L
Laurence
Hi,
I have been pulling my hair out for ages on this one, so please help.
I am trying to connect to a SQL server throu IIS using impersonation.
I am sure I have done 99% of what is needed to do this and still can not get
it to work.
So what have I done.
I have a pure 2003 domain
I have DNS configured and working (as far as I can see correctly)
I have set all the computers to be able to delegat
I have set all the computer accounts to be able to delegate
I have a web site based in windows sharepoint services that works quite
happily when only doing a single hop.
I have used the adsutil.vbs to set the NTAuthenticationProvider to
Negotiate,NTLM
I have made sure the SQL server service account has an SPN
using ADSI edit on the service account user the servicePrincipalName looks
like this
MSSQLSvc/MYSQLServer.MyDomain.CO.UK:1433
However when I try to do a double hop I get the dreaded 'Login failed for
user (null)' - imlpying its a double hop issue.
I have set SPN's (I think) for all services and users.
Using the Microsoft AuthDiag diagnostic tool (after much sorting out), I get
no error messages for keberos authentication. HOORAY!
But I still can't get to the SQL server....AAAAAAAAAAAAHHH
So where from here....
1). monitoring the IIS connection with the default login, it seems to be
using Negotiate protocol but defaulting back to NTLM
2). If you force a kerberos windows login the IIS seems to use kerberos
bot I still don't know if I am getting a kerberos ticket issued ???
or
do I still not have rights from the iis machine \ a user to get to the sql
server
any assistance appreciated
I have been pulling my hair out for ages on this one, so please help.
I am trying to connect to a SQL server throu IIS using impersonation.
I am sure I have done 99% of what is needed to do this and still can not get
it to work.
So what have I done.
I have a pure 2003 domain
I have DNS configured and working (as far as I can see correctly)
I have set all the computers to be able to delegat
I have set all the computer accounts to be able to delegate
I have a web site based in windows sharepoint services that works quite
happily when only doing a single hop.
I have used the adsutil.vbs to set the NTAuthenticationProvider to
Negotiate,NTLM
I have made sure the SQL server service account has an SPN
using ADSI edit on the service account user the servicePrincipalName looks
like this
MSSQLSvc/MYSQLServer.MyDomain.CO.UK:1433
However when I try to do a double hop I get the dreaded 'Login failed for
user (null)' - imlpying its a double hop issue.
I have set SPN's (I think) for all services and users.
Using the Microsoft AuthDiag diagnostic tool (after much sorting out), I get
no error messages for keberos authentication. HOORAY!
But I still can't get to the SQL server....AAAAAAAAAAAAHHH
So where from here....
1). monitoring the IIS connection with the default login, it seems to be
using Negotiate protocol but defaulting back to NTLM
2). If you force a kerberos windows login the IIS seems to use kerberos
bot I still don't know if I am getting a kerberos ticket issued ???
or
do I still not have rights from the iis machine \ a user to get to the sql
server
any assistance appreciated