Monday, April 21, 2008

Kerberos authentication & delegation for SQL Server & IIS

To use Kerberos authentication

All computers must be in the same Active Directory forest or in domains in separate forests with trust relationships.
You must configure the Web server or application server machine accounts in Active Directory for delegation. Alternatively, if your ASP.NET application runs under a specific custom domain account, you can configure the domain account for delegation.
IIS must be configured for Windows authentication, or for certificate authentication with certificate mapping.
You must enable impersonation in your application's Web.config (see "How to impersonate the original caller").

http://www.securityguidanceshare.com/wiki/ASP.NET_2.0_Security_Questions_and_Answers_-_Impersonation_/_Delegation

Check the SPNs registered on a machine account:
setspn -L Machine_Name
Register the HTTP SPN for the site's DNS name on the web server's machine account (first argument is the DNS host name, second is the NetBIOS machine name) [this is the one I used to make Reporting Services work]:
setspn -A http/www.microsoft.com webserver1
Check the IIS authentication providers (the value should include Negotiate; if it is only NTLM, IIS never requests a Kerberos ticket):
cscript c:\InetPub\Adminscripts\adsutil.vbs get w3svc/NTAuthenticationProviders

Grant delegation permission to the SQL Server service account (the domain user account it runs as, if it does not run as LocalSystem).

How to use Kerberos authentication in SQL Server
http://support.microsoft.com/kb/319723/en-us
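The checks above (SPN present and unique, delegation enabled on the account, Negotiate offered by IIS, impersonation on in Web.config) can be run from one script. The following PowerShell audit is an added example, not code from the original post; it assumes the ActiveDirectory module from RSAT, read access to the domain, the adsutil.vbs path used above, and the placeholder account, host and Web.config names in its parameters, which you replace with your own. For a machine account pass the name with its trailing dollar sign (for example 'webserver1$'). It also reports whether delegation is unconstrained or constrained, since constrained delegation to the SQL Server SPN alone limits what a compromised web server could impersonate the caller to.

```powershell
# Kerberos delegation audit for an IIS -> SQL Server double hop (added example).
# Assumes: ActiveDirectory module (RSAT), a domain user that can read AD, and the
# placeholder names below. Pass a machine account with a trailing $, e.g. 'webserver1$'.
param(
    [string]$ServiceAccount = 'svc-webapp',            # placeholder: IIS app pool / ASP.NET identity
    [string]$WebHost        = 'www.example.com',       # placeholder: DNS name users browse to
    [string]$SqlHost        = 'sql01.example.com',     # placeholder: SQL Server FQDN, default instance
    [string]$WebConfig      = 'C:\inetpub\wwwroot\app\web.config'   # placeholder path
)
Import-Module ActiveDirectory

$acct = Get-ADObject -LDAPFilter "(sAMAccountName=$ServiceAccount)" `
            -Properties servicePrincipalName, userAccountControl, 'msDS-AllowedToDelegateTo'
if (-not $acct) { throw "Account '$ServiceAccount' not found in AD" }

# 1. SPNs: exactly one account must hold each HTTP SPN. Missing -> clients fall back
#    to NTLM, which cannot be delegated; duplicated -> the KDC encrypts the ticket with
#    the wrong key and authentication fails outright.
$expected = @("HTTP/$WebHost", "HTTP/$($WebHost.Split('.')[0])")
foreach ($spn in $expected) {
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    $names   = ($holders | ForEach-Object { $_.Name }) -join ', '
    if ($holders.Count -eq 0) {
        "MISSING    $spn   (register it: setspn -A $spn $($ServiceAccount.TrimEnd('$')))"
    } elseif ($holders.Count -gt 1) {
        "DUPLICATE  $spn   held by: $names  (remove it from all but one account)"
    } elseif ($holders[0].DistinguishedName -ne $acct.DistinguishedName) {
        "WRONG ACCT $spn   held by $names, not $ServiceAccount"
    } else {
        "OK         $spn"
    }
}

# 2. Delegation: unconstrained (userAccountControl TRUSTED_FOR_DELEGATION bit) lets the
#    account impersonate callers to any service; constrained (msDS-AllowedToDelegateTo)
#    limits it to the listed SPNs, which is what you want for the hop to SQL Server.
$TRUSTED_FOR_DELEGATION = 0x80000
$unconstrained = ($acct.userAccountControl -band $TRUSTED_FOR_DELEGATION) -ne 0
$allowedTo     = @($acct.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
$sqlSpn        = "MSSQLSvc/$($SqlHost):1433"
if ($allowedTo.Count -gt 0) {
    "CONSTRAINED delegation allowed to: $($allowedTo -join ', ')"
    if ($allowedTo -notcontains $sqlSpn) {
        "WARNING    $sqlSpn is not in the allowed list; the hop to SQL Server will fail"
    }
} elseif ($unconstrained) {
    "WARNING    unconstrained delegation on $ServiceAccount; prefer constrained delegation to $sqlSpn only"
} else {
    "NOT SET    delegation is off; IIS cannot pass the caller's identity on to SQL Server"
}

# 3. IIS must offer Negotiate; a value of just "NTLM" means no Kerberos ticket is requested.
$adsutil = 'C:\Inetpub\AdminScripts\adsutil.vbs'
if (Test-Path $adsutil) {
    $providers = (cscript //nologo $adsutil get w3svc/NTAuthenticationProviders) -join ' '
    if ($providers -match 'Negotiate') { "OK         IIS providers: $providers" }
    else { "WARNING    IIS providers: $providers (set NTAuthenticationProviders to 'Negotiate,NTLM')" }
}

# 4. Web.config: Windows authentication plus impersonation, so the worker thread
#    carries the caller's token when it opens the SQL connection.
if (Test-Path $WebConfig) {
    [xml]$cfg = (Get-Content $WebConfig) -join "`n"
    $mode = $cfg.configuration.'system.web'.authentication.mode
    $imp  = $cfg.configuration.'system.web'.identity.impersonate
    if ($mode -eq 'Windows' -and $imp -eq 'true') {
        "OK         web.config: authentication mode=$mode, impersonate=$imp"
    } else {
        "WARNING    web.config: mode='$mode' impersonate='$imp'; need authentication mode=Windows and identity impersonate=true"
    }
}
```

Run it on the web server as a domain user (for example `.\Check-KerbDelegation.ps1 -ServiceAccount 'webserver1$' -WebHost 'www.example.com' -SqlHost 'sql01.example.com'`) and read the report top to bottom: an SPN problem in step 1 explains a 401.1 or an NTLM fallback before delegation is even consulted, and a "NOT SET" in step 2 explains the classic anonymous-logon failure at SQL Server even though the web site itself authenticates fine.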

1 comment:

George Wen said...

Two additional useful articles:
You receive an "HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials" error message when you try to access a Web site that is part of an IIS 6.0 application pool
http://support.microsoft.com/?id=871179
You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or IIS 6
http://support.microsoft.com/?kbid=896861