:1433
>
> However when I try to do a double hop I get the dreaded 'Login failed for
> user (null)' - implying it's a double hop issue.
>
> I have set SPNs (I think) for all services and users.
>
> Using the Microsoft AuthDiag diagnostic tool (after much sorting out), I get
> no error messages for kerberos authentication. HOORAY!
>
> But I still can't get to the SQL server....AAAAAAAAAAAAHHH
>
> So where from here....
>
> 1). monitoring the IIS connection with the default login, it seems to be
> using Negotiate protocol but defaulting back to NTLM
> 2). If you force a kerberos windows login the IIS seems to use kerberos
>
> but I still don't know if I am getting a kerberos ticket issued ???
> or
> do I still not have rights from the iis machine \ a user to get to the sql
> server
>
> any assistance appreciated
>
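One thing neither post checks is whether the MSSQLSvc SPN is registered exactly once: an SPN must be unique in the forest, and a duplicate (for example one copy on the SQL service account and another on the SQL server's computer account) breaks Kerberos and shows up as exactly the silent fallback to NTLM described in point 1 above. The following is an added example, not code from either poster; it audits constructed `setspn -L` style listings (the account names and the computer-account entries are assumptions) for duplicate SPNs and for a missing FQDN:port SPN.

```python
from collections import defaultdict

# Constructed sample in the shape of `setspn -L <account>` output, one listing per
# account. The account names and the second listing are assumptions for this example;
# only the MSSQLSvc/MYSQLServer.MyDomain.CO.UK:1433 value comes from the thread.
SAMPLE_SETSPN_OUTPUT = {
    "MyDomain\\sqlsvc": """\
Registered ServicePrincipalNames for CN=sqlsvc,OU=Service Accounts,DC=MyDomain,DC=CO,DC=UK:
        MSSQLSvc/MYSQLServer.MyDomain.CO.UK:1433
""",
    "MyDomain\\MYSQLSERVER$": """\
Registered ServicePrincipalNames for CN=MYSQLSERVER,CN=Computers,DC=MyDomain,DC=CO,DC=UK:
        HOST/MYSQLSERVER
        HOST/MYSQLServer.MyDomain.CO.UK
        MSSQLSvc/mysqlserver.mydomain.co.uk:1433
""",
}


def parse_setspn(output):
    """Return the SPNs in one `setspn -L` listing, skipping the header line."""
    return [ln.strip() for ln in output.splitlines()
            if "/" in ln and not ln.startswith("Registered")]


def expected_sql_spns(fqdn, port=1433):
    """The SPN a SQL Server default instance needs for Kerberos: MSSQLSvc/<FQDN>:<port>."""
    return {f"MSSQLSvc/{fqdn}:{port}"}


def audit_spns(listings, fqdn, port=1433):
    """Map each SPN (case-insensitively) to the accounts that hold it, then report
    duplicates (held by more than one account) and expected SPNs nobody holds."""
    owners = defaultdict(set)
    for account, output in listings.items():
        for spn in parse_setspn(output):
            owners[spn.lower()].add(account)
    duplicates = {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}
    missing = sorted(s for s in expected_sql_spns(fqdn, port) if s.lower() not in owners)
    return {"duplicates": duplicates, "missing": missing}


if __name__ == "__main__":
    report = audit_spns(SAMPLE_SETSPN_OUTPUT, "MYSQLServer.MyDomain.CO.UK")
    for spn, accts in report["duplicates"].items():
        print(f"DUPLICATE {spn} held by {', '.join(accts)}")
    for spn in report["missing"]:
        print(f"MISSING   {spn}")
```

In the constructed sample the SQL SPN is held by both the service account and the computer account, so the audit flags it as a duplicate; removing the copy on the account that does not run the SQL service is the fix for that condition.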