Re: SPN creation

Will I need to create an SPN for the live SQL Server service account in order
for the website to access SQL using Kerberos? This is running under a
specific service account.

Thanks


"Joe Kaplan" wrote:

Are you needing to have Kerb auth to get Kerb delegation to the SQL backend?
If that's the case, then it is not actually needed to get Kerb auth on the
front end website to get Kerb delegation to the backend if your AD is 2003
native mode or higher. You can use "protocol transition" logon, which will
allow users authenticated via NTLM (or something else) to the front end to
use Kerb to access the backend. In the delegation tab you select "allowed to
delegate with any protocol" and configure the service to delegate to SQL.

That said, you can't have two service accounts that use the same host name
for an HTTP service and differ only by port number. The browser doesn't
form port-specific SPNs for HTTP, so this won't work. You'll need an
alternate host name for the second service account or will need to run all
the app pools as the same service account. The SPNs you would want created
on the service account in question would just be HTTP/FQDNofWebSite and
HTTP/shortnameofsite. Note that you really only need SPNs for the addresses
you use.

Kerb auth to SQL should work with the SPNs that get created when SQL is
installed if you run SQL as network service or SYSTEM. I would not
recommend using SYSTEM unless you absolutely have to. Try to run services
under least privilege accounts. SQL itself works fine under Network
Service. In any event, either of those local IDs will translate to the
computer account in the domain for Kerb purposes, so as long as the SQL SPNs
are on that account, Kerb should be fine.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
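As an added example (not Joe's or Phill's commands), here is a PowerShell session that performs the registrations the reply describes: HTTP/FQDN and HTTP/shortname on the one service account that serves a given host name, and MSSQLSvc/FQDN:port on the computer account of a SQL Server running as Network Service, with a forest-wide duplicate check before each add. All host, domain and account names are placeholders; it assumes setspn.exe is on the path of a domain-joined machine and, for the optional delegation step, that the ActiveDirectory module is installed.

```powershell
# Added example: register and verify the SPNs described in the reply above.
# Every name below is a placeholder for this example, not the poster's real servers.
$webHost     = 'webserver1'               # short name of the IIS host
$webFqdn     = 'webserver1.corp.example'
$webSvcAcct  = 'CORP\svc-web'             # the ONE account that may own HTTP/<webHost>
$sqlFqdn     = 'sqllive.corp.example'
$sqlPort     = 1198
$sqlComputer = 'CORP\SQLLIVE$'            # computer account: SQL runs as Network Service

function Test-SpnRegistered {
    # setspn -Q prints "Existing SPN found!" when any account in the forest holds
    # the SPN; we match on that text rather than relying on the exit code.
    param([string]$Spn)
    $out = & setspn.exe -Q $Spn 2>&1
    return [bool]($out -match 'Existing SPN found')
}

function Register-SpnIfMissing {
    param([string]$Spn, [string]$Account)
    if (Test-SpnRegistered $Spn) {
        # A second copy on another account would be a duplicate SPN and Kerberos
        # for that service name would fail, so show the current owner instead.
        Write-Warning "$Spn already exists in the forest; not adding it to $Account."
        & setspn.exe -Q $Spn
        return
    }
    # -S re-checks for duplicates immediately before writing.
    & setspn.exe -S $Spn $Account
}

# 1. HTTP SPNs. The browser asks for HTTP/<host it typed>, never HTTP/<host>:<port>,
#    so one host name maps to exactly one account no matter how many sites or ports.
Register-SpnIfMissing "HTTP/$webFqdn" $webSvcAcct
Register-SpnIfMissing "HTTP/$webHost" $webSvcAcct

# 2. SQL SPN. SQL running as Network Service or SYSTEM authenticates as the
#    computer account, so the MSSQLSvc SPN (with the instance port) lives there.
Register-SpnIfMissing "MSSQLSvc/${sqlFqdn}:$sqlPort" $sqlComputer

# 3. Review what each account holds, then scan the forest for duplicates.
& setspn.exe -L $webSvcAcct
& setspn.exe -L $sqlComputer
& setspn.exe -X

# 4. Optional: constrained delegation with protocol transition from the web
#    account to SQL (the "any protocol" choice on the Delegation tab).
Import-Module ActiveDirectory
Set-ADAccountControl -Identity 'svc-web' -TrustedToAuthForDelegation $true
Set-ADUser -Identity 'svc-web' -Add @{ 'msDS-AllowedToDelegateTo' = "MSSQLSvc/${sqlFqdn}:$sqlPort" }
```

Run it once per host name, not once per site: a second site on the same host and a different port must run under the same account (or get its own host name), which is exactly the constraint the reply states. The final `setspn -X` pass is worth keeping in a change checklist, since a duplicate SPN silently turns Kerberos into a failed logon or an NTLM fallback.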
"phill" <phill@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F185038A-38AA-42D0-83FB-B27B75DC5476@xxxxxxxxxxxxxxxx
Hi, here is hopefully more information:

1 server running 4 websites all running on different ports: 80, 1000, 1001 & 1002

2 of the websites will be connecting to the test SQL backend server. 2
websites will be connecting to the live SQL server. The developer informs me
that we need to use Kerberos.

Only 2 websites are running at the moment. They are both running under 2
separate service accounts. 1 website connects to the test SQL & 1 connects
to the live SQL.

What I have done so far:
created 2 SPNs for the test service account - HTTP/servername.fqdn &
HTTP/servername

On the test SQL I have created the SQL service & the SPN details are
MSSQLSvc/servername.fqdn:port
The SQL is running under Local System on the test server.

Is what I have done above correct? It seems to work but I also need to do
the same for the live website on the same server. This is using a different
service account, so if I created the above both for a different service
account would it be classed as a duplicate?

Thanks

Phill

"DaveMo" wrote:

On Feb 10, 4:42 am, phill <ph...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
"phill" wrote:
Hi,

I need to use Windows integrated security. The scenario is as
follows:

webserver named server1. On this web server a user has two service
accounts, service account 1 & 2. He wants to run the test website on
port 1000, the live website on port 80. These websites also connect to SQL
backend servers running on port 1199 & 1198.

The backend SQL is running as the Local System account.

I have read the articles on how to set this up but it does not seem
to work. Could anybody help please?

I have managed to get Kerberos working when connecting to the test
website. After, when I check the SQL backend I get a success audit but the
authentication package is Negotiate. Is this correct?


phill,


There are lots and lots of details missing here, and setting something
up like what you are doing is by necessity somewhat complicated.
Negotiate is the package for "Windows Integrated Authentication" but
it provides the functionality for both Kerb and NTLM. It depends on
what you are trying to do to know whether you need to know more about
what is happening.

HTH,
Dave
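Since Negotiate can resolve to either Kerberos or NTLM, the question Phill raises ("the authentication package is Negotiate, is this correct?") is best answered by asking SQL Server which scheme the session actually got. The PowerShell below is an added example, not code from anyone in this thread; it assumes sqlcmd.exe is installed, that the caller is logged on with a domain account, and that the SQL host runs Vista/2008 or later so that logons appear as Security event 4624 (the Server 2003-era event 540 is not handled here). The server name and port are placeholders.

```powershell
# Added example: check whether a SQL connection used Kerberos or fell back to NTLM.
$sqlServer = 'sqltest.corp.example,1199'   # host,port form accepted by sqlcmd -S

function Get-SqlAuthScheme {
    # sys.dm_exec_connections.auth_scheme is KERBEROS, NTLM or SQL for the current
    # session. -E = Windows auth, -h -1 = no column header, -W = trim padding.
    param([string]$Server)
    $rows = & sqlcmd.exe -S $Server -E -h -1 -W -Q `
        "SET NOCOUNT ON; SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID"
    $first = $rows | Where-Object { $_ -match '\S' } | Select-Object -First 1
    return ([string]$first).Trim()
}

function Get-RecentLogonPackages {
    # On the SQL host: the auth package behind each Negotiate logon, read from the
    # event's own XML so no field index has to be assumed. LogonType 3 (network)
    # is what a SQL client logon produces.
    param([int]$Count = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $Count |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $d.TargetUserName
                Type    = $d.LogonType
                Package = $d.AuthenticationPackageName   # Kerberos or NTLM
            }
        }
}

# From a client machine (e.g. the web server, as the app pool identity):
$scheme = Get-SqlAuthScheme $sqlServer
switch ($scheme) {
    'KERBEROS' { Write-Host "Kerberos in use against $sqlServer" }
    'NTLM'     { Write-Warning "Negotiate fell back to NTLM: confirm the MSSQLSvc SPN for this host and port (setspn -Q MSSQLSvc/<fqdn>:<port>) and the caller's ticket cache (klist)" }
    default    { Write-Warning "Unexpected auth_scheme '$scheme'" }
}

# On the SQL host itself:
Get-RecentLogonPackages | Where-Object { $_.Type -eq '3' } | Format-Table -AutoSize
```

Run the first check under the identity that actually opens the connection (the app pool account, not an interactive admin), because the ticket cache and SPN lookup are per logon session; a Kerberos result from an admin console says nothing about what the website's pool gets. The success audit showing Negotiate is expected; the per-logon package field is where Kerberos versus NTLM becomes visible.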
