Delegation: the usual double hop question...

JimLad

In advance, sorry if this is the wrong group...

SQL Server 2000 SP3 on Server 2003. SQL Account and Computer both
Trusted for Delegation. Given SPN.

IIS 5.0 on W2000. Kerberos enabled. Computer Trusted for Delegation.
Integrated Windows Authentication selected. Medium pooled. Not the
default website - using IP address to connect from client.
IWAN_<computername> local account is running as part of operating
system and trusted for delegation. (Does anything need to be SPN'd?)

ASP App using trusted ADO connections (impersonation by default as
classic ASP)

User (me) Trusted for Delegation on a client XPSP2 machine. IE6
Kerberos enabled. Proxy bypassed for local addresses.

Getting the classic Double Hop. Any ideas???? You'd think there'd be
some better error messages!

Cheers,

James
 
JimLad

Hi Ken,

Thanks but I've been through a lot of the Microsoft documentation.
Incidentally the most useful was:

http://www.microsoft.com/technet/pr...003/technologies/security/tkerbdel.mspx#ETUAG


Some specific questions: -

I have seen a lot written about using FQDNs for Kerberos.
Does this mean that in my ADO and ADO.NET connection strings I need to
specify a fuller ServerName?

Can I use IP addresses and ports with Kerberos?
i.e. I think I can use these:
http://computername.domainname
http://hostname
but can I use these?
http://IPAddress
http://computername.domainname:81
http://computername

I am running IIS5.0 and IIS6.0 (different web servers but both need to
delegate), so need answers for both of these. I am running apps medium
pooled and probably running services using the default accounts.

So I am a little unclear on what SPNs I need to register for IIS, ASP,
ASP.NET etc. Currently only the 2 server SPNs (FQDN and NetBIOS) are
registered. And also what accounts I need to change security settings
on?

Oh and while we're talking about this, I suppose you can use delegation
with SQL Virtual Directories? Otherwise this is all pointless.

Cheers,

James
 
Ken Cox [Microsoft MVP]

Hi Jim,

You're probably better off to post this in the Security newsgroup where they
deal with permissions all the time.

Ken
 
