
impersonation using kerberos


Laurence

Oct 17, 2005, 10:26:55 AM
Hi,

I have been pulling my hair out for ages on this one, so please help.

I am trying to connect to a SQL server through IIS using impersonation.

I am sure I have done 99% of what is needed to do this and still cannot get
it to work.

So what have I done.

I have a pure 2003 domain
I have DNS configured and working (as far as I can see, correctly)
I have set all the computers to be able to delegate
I have set all the computer accounts to be able to delegate
I have a web site based in Windows SharePoint Services that works quite
happily when only doing a single hop.

However, when I try to do a double hop I get the dreaded 'Login failed for
user (null)', implying it's a double-hop issue.

I have set SPNs (I think) for all services and users.

However, when using the Microsoft AuthDiag diagnostic tool, I get an error
saying 'Service principal name (SPN) for user 'MyDomain\MyUser' not found
in Active Directory'.

I have sorted all other impersonation error messages but not this one.

If I look at 'MyDomain\MyUser' using ADSI Edit, the servicePrincipalName
field contains

HOST/MyUser
HOST/MyUser.MyDomain
HTTP/MyIISMachine.MyDomain.co.uk

So is it that

1). The SPN is wrong - if so, what should it be?
2). The SPN is correct and the diag tool is reporting a different error?
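An added check (not part of the thread) for the SPN question above: given the URL users type and the SPNs registered on each account, it derives the HTTP SPN the browser's Kerberos client will request and reports whether that SPN is present exactly once and on the application-pool account. The SPN list for MyDomain\MyUser is the one shown in ADSI Edit above; the computer-account entry and the URL are constructed for the example.

```powershell
# Added example (not from the thread): given the SPNs registered on the
# application-pool account and the URL users type, work out which HTTP SPN the
# browser's Kerberos client will request and report whether it is present
# exactly once. The hashtable below is constructed from the post; on a live
# system replace it with the output of 'setspn -L <Domain\Account>'.

function Get-ExpectedHttpSpn {
    param([Parameter(Mandatory=$true)][string]$Url)
    # Kerberos clients build the SPN from the host part of the URL; the service
    # class is HTTP whether the scheme is http or https.
    $uri = [Uri]$Url
    $hostName = $uri.Host
    $spns = @("HTTP/$hostName")
    # Sites are usually reached both by FQDN and by short name, so report both.
    if ($hostName.Contains('.')) {
        $spns += "HTTP/$($hostName.Split('.')[0])"
    }
    return $spns
}

function Test-HttpSpnRegistration {
    param(
        [Parameter(Mandatory=$true)][string]$Url,
        # account name -> array of SPNs registered on that account
        [Parameter(Mandatory=$true)][hashtable]$SpnsByAccount,
        [Parameter(Mandatory=$true)][string]$AppPoolAccount
    )
    $results = @()
    foreach ($spn in Get-ExpectedHttpSpn -Url $Url) {
        # SPN comparison is case-insensitive, as is PowerShell's -contains.
        $owners = @($SpnsByAccount.Keys | Where-Object { $SpnsByAccount[$_] -contains $spn })
        if ($owners.Count -eq 0) { $status = 'MISSING' }
        elseif ($owners.Count -gt 1) { $status = 'DUPLICATE' }
        elseif ($owners[0] -ne $AppPoolAccount) { $status = 'WRONG ACCOUNT' }
        else { $status = 'OK' }
        $results += [pscustomobject]@{
            Spn          = $spn
            Status       = $status
            RegisteredOn = ($owners -join ', ')
        }
    }
    return $results
}

# Constructed sample: the SPN list Laurence showed in ADSI Edit, plus a
# hypothetical computer account for the IIS machine.
$sample = @{
    'MyDomain\MyUser'        = @('HOST/MyUser', 'HOST/MyUser.MyDomain', 'HTTP/MyIISMachine.MyDomain.co.uk')
    'MyDomain\MyIISMachine$' = @('HOST/MyIISMachine', 'HOST/MyIISMachine.MyDomain.co.uk')
}

Test-HttpSpnRegistration -Url 'http://MyIISMachine.MyDomain.co.uk/' `
    -SpnsByAccount $sample -AppPoolAccount 'MyDomain\MyUser' | Format-Table -AutoSize
```

With the sample data the FQDN SPN comes back OK and HTTP/MyIISMachine comes back MISSING. Two points the check encodes: the HOST/ SPNs on a computer account only stand in for HTTP when the application pool runs as Network Service or Local System, so once the pool runs as a domain account the HTTP SPNs must be on that account and on no other; and an SPN registered on two accounts leaves the KDC unable to issue a ticket, which the browser turns into an NTLM fallback and, two hops later, the same 'Login failed for user (null)'. IE also canonicalises a CNAME to the underlying A record name before building the SPN, so an alias needs the SPN for the real host name.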

Bernard Cheah [MVP]

Oct 17, 2005, 11:03:35 PM
Try this?
HOW TO: Troubleshoot Kerberos-Related Issues in IIS
http://support.microsoft.com/?id=326985

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://www.msmvps.com/bernard/


"Laurence" <lauren...@silversands.co.uk> wrote in message
news:ec%237Uby0...@TK2MSFTNGP12.phx.gbl...

Ken Schaefer

Oct 18, 2005, 12:15:08 AM
Hi,

When you install Sharepoint (any version), it changes the IIS configuration
so that NTLM is the only offered authN mechanism. Have you manually changed
this back to allow Kerberos authN to occur?

Cheers
Ken

"Laurence" <lauren...@silversands.co.uk> wrote in message
news:ec%237Uby0...@TK2MSFTNGP12.phx.gbl...


Laurence

Oct 18, 2005, 3:33:48 AM
Thanks for that Ken,

Yes I have used the adsutil.vbs to set the NTAuthenticationProvider to
Negotiate,NTLM

But that does not explain why the AuthDiag tool can not find the SPN my IIS
App Pool is running under.

"Ken Schaefer" <kenR...@THISadOpenStatic.com> wrote in message
news:unGOJq50...@TK2MSFTNGP15.phx.gbl...
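An added example (not from the thread, and not Microsoft's adsutil.vbs) for Ken's point that SharePoint leaves NTLM as the only provider and for the NTAuthenticationProviders fix Laurence applied: it reads the setting for every web site through the IIS 6 ADSI provider and can put it back to Negotiate,NTLM. It assumes Windows PowerShell running with administrative rights on the IIS 6 server; the W3SVC/<id>/Root paths are the metabase's standard layout.

```powershell
# Added example (not from the thread): list the NTAuthenticationProviders
# setting for each IIS 6 web site and flag sites that do not offer Negotiate
# (Kerberos), then optionally set "Negotiate,NTLM" on a site. Uses the IIS
# ADSI provider, so it must run on the IIS server as an administrator.

function Get-IisAuthProviders {
    $w3svc = [ADSI]'IIS://localhost/W3SVC'
    # Service-level value: what sites inherit when nothing is set on them.
    $serviceDefault = [string]$w3svc.NTAuthenticationProviders
    foreach ($site in $w3svc.psbase.Children) {
        if ($site.psbase.SchemaClassName -ne 'IIsWebServer') { continue }
        $root = [ADSI]"IIS://localhost/W3SVC/$($site.psbase.Name)/Root"
        $rootValue = [string]$root.NTAuthenticationProviders
        # An empty value at Root means the site inherits the service-level value
        # (Negotiate,NTLM on an unmodified IIS 6); SharePoint writes "NTLM" here.
        $effective = if ($rootValue -ne '') { $rootValue } else { $serviceDefault }
        [pscustomobject]@{
            SiteId          = $site.psbase.Name
            Description     = [string]$site.ServerComment
            Providers       = $effective
            KerberosOffered = ($effective -eq '' -or $effective -match 'Negotiate')
        }
    }
}

function Set-IisAuthProviders {
    param(
        [Parameter(Mandatory=$true)][string]$SiteId,
        [string]$Providers = 'Negotiate,NTLM'
    )
    # Same write as:
    #   cscript adsutil.vbs set w3svc/<SiteId>/root/NTAuthenticationProviders "Negotiate,NTLM"
    $root = [ADSI]"IIS://localhost/W3SVC/$SiteId/Root"
    $root.Put('NTAuthenticationProviders', $Providers)
    $root.SetInfo()
}

Get-IisAuthProviders | Format-Table -AutoSize
# To re-enable Kerberos on site 1 after SharePoint has switched it to NTLM:
# Set-IisAuthProviders -SiteId 1
```

The order of the providers matters: with Negotiate listed first, IE sends a Negotiate header and uses Kerberos when it can obtain a ticket, falling back to NTLM otherwise; with only NTLM listed, Kerberos is never attempted and constrained or unconstrained delegation can never work, whatever the SPNs say. On IIS 7 and later the same setting lives in the providers collection of system.webServer/security/authentication/windowsAuthentication rather than in the metabase.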

Ken Schaefer

Oct 18, 2005, 10:03:08 PM
Hi,

That SPN looks correct to me.

Another thing - I assume you are accessing the site via the FQDN you
registered using SetSPN? If so, did you add the website to IE's Intranet
security zone? IE will not attempt Kerberos authN for sites that are in the
Internet security zone.

Cheers
Ken

"Laurence" <lauren...@silversands.co.uk> wrote in message

news:eZOwIZ7...@tk2msftngp13.phx.gbl...


Laurence

Oct 20, 2005, 4:04:10 AM
Thanks again Ken,

I didn't know IE would not even attempt Kerberos in the Internet zone,
but I am running Trusted, so no cookie (excuse the pun). Any more thoughts
gratefully received.

"Ken Schaefer" <kenR...@THISadOpenStatic.com> wrote in message

news:eewaCFF1...@TK2MSFTNGP10.phx.gbl...

Laurence

Oct 20, 2005, 4:29:19 AM
One thing I have noticed is that running the AuthDiag tool on the SQL box says
that the Domain\IIS_WPG group does not have 'Impersonate a client after
authentication' privileges. This is a group policy setting, so how do I
set this for a domain\group on a specific server?


"Ken Schaefer" <kenR...@THISadOpenStatic.com> wrote in message

news:eewaCFF1...@TK2MSFTNGP10.phx.gbl...

Ken Schaefer

Oct 20, 2005, 10:44:13 PM
You will need to change the group policy object (or set another GPO at a
lower level that overrides the higher level one).

You can set this in local security policy (Start -> Run -> Secedit.msc, and
look in the User Rights Assignment node); however, any changes you make to
local security policy will be overridden by contradictory Group Policy
settings.

Cheers
Ken

"Laurence" <lauren...@silversands.co.uk> wrote in message

news:eyMdfBV1...@TK2MSFTNGP12.phx.gbl...
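An added example (not from the thread) for the user-right question above: it exports the effective local policy with secedit.exe, parses the [Privilege Rights] section and reports whether a given SID holds SeImpersonatePrivilege, the internal name of 'Impersonate a client after authentication'. The INF text embedded below is a constructed sample and the IIS_WPG SID is a placeholder; Export-LocalPolicyLines is what you would feed in on the real SQL server.

```powershell
# Added example (not from the thread): check whether a group holds the
# "Impersonate a client after authentication" right (SeImpersonatePrivilege)
# on the local server. secedit.exe exports the effective policy as an INF
# file; in [Privilege Rights] each right lists its holders as SIDs prefixed
# with '*'. The sample INF and the group SID below are constructed.

function Get-PrivilegeRightsFromInf {
    param([Parameter(Mandatory=$true)][string[]]$InfLines)
    # Returns a hashtable: privilege name -> array of SID strings
    $rights = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        if ($line -match '^\[(.+)\]') { $inSection = ($matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
        $sids = $matches[2].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ -ne '' }
        $rights[$matches[1]] = @($sids)
    }
    return $rights
}

function Test-ImpersonateRight {
    param(
        [Parameter(Mandatory=$true)][string[]]$InfLines,
        [Parameter(Mandatory=$true)][string]$Sid
    )
    $rights = Get-PrivilegeRightsFromInf -InfLines $InfLines
    $holders = @($rights['SeImpersonatePrivilege'])
    return ($holders -contains $Sid)
}

function Export-LocalPolicyLines {
    # Live use: export the effective policy (domain GPO settings included) and read it back.
    $tmp = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    Get-Content $tmp
}

# Constructed sample export: Administrators, SERVICE, LOCAL SERVICE and
# NETWORK SERVICE hold the right; the IIS_WPG group does not.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
SeServiceLogonRight = *S-1-5-20
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

# Placeholder SID for MyDomain\IIS_WPG; resolve the real one with
# (New-Object Security.Principal.NTAccount('MyDomain','IIS_WPG')).Translate([Security.Principal.SecurityIdentifier]).Value
$iisWpgSid = 'S-1-5-21-PLACEHOLDER-1005'
Test-ImpersonateRight -InfLines $sampleInf -Sid $iisWpgSid   # False for the sample above
```

Because the export reflects effective settings, a domain GPO that overrides the local policy (Ken's point) shows up in it. To grant the right on one server without touching the domain-wide GPO, add the group in a GPO linked to that server's OU under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment, run gpupdate /force, and re-run the export; running whoami /priv in a process that runs as the application-pool account is the quickest end-to-end confirmation.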


Ken Schaefer

Oct 20, 2005, 10:47:00 PM
I'll need to check about Trusted Sites zone. Try the Internet zone instead.

The reason is that Kerberos AuthN requires the client to contact the
Kerberos KDC (Key Distribution Center) to get the TGT (Ticket Granting
Ticket) and Service Tickets. In the Windows world, the KDC lives on the
domain controllers in the domain. Now, in an Internet scenario, how is the
client going to contact the DC? (a) Most DCs are blocked off by firewalls
from the internet and (b) the client needs to know about the appropriate DNS
server to contact (to look in the _msdcs zone) - public DNS servers do not
have this information. So, Kerberos will almost always fail in an Internet
scenario, so IE doesn't even attempt it. I'm not sure that an attempt will
be made in the Trusted Sites zone either, since TS doesn't automatically
equal "intranet".

Cheers
Ken

"Laurence" <lauren...@silversands.co.uk> wrote in message

news:%23HB6bzU...@TK2MSFTNGP10.phx.gbl...

