Friday, March 9, 2012

Kerberos Delegation win2k3 AD/IIS/SQLSERVER separate machines

We have 3 separate machines, all win2k3. One is the DC with AD, one with an
IIS server and one with a SQL Server 2000. The IIS server is configured with
"Integrated security". We want only domain users to get on the local website
and to have their credentials impersonated to the SQL Server, which also
checks the accounts.
I'm trying for a few days now, but I can't get this security model to work.
I use this MSDN document for troubleshooting:
http://www.microsoft.com/technet/pr...y/tkerbdel.mspx
I've been searching Google for the error: Login failed for user '(null)'.
Reason: Not associated with a trusted SQL Server connection
Nothing helps.
So far I checked all SPNs for the 3 machines, made sure the machines were
trusted for delegation, made sure the users are OK for delegation, added the
correct logons on the SQL Server, edited the machine.config with impersonate
= true, and tried various connection strings including trusted_connection=yes
and integrated security=SSPI.
Any suggestions are appreciated.

Follow the troubleshooting steps in this article.
319723 INF: SQL Server 2000 Kerberos support including SQL Server virtual
http://support.microsoft.com/?id=319723
The three tools you need to resolve/troubleshoot this are:
1. Kerbtray
2. Network Monitor
3. Netdiag
You'll want to enable Kerberos logging on IIS as well.
You need to first make sure a web client can authenticate to IIS via
Kerberos. If this isn't working (this is the first hop), then everything
else will fail.
Hope this helps.
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.

Well, so far I got the Kerberos to the IIS server working.
The test page gives me Negotiate and a domain username when I open it from a
remote machine.
The SQL Server won't get the Kerberos ticket though.
On my IIS machine I see the following tickets:
host/iisserver.domain.local
krbtgt/domain.local
So that should be OK, I guess.
The SQL Server is upgraded with SP3 and on TCP/IP connection only.
I set the SPN MSSQLSvc/sqlserver.domain.local:1433, though I presume that's
not necessary; it runs on a local admin account and is the only one in the
domain.
I gave domain users full control on all tables for testing ...
Does anyone have a suggestion on how to correctly debug the connection
between the IIS and the SQL server?
"Kevin McDonnell [MSFT]" <kevmc@.online.microsoft.com> wrote in message
news:EcrzgqQGFHA.1136@.TK2MSFTNGXA02.phx.gbl...
> Follow the troubleshooting steps in this article.
> 319723 INF: SQL Server 2000 Kerberos support including SQL Server virtual
> http://support.microsoft.com/?id=319723
> The three tools you need to resolve/troubleshoot this are:
> 1. Kerbtray
> 2. Network Monitor
> 3. Netdiag
> You'll want to enable Kerberos logging on IIS as well.
> You need to first make sure a web client can authenticate to IIS via
> Kerberos. If this isn't working (this is the first hop), then everything
> else will fail.
> Hope this helps.
> Kevin McDonnell
> Microsoft Corporation
> This posting is provided AS IS with no warranties, and confers no rights.
>
>

Yes. Check the DC logs for errors like duplicate SPNs. The problem with
this message is that it doesn't tell you where the duplicates are or with
what account. To do some more digging, there's also a quick query you can
run to check for duplicate SPNs:
ldifde -d "CN=Users,DC=<betaland>" -l servicePrincipalName -F <NewoutputUsers>.txt
This syntax creates a file named NewoutputUsers.txt that contains information
that is similar to the output in the "Domain level output of NewouputUsers.txt"
section in this article.
Then check the output for multiple references to your SQL Server hostname.
Last step is to make a network trace and look for Kerberos failures. Run
the trace from IIS and capture all the traffic to SQL.
Thanks,
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.
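The duplicate-SPN check described in the reply above (export servicePrincipalName with ldifde, then look for the same SPN on more than one account) is easy to get wrong by eye, because ldifde folds long values onto continuation lines and may base64-encode some of them, and because SPN comparison is case-insensitive. The following script is an added example written for this page, not code from the thread or from Microsoft: it parses an ldifde-style export, unfolds and decodes values, and reports any SPN registered on more than one account. SAMPLE_LDIF is a constructed export (the DNs, account names and SPNs in it are invented) in which the MSSQLSvc SPN from the question is registered on both the SQL service account and the computer account, the condition that prevents the KDC from issuing a usable service ticket; run it against your own NewoutputUsers.txt instead.

```python
import base64
import sys
from collections import defaultdict

# Constructed sample of ldifde output (not a real export). The SQL SPN with
# port 1433 appears on two accounts, once in different letter case; the HTTP
# SPN is folded across two lines the way ldifde wraps long values.
SAMPLE_LDIF = """\
dn: CN=SQLSvc,CN=Users,DC=domain,DC=local
changetype: add
servicePrincipalName: MSSQLSvc/sqlserver.domain.local:1433
servicePrincipalName: MSSQLSvc/sqlserver.domain.local

dn: CN=SQLSERVER,CN=Computers,DC=domain,DC=local
changetype: add
servicePrincipalName: HOST/SQLSERVER
servicePrincipalName: HOST/sqlserver.domain.local
servicePrincipalName: mssqlsvc/SQLSERVER.domain.local:1433

dn: CN=IISSERVER,CN=Computers,DC=domain,DC=local
changetype: add
servicePrincipalName: HOST/IISSERVER
servicePrincipalName: HOST/iisserver.domain.local
servicePrincipalName: HTTP/iisserver.domain.loc
 al
"""


def parse_ldif(text):
    """Return a list of (dn, [spn, ...]) tuples, one per LDIF entry.

    Handles LDIF line folding (a continuation line starts with one space)
    and base64-encoded values (attribute written as 'name:: value').
    """
    # Step 1: unfold continuation lines into the logical line they belong to.
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    # Step 2: walk logical lines; a blank line terminates an entry.
    entries = []
    dn, spns = None, []
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries.append((dn, spns))
            dn, spns = None, []
            continue
        if line.startswith("#"):          # LDIF comment
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):         # 'attr:: base64' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "serviceprincipalname":
            spns.append(value)
    return entries


def find_duplicate_spns(text):
    """Map each SPN (lower-cased, since AD compares SPNs case-insensitively)
    to the list of DNs that register it, keeping only SPNs with >1 owner."""
    owners = defaultdict(list)
    for dn, spns in parse_ldif(text):
        for spn in spns:
            owners[spn.lower()].append(dn)
    return {spn: dns for spn, dns in owners.items() if len(dns) > 1}


def spn_owners(text, spn):
    """Return the DNs that register exactly this SPN (case-insensitive),
    e.g. to confirm the MSSQLSvc SPN sits on the account SQL runs as."""
    wanted = spn.lower()
    return [dn for dn, spns in parse_ldif(text)
            if wanted in (s.lower() for s in spns)]


if __name__ == "__main__":
    # Usage: python spncheck.py NewoutputUsers.txt   (falls back to the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LDIF
    dups = find_duplicate_spns(text)
    if not dups:
        print("no duplicate SPNs found")
    for spn, dns in dups.items():
        print("DUPLICATE SPN:", spn)
        for dn in dns:
            print("   registered on", dn)
```

The report names the SPN and every account carrying it, which is exactly the information the "duplicate SPN" event in the DC log omits; once the duplicate is removed, spn_owners() is a quick way to confirm that the MSSQLSvc SPN is left only on the account the SQL Server service actually runs as.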
