impersonation

N

Noël Thoelen

I would like to use KERBEROS delegation to access an SQL Server database
from an ASP.NET application.
So, I have set up a website, disabled anonymous access and checked the
windows integrated security.
In the ASP.NET applicatie, the web config file contains
<authentication mode="Windows" />
<identity impersonate="true" />
Both the IIS and the SQL server are part of a domain. So, when I browse to
the site using an domain account
the site will open fine. However, when i try to open a database connection
using the 'Integrated security=SSPI option i always get the error:
Login failed for user '(null)'. Reason: Not associated with a trusted SQL
Server connection.
When I open the database by using SQL authentication, everything works fine.
On the IIS, the Webservice is running under local system account, and so is
the SQL Server.
In AD I have set the 'Trust computer for delegation' flag for both the IIS
and the SQL as stated in the 'Troubleshoot KERBEROS delegation' document,
but still without any luck

Does somebody has encountered this problem already ?
 
N

Noël Thoelen

I was looking around in some of the other posts in this newsgoup and
something came up to me.
I am using an lmhost file to reach the site. So, the site is not reached
using DNS. Could this be the problem ?
 
K

Ken Schaefer

If you are accessing the site using a name other than registered name, you
will need to use setSPN.exe and register a new service principal name:
http://support.microsoft.com/?id=294382

Other things you should read/use to troubleshoot the issue:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
-and-
http://www.microsoft.com/downloads/...77-4a21-4066-bd22-b931f7572e9a&DisplayLang=en

You basically need to work your way thoroughly from client through to
backend SQL Server to make sure everything is setup correctly, eg is IE
configured to use Kerberos? is IIS sending appropriate authentication
headers? are SPNs registered correctly? Is delegation enabled properly? etc

Cheers
Ken
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Delegation / Impersonation problem 0
Can't get Impersonation / delegation to work 2
problem connecting to dbase from webservice with impersonation 11
Impersonation, Delegation & SQL Server 2
Impersonation and double hop 3
Impersonation and delegation 1
Impersonation with SQL Server SSPI 3
Impersonation fails on intranet site 0

Members online

Total: 27 (members: 2, guests: 25)
Robots: 456

Forum statistics

Threads
473,770
Messages
2,569,583
Members
45,075
Latest member
MakersCBDBloodSupport

Latest Threads

Top