Weird delegation behaviour

[Sir W]

I'm currently facing a weird impersonation/delegation issue.

I have a very simple web form opening a SQL Connection to a SQL Server
database sitting on a different server and requesting a simple SELECT
query. The web form uses Windows authentication and Impersonation and
seems to work quite well but on two clients. When the web form is
accessed from those two clients, the worker process correctly
impersonates the user (at least,
System.Security.Principal.WindowsIdentity.GetCurrent().Name gives the
expected result) but the SQL Connection Open method always fails with
"Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" error.

We tried different users on those two clients with the same result: it
appears that impersonation doesn't work from those two clients. What is
driving me crazy is that after a succesful Windows authentication, it
should be up to the server to do the impersonation and the delegation,
so the client shouldn't be involved in the process.

Is it possible for a client to request a ticket not valid for
delegation?
Any ideas how to troubleshoot the issue?

TIA,

Andrea

 

[Joe Kaplan \(MVP - ADSI\)]

Is it possible that those two users are authenticating with NTLM instead of
Kerberos? That would break delegation.

If you enable logon auditing (success and failure) on the web server and
check the security event log, you should see what type of logon was
performed.

A packet sniffer like Ethereal should also be able to tell you.

Joe K.

 

[Sir W]

Is it possible that those two users are authenticating with NTLM instead of
Kerberos? That would break delegation.

Joe,

you're absolutely right, thanks! I completely forgot there was a life
before Kerberos!

Thanks again,

Andrea