3

WHAT I WANT: An App running on an IIS Server SQL running on SQLServer

And my user running the site on thier machine and connecting to SQL using their credentials.

WHAT I HAVE SET UP: I have 3 machines 1 running AD (ADMachine), 1 running SQL Server (mySQLSERVER) and one running IIS (MyIIS).

I have a site on IIS running under the Default Website which navigates to http://MySite/MyApp

I have an app pool with a custom identify of MyDomain\MyServiceUser

have set up 2 SPN's using setspn -a HTTP/mySite MyDomain\MyServiceUser setspn -a HTTP/mySite/MyApp MyDomain\MyServiceUser

MY ISSUE: Error: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON' on the page that connects to SQL

I have set up this test page on my site, and am getting an Authentication Method of Negotiate(NTLM) and not Negotiate(Kerberos) http://blogs.msdn.com/b/friis/archive/2013/01/08/asp-net-authentication-test-page.aspx

To confuse matters even more, Kerberos is correctly used when fiddler is open, and stops being used when fiddler is closed.

Todd Wilcox
  • 2,831
  • 2
  • 19
  • 31
Noreen
  • 31
  • 1
  • 3
  • Have you run the DelegConfig utility? http://blogs.msdn.com/b/chaun/archive/2013/09/15/some-tips-on-setting-up-the-delegconfig-tool.aspx – Greg Askew Feb 16 '15 at 15:38
  • I have tried, but it doesn't seem to work, all the documentation is for lower versions of IIS than 8 so not sure if that is why. – Noreen Feb 16 '15 at 15:39

1 Answers1

1

Windows design issue, it's a negotiation issue, you can go for Kerberos only in authentication(and adapt the clients to that) or configure IIS for both. An extensive guide has been published here http://blogs.msdn.com/b/chiranth/archive/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis.aspx

Alex H
  • 1,814
  • 11
  • 18
  • To add insult to injury my site works correctly if I have fiddler open. I need the authentication to be Kerberos in order for this to work. – Noreen Feb 16 '15 at 15:34
  • 1
    This covers IIS 6 and IIS 5, I am using IIS 8 – Noreen Feb 16 '15 at 15:40
  • http://blogs.msdn.com/b/chiranth/archive/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis.aspx just put it to negotiate afterwards. It's for IIS 7/ 7.5 from what I've seen but you will have no issues for 8. – Alex H Feb 16 '15 at 16:08
  • Here you can see some troubleshooting tips http://developers.de/blogs/damir_dobric/archive/2009/08/16/configuring-and-troubleshooting-ntlm-and-kerberos-on-windows-7-windows-server-2008-and-iis7.aspx. – Alex H Feb 16 '15 at 16:10