
I have a typical double hop scenario, User ->IIS->SQL.

I am using IIS 7.5, which is using Kernel Mode Authentication, so I am setting up the IIS server account for delegation.

If I set this to "Trust this computer for delegation to any service" (screenshot omitted),

then it works fine. However, I would like to get constrained delegation to work. I have set up SPNs for the SQL server (for both SQLServer and SQLServer.domain.com) and tested the setup using DelegConfig, which says it is fine, but it does not work.

Does anyone know of a way to see what SPN is being used when I run this with Unconstrained delegation, so I can set this up for constrained? Or any other solutions?

Sam Cogan

2 Answers


I would enable Kerberos logging on the IIS machine. This surfaces a lot of helpful information, including SPNs and related errors. It takes effect without a restart on Windows Server 2008.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"LogLevel"=dword:00000001

NetMon may also show SPNs.

Are the IIS and SQL servers in the same AD Domain?

Greg Askew
  • Yes, they are on the same domain. Will check logging now. – Sam Cogan Feb 21 '11 at 12:01
  • I would second NetMon or Wireshark, as you can specifically target the Kerberos protocol packets using the built-in display filter and get all the SPNs and whether they succeed or not. – KAPes Feb 21 '11 at 18:17

Can you post the SPNs you set for SQL? Have you confirmed they're set on the computer account (if SQL is running as Network Service/Local System) or the service account otherwise?

Brian Desmond
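Pulling the two answers together, here is an added PowerShell check (not code from the question or either answer) that turns on the Kerberos logging from the first answer and then inspects the directory objects the second answer asks about: the MSSQLSvc SPNs on the SQL account and the delegation settings on the IIS computer account. The host names, DNS name and account name are placeholders, and it assumes a default SQL instance on port 1433.

```powershell
# Added example, not from the question or either answer. Placeholders below must be
# replaced with the real IIS computer, SQL computer/service account and SQL DNS name.
$IisHost       = 'IISSERVER'               # placeholder: IIS front-end computer name
$SqlHost       = 'SQLSERVER'               # placeholder: SQL Server computer name
$SqlDnsName    = 'sqlserver.domain.com'    # placeholder: FQDN used in the connection string
$SqlAccountSam = "$SqlHost`$"              # computer account if SQL runs as Network Service /
                                           # Local System; otherwise the service account, e.g. 'svc-sql'

# 1. Kerberos event logging (the LogLevel value from the first answer). Failures such as
#    KDC_ERR_S_PRINCIPAL_UNKNOWN then appear in the System log, source "Kerberos", together
#    with the SPN that was requested. Set LogLevel back to 0 when finished.
$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
Set-ItemProperty -Path $KerbParams -Name LogLevel -Value 1 -Type DWord

function Get-AdObjectBySam {
    # Resolve one AD object by sAMAccountName with the built-in ADSI searcher (no RSAT needed).
    param([string]$SamAccountName)
    $s = [ADSISearcher]"(sAMAccountName=$SamAccountName)"
    $s.PropertiesToLoad.AddRange([string[]]@('servicePrincipalName', 'msDS-AllowedToDelegateTo', 'userAccountControl'))
    $s.FindOne()
}

# 2. SPNs the IIS worker requests for a default SQL instance (assumption: port 1433).
$expected = @("MSSQLSvc/$($SqlDnsName):1433", "MSSQLSvc/$($SqlHost):1433")

$sqlObj = Get-AdObjectBySam $SqlAccountSam
if (-not $sqlObj) { throw "Account $SqlAccountSam not found" }
$sqlSpns = @($sqlObj.Properties['serviceprincipalname'])
foreach ($spn in $expected) {
    $state = if ($sqlSpns -contains $spn) { 'present' } else { 'MISSING' }
    Write-Host ("SQL account {0}: {1} {2}" -f $SqlAccountSam, $spn, $state)
}

# 3. Delegation settings on the IIS computer account, which is the account that matters
#    when kernel-mode authentication decrypts the tickets.
$iisObj = Get-AdObjectBySam "$IisHost`$"
if (-not $iisObj) { throw "Account $IisHost`$ not found" }
$uac           = [int]$iisObj.Properties['useraccountcontrol'][0]
$unconstrained = ($uac -band 0x80000) -ne 0     # TRUSTED_FOR_DELEGATION = "any service"
$allowedTo     = @($iisObj.Properties['msds-allowedtodelegateto'])
Write-Host ("IIS account unconstrained delegation: {0}" -f $unconstrained)
foreach ($spn in $expected) {
    $state = if ($allowedTo -contains $spn) { 'allowed' } else { 'NOT in msDS-AllowedToDelegateTo' }
    Write-Host ("IIS account constrained target {0}: {1}" -f $spn, $state)
}
```

If a target SPN is present on the SQL account but absent from msDS-AllowedToDelegateTo, the Kerberos event log on the IIS box should show the S4U2Proxy request for exactly that SPN being refused.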