Iis – Kerberos constrained delegation not working

active-directorydelegationiissql

I have a typical double hop scenario, User ->IIS->SQL.

I am using IIS 7.5, which is using Kernal Model Authentication, so I am setting up the IIS server account for delegation.

If I set this to "Trust this computer for delegation to any service"
enter image description here

Then it works fine. However, I would like to use constrained delegation to work. I have setup SPN's for the SQL server (for both SQLServer and SQLServer.domain.com) and tested the setup using DelegConfig, which says it is fine, but it does not work.

Does anyone know of a way to see what SPN is being used when I run this with Unconstrained delegation, so I can set this up for constrained? Or any other solutions?

Best Answer

I would enable Kerberos logging on the IIS machine. This surfaces a lot of helpful information, including SPN's and related errors. Takes effect without a restart on Windows Server 2008.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"LogLevel"=dword:00000001

NetMon may also show SPN's.

Are the IIS and SQL servers in the same AD Domain?

Related Solutions

Sql-server – Set up delegation trust for domain user

Generally you need to register both the FQDN SPN and the Netbios name SPN: MSSQLSvc/svra.mydomain.com:1433 AND MSSQLSvc/svra:1433

For the secondary instance (inst2) you need an SPN for that instance's TCP port MSSQLSvc/svra:1500 (for example)

Also, if the SQL Server service process runs under a domain account you need to specify that as well, eg

MSSQLSvc/svra.mydomain.com:1433

Note that if you run the SQL Server service process as LOCALSYSTEM, these SPNs are created automatically.

Finally, you need to set the "Trusted for delegation" flag on the IIS server's computer account in the domain.

Constrained Delegation works if App Pool is Local System but not if Network Service in IIS 7

I believe I have found the resolution - if I set the useAppPoolCredentials property of system.webServer/security/authentication/windowsAuthentication to "true" then the AppPool with NetworkService works fine with the Constrained Delegation.

Tested on both Windows Server 2008 and 2008 R2.

I am unsure why this is, and I did find it very hard to get really clear documentation on what this setting does and how it may effect this situation. You can set this value through the Configuration Editor in IIS Manager for IIS on 2008 R2.
Or use the following command (only way I found to do it for 2008 (not R2)):

%windir%\system32\inetsrv\appcmd set config "Default Web Site/MyApplication" /section:system.webServer/security/authentication/windowsAuthentication /useAppPoolCredentials:true /commit:MACHINE/WEBROOT/APPHOST

Best Answer

Related Solutions

Sql-server – Set up delegation trust for domain user

Constrained Delegation works if App Pool is Local System but not if Network Service in IIS 7

Related Topic